From 1cd24e1992c91f02a8313758e0f7e81a4ff162ec Mon Sep 17 00:00:00 2001
From: Klaus Zanders <k.zanders@openproject.com>
Date: Tue, 31 Mar 2026 11:06:01 +0200
Subject: [PATCH] Add spec for not granted to admin permission

---
 .../user_permissible_service_spec.rb          | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/spec/services/authorization/user_permissible_service_spec.rb b/spec/services/authorization/user_permissible_service_spec.rb
index 8ab0dac284a..b305c14299f 100644
--- a/spec/services/authorization/user_permissible_service_spec.rb
+++ b/spec/services/authorization/user_permissible_service_spec.rb
@@ -118,6 +118,25 @@ RSpec.describe Authorization::UserPermissibleService do
         end
       end
 
+      context "and the user is an admin but the permission is not granted to admins" do
+        include_context "with blank access control state"
+
+        before do
+          OpenProject::AccessControl.map do |map|
+            map.permission :not_granted_to_admin_global,
+                           {},
+                           permissible_on: :global,
+                           require: :loggedin,
+                           grant_to_admin: false
+          end
+        end
+
+        let(:queried_user) { admin }
+        let(:permission) { :not_granted_to_admin_global }
+
+        it { is_expected.not_to be_allowed_globally(permission) }
+      end
+
       it_behaves_like "the Authorization.roles scope used" do
         let(:context) { nil }
         subject { service.allowed_globally?(permission) }