Security fix project authorizations for security dashboard

59740023 · Mehmet Emin INAC · GitLab Release Tools Bot · b65821c5 · 59740023 · 59740023
Commit 59740023 authored Jun 29, 2020 by Mehmet Emin INAC Committed by GitLab Release Tools Bot Jun 29, 2020
4 changed files
--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -58,5 +58,10 @@ class InstanceSecurityDashboard
      .where(users_security_dashboard_projects: { user_id: user.id })
      .where(project_authorizations: { user_id: user.id })
      .where('users_security_dashboard_projects.project_id = project_authorizations.project_id')
+      .where(access_level: authorized_access_levels)
+  end
+
+  def authorized_access_levels
+    Gitlab::Access.vulnerability_access_levels.values
  end
 end
--- a/ee/changelogs/unreleased/security-fix_project_authorizations_for_security_dashboard.yml
+++ b/ee/changelogs/unreleased/security-fix_project_authorizations_for_security_dashboard.yml
+---
+title: Fix project authorizations for instance security dashboard
+merge_request:
+author:
+type: security
--- a/ee/lib/ee/gitlab/access.rb
+++ b/ee/lib/ee/gitlab/access.rb
@@ -10,6 +10,12 @@ module EE
    module Access
      extend ActiveSupport::Concern
      ADMIN = 60
+
+      class_methods do
+        def vulnerability_access_levels
+          @vulnerability_access_levels ||= options_with_owner.except('Guest')
+        end
+      end
    end
  end
 end
--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -5,14 +5,17 @@ require 'spec_helper'
 RSpec.describe InstanceSecurityDashboard do
  let_it_be(:project1) { create(:project) }
  let_it_be(:project2) { create(:project) }
+  let_it_be(:project3) { create(:project) }
  let_it_be(:pipeline1) { create(:ci_pipeline, project: project1) }
  let_it_be(:pipeline2) { create(:ci_pipeline, project: project2) }
+  let_it_be(:pipeline3) { create(:ci_pipeline, project: project3) }
  let(:project_ids) { [project1.id] }
  let(:user) { create(:user) }

  before do
    project1.add_developer(user)
-    user.security_dashboard_projects << [project1, project2]
+    project3.add_guest(user)
+    user.security_dashboard_projects << [project1, project2, project3]
  end

  subject { described_class.new(user, project_ids: project_ids) }
@@ -92,7 +95,7 @@ RSpec.describe InstanceSecurityDashboard do
      let(:user) { create(:auditor) }

      it "returns all projects on the user's dashboard" do
-        expect(subject.projects).to contain_exactly(project1, project2)
+        expect(subject.projects).to contain_exactly(project1, project2, project3)
      end
    end
  end