[ResponseOps][Alerting] Hiding all features in a space causes rules to stop running

x-pack/plugins/alerting/server/authorization/alerting_authorization.test.ts

@@ -550,6 +550,55 @@ describe('AlertingAuthorization', () => {
       });
     });
 
+    test('ensures the user has privileges to execute alerts when all features are disabled', async () => {
+      features.getKibanaFeatures.mockReturnValue([]);
+      const { authorization } = mockSecurity();
+      const checkPrivileges: jest.MockedFunction<
+        ReturnType<typeof authorization.checkPrivilegesDynamicallyWithRequest>
+      > = jest.fn();
+      authorization.checkPrivilegesDynamicallyWithRequest.mockReturnValue(checkPrivileges);
+      const alertAuthorization = new AlertingAuthorization({
+        request,
+        authorization,
+        ruleTypeRegistry,
+        features,
+        getSpace,
+        getSpaceId,
+      });
+
+      checkPrivileges.mockResolvedValueOnce({
+        username: 'some-user',
+        hasAllRequested: true,
+        privileges: { kibana: [] },
+      });
+
+      await alertAuthorization.ensureAuthorized({
+        ruleTypeId: 'myType',
+        consumer: 'alerts',
+        operation: WriteOperations.Update,
+        entity: AlertingAuthorizationEntity.Alert,
+      });
+
+      expect(ruleTypeRegistry.get).toHaveBeenCalledWith('myType');
+
+      expect(authorization.actions.alerting.get).toHaveBeenCalledTimes(2);
+      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
+        'myType',
+        'alerts',
+        'alert',
+        'update'
+      );
+      expect(authorization.actions.alerting.get).toHaveBeenCalledWith(
+        'myType',
+        'myApp',
+        'alert',
+        'update'
+      );
+      expect(checkPrivileges).toHaveBeenCalledWith({
+        kibana: [mockAuthorizationAction('myType', 'myApp', 'alert', 'update')],
+      });
+    });
+
     test('throws if user lacks the required rule privileges for the consumer', async () => {
       const { authorization } = mockSecurity();
       const checkPrivileges: jest.MockedFunction<

x-pack/plugins/alerting/server/authorization/alerting_authorization.ts

@@ -128,12 +128,10 @@ export class AlertingAuthorization {
       });
 
     this.allPossibleConsumers = this.featuresIds.then((featuresIds) => {
-      return featuresIds.size
-        ? asAuthorizedConsumers([ALERTS_FEATURE_ID, ...featuresIds], {
-            read: true,
-            all: true,
-          })
-        : {};
+      return asAuthorizedConsumers([ALERTS_FEATURE_ID, ...featuresIds], {
+        read: true,
+        all: true,
+      });
     });
   }
 

x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/create.ts

@@ -260,13 +260,6 @@ export default function createAlertTests({ getService }: FtrProviderContext) {
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage('create', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({

x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/delete.ts

@@ -224,17 +224,9 @@ export default function createDeleteTests({ getService }: FtrProviderContext) {
             .auth(user.username, user.password);
 
           switch (scenario.id) {
+            case 'global_read at space1':
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage('delete', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              objectRemover.add(space.id, createdAlert.id, 'rule', 'alerting');
-              break;
-            case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({
                 error: 'Forbidden',

x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/enable.ts

@@ -265,13 +265,6 @@ export default function createEnableAlertTests({ getService }: FtrProviderContex
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage('enable', 'test.noop', 'alerts'),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
               expect(response.statusCode).to.eql(403);
               expect(response.body).to.eql({

x-pack/test/alerting_api_integration/security_and_spaces/group1/tests/alerting/get.ts

@@ -231,17 +231,6 @@ const getTestUtils = (
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'get',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':
               expect(response.statusCode).to.eql(403);

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_all.ts

@@ -254,17 +254,6 @@ export default function createMuteAlertTests({ getService }: FtrProviderContext)
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'muteAll',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/mute_instance.ts

@@ -254,17 +254,6 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'muteAlert',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/snooze.ts

@@ -284,17 +284,6 @@ export default function createSnoozeRuleTests({ getService }: FtrProviderContext
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'snooze',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_all.ts

@@ -274,17 +274,6 @@ export default function createUnmuteAlertTests({ getService }: FtrProviderContex
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'unmuteAll',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/unmute_instance.ts

@@ -274,17 +274,6 @@ export default function createMuteAlertInstanceTests({ getService }: FtrProvider
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'unmuteAlert',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update.ts

@@ -378,17 +378,6 @@ export default function createUpdateTests({ getService }: FtrProviderContext) {
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'update',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':

x-pack/test/alerting_api_integration/security_and_spaces/group2/tests/alerting/update_api_key.ts

@@ -247,17 +247,6 @@ export default function createUpdateApiKeyTests({ getService }: FtrProviderConte
           switch (scenario.id) {
             case 'no_kibana_privileges at space1':
             case 'space_1_all at space2':
-              expect(response.statusCode).to.eql(403);
-              expect(response.body).to.eql({
-                error: 'Forbidden',
-                message: getConsumerUnauthorizedErrorMessage(
-                  'updateApiKey',
-                  'test.restricted-noop',
-                  'alerts'
-                ),
-                statusCode: 403,
-              });
-              break;
             case 'global_read at space1':
             case 'space_1_all at space1':
             case 'space_1_all_alerts_none_actions at space1':