Merge branch 'add-new-policy-for-ondemand-scans-218685' into 'master'

Add new ondemand scan ability to project policy See merge request gitlab-org/gitlab!34476

Merge branch 'add-new-policy-for-ondemand-scans-218685' into 'master'
Add new ondemand scan ability to project policy See merge request gitlab-org/gitlab!34476
4f6c629d · Ash McKenzie · 01e3ab93 · b8366bd3 · 4f6c629d · 4f6c629d
Commit 4f6c629d authored Jun 18, 2020 by Ash McKenzie
3 changed files
--- a/ee/app/graphql/mutations/pipelines/run_dast_scan.rb
+++ b/ee/app/graphql/mutations/pipelines/run_dast_scan.rb
@@ -27,7 +27,7 @@ module Mutations
               required: true,
               description: 'The type of scan to be run.'

-      authorize :create_pipeline
+      authorize :run_ondemand_dast_scan

      def resolve(project_path:, target_url:, branch:, scan_type:)
        project = authorized_find!(full_path: project_path)

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -259,6 +259,7 @@ module EE
        enable :admin_feature_flag
        enable :admin_feature_flags_user_lists
        enable :read_ci_minutes_quota
+        enable :run_ondemand_dast_scan
      end

      rule { can?(:developer_access) & iterations_available }.policy do

--- a/ee/spec/graphql/mutations/pipelines/run_dast_scan_spec.rb
+++ b/ee/spec/graphql/mutations/pipelines/run_dast_scan_spec.rb
@@ -3,7 +3,8 @@
 require 'spec_helper'

 describe Mutations::Pipelines::RunDastScan do
-  let(:project) { create(:project) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, group: group) }
  let(:user) { create(:user) }
  let(:project_path) { project.full_path }
  let(:target_url) { FFaker::Internet.uri(:https) }
@@ -41,22 +42,40 @@ describe Mutations::Pipelines::RunDastScan do
        end
      end

-      context 'when the user does not have permission to run a dast scan' do
+      context 'when the user is not associated with the project' do
        it 'raises an exception' do
          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
        end
      end

-      context 'when the user can run a dast scan' do
-        before do
-          project.add_developer(user)
+      context 'when the user is an owner' do
+        it 'has no errors' do
+          group.add_owner(user)
+
+          expect(subject[:errors]).to be_empty
+        end
+      end
+
+      context 'when the user is a maintainer' do
+        it 'has no errors' do
+          project.add_maintainer(user)
+
+          expect(subject[:errors]).to be_empty
        end
+      end

+      context 'when the user is a developer' do
        it 'has no errors' do
+          project.add_developer(user)
+
          expect(subject[:errors]).to be_empty
        end
+      end

+      context 'when the user can run a dast scan' do
        it 'returns a pipeline_url containing the correct path' do
+          project.add_developer(user)
+
          actual_url = subject[:pipeline_url]
          pipeline = Ci::Pipeline.last
          expected_url = Rails.application.routes.url_helpers.project_pipeline_url(