Make subgroup_creation_level default to maintainer at SQL level

- Migration updates existing groups to "owner", then sets default to
  "maintainer" so that new groups will default to that
- Update spec examples

db/migrate/20190626175626_add_group_creation_level_to_namespaces.rb

@@ -12,6 +12,7 @@ class AddGroupCreationLevelToNamespaces < ActiveRecord::Migration[5.1]
                               :subgroup_creation_level,
                               :integer,
                               default: 0)
+      change_column_default(:namespaces, :subgroup_creation_level, 1)
     end
   end
 

db/schema.rb

@@ -2112,7 +2112,7 @@ ActiveRecord::Schema.define(version: 20190628145246) do
     t.integer "extra_shared_runners_minutes_limit"
     t.string "ldap_sync_status", default: "ready", null: false
     t.boolean "membership_lock", default: false
-    t.integer "subgroup_creation_level", default: 0, null: false
+    t.integer "subgroup_creation_level", default: 1, null: false
     t.index ["created_at"], name: "index_namespaces_on_created_at", using: :btree
     t.index ["custom_project_templates_group_id", "type"], name: "index_namespaces_on_custom_project_templates_group_id_and_type", where: "(custom_project_templates_group_id IS NOT NULL)", using: :btree
     t.index ["file_template_project_id"], name: "index_namespaces_on_file_template_project_id", using: :btree

spec/controllers/admin/groups_controller_spec.rb

@@ -70,14 +70,13 @@ describe Admin::GroupsController do
     end
 
     it 'updates the subgroup_creation_level successfully' do
-      MAINTAINER = ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
+      OWNER = ::Gitlab::Access::OWNER_SUBGROUP_ACCESS
 
       expect do
         post :update,
              params: { id: group.to_param,
-                       group: { subgroup_creation_level: MAINTAINER } }
-      end.to change { group.reload.subgroup_creation_level }
-               .to(MAINTAINER)
+                       group: { subgroup_creation_level: OWNER } }
+      end.to change { group.reload.subgroup_creation_level }.to(OWNER)
     end
   end
 end

spec/factories/groups.rb

@@ -5,7 +5,6 @@ FactoryBot.define do
     type 'Group'
     owner nil
     project_creation_level ::Gitlab::Access::MAINTAINER_PROJECT_ACCESS
-    subgroup_creation_level ::Gitlab::Access::OWNER_SUBGROUP_ACCESS
 
     after(:create) do |group|
       if group.owner
@@ -46,5 +45,9 @@ FactoryBot.define do
     trait :auto_devops_disabled do
       auto_devops_enabled false
     end
+
+    trait :owner_subgroup_creation_only do
+      subgroup_creation_level ::Gitlab::Access::OWNER_SUBGROUP_ACCESS
+    end
   end
 end

spec/features/groups/show_spec.rb

@@ -72,10 +72,11 @@ describe 'Group show page' do
       context 'when subgroups are supported', :js, :nested_groups do
         before do
           allow(Group).to receive(:supports_nested_objects?) { true }
-          visit path
         end
 
         it 'allows creating subgroups' do
+          visit path
+
           expect(page)
             .to have_css("li[data-text='New subgroup']", visible: false)
         end
@@ -84,10 +85,11 @@ describe 'Group show page' do
       context 'when subgroups are not supported' do
         before do
           allow(Group).to receive(:supports_nested_objects?) { false }
-          visit path
         end
 
         it 'does not allow creating subgroups' do
+          visit path
+
           expect(page)
             .not_to have_selector("li[data-text='New subgroup']", visible: false)
         end
@@ -102,10 +104,9 @@ describe 'Group show page' do
       context 'when subgroups are supported', :js, :nested_groups do
         before do
           allow(Group).to receive(:supports_nested_objects?) { true }
-          visit path
         end
 
