Add policy for auto_fix

Only Maintainer can modify it. Expose it with Configuration json

Add policy for auto_fix
Only Maintainer can modify it. Expose it with Configuration json
1e09a677 · Tetiana Chupryna · Igor Drozdov · 81d437ab · 1e09a677 · 1e09a677
Commit 1e09a677 authored Jun 04, 2020 by Tetiana Chupryna Committed by Igor Drozdov Jun 04, 2020
6 changed files
--- a/ee/app/controllers/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/projects/security/configuration_controller.rb
@@ -12,7 +12,13 @@ module Projects
      end

      def show
-        @configuration = ConfigurationPresenter.new(project)
+        @configuration = ConfigurationPresenter.new(project, auto_fix_permission: auto_fix_permission)
+      end
+
+      private
+
+      def auto_fix_permission
+        can?(current_user, :modify_auto_fix_setting, project)
      end
    end
  end

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -279,6 +279,7 @@ module EE
        enable :admin_feature_flags_client
        enable :modify_approvers_rules
        enable :modify_approvers_list
+        enable :modify_auto_fix_setting
        enable :modify_merge_request_author_setting
        enable :modify_merge_request_committer_setting
      end
@@ -331,6 +332,8 @@ module EE
      rule { ~admin & owner & owner_cannot_destroy_project }.prevent :remove_project

      rule { archived }.policy do
+        prevent :modify_auto_fix_setting
+
        READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
          prevent(*::ProjectPolicy.create_update_admin_destroy(feature))
        end

--- a/ee/app/presenters/projects/security/configuration_presenter.rb
+++ b/ee/app/presenters/projects/security/configuration_presenter.rb
@@ -52,7 +52,7 @@ module Projects
            dependency_scanning: true,
            container_scanning: true
          }.to_json,
-          can_toggle_auto_fix_settings: true, # To be replaced with the real value in https://gitlab.com/gitlab-org/gitlab/-/merge_requests/32783
+          can_toggle_auto_fix_settings: auto_fix_permission,
          auto_fix_user_path: '/' # TODO: real link will be updated with https://gitlab.com/gitlab-org/gitlab/-/issues/215669
        }
      end

--- a/ee/changelogs/unreleased/215668-policy-for-auto-fix.yml
+++ b/ee/changelogs/unreleased/215668-policy-for-auto-fix.yml
+---
+title: Add policy for auto_fix
+merge_request: 32783
+author:
+type: added
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -41,7 +41,9 @@ describe ProjectPolicy do
        admin_vulnerability_issue_link read_merge_train
      ]
    end
-    let(:additional_maintainer_permissions) { %i[push_code_to_protected_branches admin_feature_flags_client] }
+    let(:additional_maintainer_permissions) do
+      %i[push_code_to_protected_branches admin_feature_flags_client modify_auto_fix_setting]
+    end
    let(:auditor_permissions) do
      %i[
        download_code download_wiki_code read_project read_board read_list

--- a/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
+++ b/ee/spec/presenters/projects/security/configuration_presenter_spec.rb
@@ -14,7 +14,7 @@ describe Projects::Security::ConfigurationPresenter do
  end

  describe '#to_h' do
-    subject { described_class.new(project).to_h }
+    subject { described_class.new(project, auto_fix_permission: true).to_h }

    it 'includes links to auto devops and secure product docs' do
      expect(subject[:auto_devops_help_page_path]).to eq(help_page_path('topics/autodevops/index'))
@@ -36,6 +36,10 @@ describe Projects::Security::ConfigurationPresenter do
        expect(subject[:auto_devops_enabled]).to be_truthy
      end

+      it 'reports auto_fix permissions' do
+        expect(subject[:can_toggle_auto_fix_settings]).to be_truthy
+      end
+
      it 'reports that all security jobs are configured' do
        expect(Gitlab::Json.parse(subject[:features])).to contain_exactly(
          security_scan(:dast, configured: true),