From 811b878eaa88c8abe54c4eddce2ef0e8e2929211 Mon Sep 17 00:00:00 2001
From: Andrew Rumble <andrew.rumble@overleaf.com>
Date: Thu, 24 Jul 2025 16:49:16 +0100
Subject: [PATCH] Add view-split-test and modify-split-test capabilities

GitOrigin-RevId: 3f0752aec332c386ece72d2447d39126065ddb35
---
 .../src/Features/UserMembership/UserMembershipMiddleware.js  | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js b/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
index f125496874..46651ffbb3 100644
--- a/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
+++ b/services/web/app/src/Features/UserMembership/UserMembershipMiddleware.js
@@ -7,6 +7,7 @@ const EntityConfigs = require('./UserMembershipEntityConfigs')
 const Errors = require('../Errors/Errors')
 const HttpErrorHandler = require('../Errors/HttpErrorHandler')
 const TemplatesManager = require('../Templates/TemplatesManager')
+const { useAdminCapabilities } = require('../Helpers/AdminAuthorizationHelper')
 
 // set of middleware arrays or functions that checks user access to an entity
 // (publisher, institution, group, template, etc.)
@@ -185,16 +186,20 @@ const UserMembershipMiddleware = {
 
   requireSplitTestMetricsAccess: [
     AuthenticationController.requireLogin(),
+    useAdminCapabilities,
     allowAccessIfAny([
       UserMembershipAuthorization.hasStaffAccess('splitTestMetrics'),
       UserMembershipAuthorization.hasStaffAccess('splitTestManagement'),
+      UserMembershipAuthorization.hasAdminCapability('view-split-test'),
     ]),
   ],
 
   requireSplitTestManagementAccess: [
     AuthenticationController.requireLogin(),
+    useAdminCapabilities,
     allowAccessIfAny([
       UserMembershipAuthorization.hasStaffAccess('splitTestManagement'),
+      UserMembershipAuthorization.hasAdminCapability('modify-split-test'),
     ]),
   ],