-        context 'when subgroup_creation_level is set to maintainer' do
+        context 'when subgroup_creation_level is set to maintainers' do
           let(:group) do
             create(:group,
                    subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
@@ -113,7 +114,9 @@ describe 'Group show page' do
 
           it 'allows creating subgroups' do
             visit path
-            expect(page).to have_css("li[data-text='New subgroup']", visible: false)
+
+            expect(page)
+              .to have_css("li[data-text='New subgroup']", visible: false)
           end
         end
 
@@ -125,6 +128,7 @@ describe 'Group show page' do
 
           it 'does not allow creating subgroups' do
             visit path
+
             expect(page)
               .not_to have_css("li[data-text='New subgroup']", visible: false)
           end
@@ -134,10 +138,11 @@ describe 'Group show page' do
       context 'when subgroups are not supported' do
         before do
           allow(Group).to receive(:supports_nested_objects?) { false }
-          visit path
         end
 
         it 'does not allow creating subgroups' do
+          visit path
+
           expect(page)
             .not_to have_selector("li[data-text='New subgroup']", visible: false)
         end

spec/models/group_spec.rb

@@ -997,9 +997,8 @@ describe Group do
 
   describe 'subgroup_creation_level' do
     it 'defaults to maintainers' do
-      group = create (:group)
-
-      expect(group.subgroup_creation_level).to eq(Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
+      expect(group.subgroup_creation_level)
+        .to eq(Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS)
     end
   end
 end

spec/policies/group_policy_spec.rb

@@ -98,7 +98,32 @@ describe GroupPolicy do
   context 'maintainer' do
     let(:current_user) { maintainer }
 
+    context 'with subgroup_creation level set to maintainer' do
+      let(:group) { create(:group,
+                           :private,
+                           subgroup_creation_level: ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS) }
+
       it do
+        allow(Group).to receive(:supports_nested_objects?).and_return(true)
+
+        create_subgroup_permission = [:create_subgroup]
+        updated_maintainer_permissions =
+          maintainer_permissions + create_subgroup_permission
+        updated_owner_permissions =
+          owner_permissions - create_subgroup_permission
+
+        expect_allowed(*guest_permissions)
+        expect_allowed(*reporter_permissions)
+        expect_allowed(*developer_permissions)
+        expect_allowed(*updated_maintainer_permissions)
+        expect_disallowed(*updated_owner_permissions)
+      end
+    end
+
+    context 'with subgroup_creation_level set to owner' do
+      it do
+        allow(Group).to receive(:supports_nested_objects?).and_return(true)
+
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)
@@ -106,6 +131,7 @@ describe GroupPolicy do
         expect_disallowed(*owner_permissions)
       end
     end
+  end
 
   context 'owner' do
     let(:current_user) { owner }
@@ -181,7 +207,10 @@ describe GroupPolicy do
   end
 
   describe 'private nested group use the highest access level from the group and inherited permissions', :nested_groups do
-    let(:nested_group) { create(:group, :private, parent: group) }
+    let(:nested_group) { create(:group,
+                                :private,
+                                :owner_subgroup_creation_only,
+                                parent: group) }
 
     before do
       nested_group.add_guest(guest)

spec/requests/api/groups_spec.rb

@@ -803,10 +803,10 @@ describe API::Groups do
           group2.add_maintainer(user1)
         end
 
-        it 'cannot create subgroups' do
+        it 'can create subgroups' do
           post api("/groups", user1), params: { parent_id: group2.id, name: 'foo', path: 'foo' }
 
-          expect(response).to have_gitlab_http_status(403)
+          expect(response).to have_gitlab_http_status(201)
         end
       end
     end

spec/support/shared_contexts/policies/group_policy_shared_context.rb

@@ -7,7 +7,7 @@ RSpec.shared_context 'GroupPolicy context' do
   let(:maintainer) { create(:user) }
   let(:owner) { create(:user) }
   let(:admin) { create(:admin) }
-  let(:group) { create(:group, :private) }
+  let(:group) { create(:group, :private, :owner_subgroup_creation_only) }
 
   let(:guest_permissions) do
     %i[