Commit 6172b14a authored by Max Woolf's avatar Max Woolf

Merge branch '351602-auditor-group-level-events' into 'master'

Ensures audit events are visible to auditor at Group level

See merge request gitlab-org/gitlab!81267
parents 458ec608 662a01dc
......@@ -44,6 +44,8 @@ class Groups::AuditEventsController < Groups::ApplicationController
end
def filter_by_author(params)
can?(current_user, :admin_group, group) ? params : params.merge(author_id: current_user.id)
return params if can?(current_user, :admin_group, group) || current_user.auditor?
params.merge(author_id: current_user.id)
end
end
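Review bot: The auditor bypass on the new `return params if can?(current_user, :admin_group, group) || current_user.auditor?` line makes the controller, not GroupPolicy, decide that auditors see every author's events, while the GroupPolicy hunk below only grants `:read_group_audit_events`; the same access decision is now split across two layers, so revoking the auditor rule in the policy later would not narrow this filter. Consider checking a single ability via `can?` here so both grants are reviewed in one place, and add a comment on the new line such as `# Owners and auditors see every author's events; other members only their own`. This filter only narrows results after authorization has passed; whether the feature-availability check also lives in this controller is not visible in the hunk.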
......@@ -270,6 +270,7 @@ module EE
rule { auditor }.policy do
enable :read_group
enable :read_group_security_dashboard
enable :read_group_audit_events
end
rule { group_saml_config_enabled & group_saml_available & (admin | owner) }.enable :admin_group_saml
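Review bot: The new `enable :read_group_audit_events` inside `rule { auditor }` carries no feature or license condition, unlike the composed rule on the following line, so at the policy level any auditor may read audit events of any group regardless of whether the audit_events feature is available to that group. The controller spec's shared context is scoped to 'when audit_events feature is available', which suggests that check happens elsewhere (presumably in the controller); if authorization is meant to be self-contained, fold the availability condition into this rule, otherwise a short comment naming where the feature check lives would help the next reader. The enclosing policy block starts and ends outside the hunk.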
......
......@@ -7,6 +7,7 @@ RSpec.describe Groups::AuditEventsController do
let_it_be(:user) { create(:user) }
let_it_be(:owner) { create(:user) }
let_it_be(:auditor) { create(:user, auditor: true) }
let_it_be(:group) { create(:group, :private) }
let_it_be(:events) { create_list(:group_audit_event, 5, entity_id: group.id) }
......@@ -15,18 +16,7 @@ RSpec.describe Groups::AuditEventsController do
let(:entity_type) { nil }
let(:entity_id) { nil }
context 'authorized' do
before do
group.add_owner(owner)
sign_in(owner)
end
context do
let(:request) do
get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
end
context 'when audit_events feature is available' do
shared_context 'when audit_events feature is available' do
let(:level) { Gitlab::Audit::Levels::Group.new(group: group) }
let(:audit_logs_params) { ActionController::Parameters.new(sort: '', entity_type: '', entity_id: '', created_after: Date.current.beginning_of_month, created_before: Date.current.end_of_day).permit! }
......@@ -137,7 +127,7 @@ RSpec.describe Groups::AuditEventsController do
expect_snowplow_event(
category: 'Groups::AuditEventsController',
action: 'search_audit_event',
user: owner,
user: client,
namespace: group
)
end
......@@ -161,6 +151,42 @@ RSpec.describe Groups::AuditEventsController do
end
end
end
context 'when authorized owner' do
before do
group.add_owner(owner)
sign_in(owner)
end
let(:client) { owner }
context do
let(:request) do
get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
end
it_behaves_like 'when audit_events feature is available'
end
it_behaves_like 'tracking unique visits', :index do
let(:request_params) { { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id } }
let(:target_id) { 'g_compliance_audit_events' }
end
end
context 'when authorized auditor' do
before do
sign_in(auditor)
end
let(:client) { auditor }
context do
let(:request) do
get :index, params: { group_id: group.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
end
it_behaves_like 'when audit_events feature is available'
end
it_behaves_like 'tracking unique visits', :index do
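Review bot: The new `context 'when authorized auditor' do` signs in an auditor who is not a group member and reuses the same shared context as the owner, but nothing visible here asserts the behaviour the controller change introduces — that the auditor receives events from all authors rather than an author-filtered list — nor the restriction that remains for a non-owner, non-auditor member who should still see only their own events. If the shared context 'when audit_events feature is available' already compares the response against the full `events` list, the auditor side is covered; an explicit example for an ordinary member would still pin the other branch of `filter_by_author`. The auditor context is cut off after `it_behaves_like 'tracking unique visits', :index do`, so its remainder is not visible.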
......
......@@ -610,6 +610,7 @@ RSpec.describe GroupPolicy do
it { is_expected.to be_allowed(:read_group) }
it { is_expected.to be_allowed(:read_milestone) }
it { is_expected.to be_allowed(:read_group_audit_events) }
end
end
end
......