5 files changed, 18 insertions, 2 deletions

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 9f9f5230040..dfbad4627eb 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -187,6 +187,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:reporter_access) }.policy do
     enable :download_code
+    enable :read_statistics
     enable :download_wiki_code
     enable :fork_project
     enable :create_project_snippet
diff --git a/changelogs/unreleased/fix-hidden-statistics.yml b/changelogs/unreleased/fix-hidden-statistics.yml
new file mode 100644
index 00000000000..4d99bd00136
--- /dev/null
+++ b/changelogs/unreleased/fix-hidden-statistics.yml
@@ -0,0 +1,5 @@
+---
+title: Show statistics also when repository is disabled
+merge_request: 26509
+author: Peter Marko
+type: fixed
diff --git a/doc/user/permissions.md b/doc/user/permissions.md
index adc0f4d568b..a340dd063e4 100644
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -119,7 +119,7 @@ The following table depicts the various user permission levels in a project.
 | Force push to protected branches [^4] |         |            |             |          |        |
 | Remove protected branches [^4]        |         |            |             |          |        |
 | View project Audit Events             |         |            |             | ✓        | ✓      |
-| View project statistics               |         |            |             | ✓        | ✓      |
+| View project statistics               |         | ✓          | ✓           | ✓        | ✓      |
 
 ## Project features permissions
 
diff --git a/lib/api/entities.rb b/lib/api/entities.rb
index 611523a2444..6fd267ff2ed 100644
--- a/lib/api/entities.rb
+++ b/lib/api/entities.rb
@@ -275,7 +275,7 @@ module API
       expose :printing_merge_request_link_enabled
       expose :merge_method
       expose :statistics, using: 'API::Entities::ProjectStatistics', if: -> (project, options) {
-        options[:statistics] && Ability.allowed?(options[:current_user], :download_code, project)
+        options[:statistics] && Ability.allowed?(options[:current_user], :read_statistics, project)
       }
 
       # rubocop: disable CodeReuse/ActiveRecord
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index 60d9d7fed13..4c3c088b307 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -1183,6 +1183,16 @@ describe API::Projects do
           expect(response).to have_gitlab_http_status(200)
           expect(json_response).to include 'statistics'
         end
+
+        it "includes statistics also when repository is disabled" do
+          project.add_developer(user)
+          project.project_feature.update_attribute(:repository_access_level, ProjectFeature::DISABLED)
+
+          get api("/projects/#{project.id}", user), params: { statistics: true }
+
+          expect(response).to have_gitlab_http_status(200)
+          expect(json_response).to include 'statistics'
+        end
       end
 
       it "includes import_error if user can admin project" do