Disable access to projects by instance security dashboard

2fbb28cd · Mehmet Emin INAC · Stan Hu · 5a1517a5 · 2fbb28cd · 2fbb28cd
Commit 2fbb28cd authored Feb 04, 2021 by Mehmet Emin INAC Committed by Stan Hu Feb 10, 2021
Showing with 37 additions and 4 deletions

ee/app/models/instance_security_dashboard.rb ee/app/models/instance_security_dashboard.rb +1 -0

ee/spec/models/instance_security_dashboard_spec.rb ee/spec/models/instance_security_dashboard_spec.rb +36 -4

No files found.
--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -24,6 +24,7 @@ class InstanceSecurityDashboard

  def projects
    Project.where(id: visible_users_security_dashboard_projects)
+           .with_feature_available_for_user(:security_and_compliance, user)
  end

  def vulnerabilities

--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -85,8 +85,24 @@ RSpec.describe InstanceSecurityDashboard do

  describe '#projects' do
    context 'when the user cannot read all resources' do
-      it 'returns only projects on their dashboard that they can read' do
-        expect(subject.projects).to contain_exactly(project1)
+      context 'when the `security_and_compliance` is enabled for the project' do
+        before do
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+        end
+
+        it 'returns only projects on their dashboard that they can read' do
+          expect(subject.projects).to contain_exactly(project1)
+        end
+      end
+
+      context 'when the `security_and_compliance` is disabled for the project' do
+        before do
+          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+        end
+
+        it 'returns only projects on their dashboard that they can read' do
+          expect(subject.projects).to be_empty
+        end
      end
    end

@@ -94,8 +110,24 @@ RSpec.describe InstanceSecurityDashboard do
      let(:project_ids) { [project1.id, project2.id] }
      let(:user) { create(:auditor) }

-      it "returns all projects on the user's dashboard" do
-        expect(subject.projects).to contain_exactly(project1, project2, project3)
+      context 'when the `security_and_compliance` is enabled for the project' do
+        before do
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+        end
+
+        it "returns all projects on the user's dashboard" do
+          expect(subject.projects).to contain_exactly(project1, project2, project3)
+        end
+      end
+
+      context 'when the `security_and_compliance` is disabled for the project' do
+        before do
+          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+        end
+
+        it "returns only the feature enabled projects on the user's dashboard" do
+          expect(subject.projects).to contain_exactly(project2, project3)
+        end
      end
    end
  end