Commit 6d128367 authored by syasonik

Use correct roles for each alert task

Updates roles for alert management tasks. Developers+
can read and update alerts. Maintainers+ can enable
alert management. Ensures the AlertManagementController
respects these roles.
parent 9955183f
......@@ -3,6 +3,7 @@
class Projects::AlertManagementController < Projects::ApplicationController
before_action :ensure_list_feature_enabled, only: :index
before_action :ensure_detail_feature_enabled, only: :details
before_action :authorize_read_alert_management_alert!
before_action do
push_frontend_feature_flag(:alert_list_status_filtering_enabled)
end
......
......@@ -31,7 +31,7 @@ module AlertManagement
end
def authorized?
Ability.allowed?(current_user, :read_alert_management_alerts, project)
Ability.allowed?(current_user, :read_alert_management_alert, project)
end
end
end
......@@ -18,7 +18,7 @@ module Mutations
null: true,
description: "The alert after mutation"
authorize :update_alert_management_alerts
authorize :update_alert_management_alert
private
......
......@@ -6,7 +6,7 @@ module Types
graphql_name 'AlertManagementAlert'
description "Describes an alert from the project's Alert Management"
authorize :read_alert_management_alerts
authorize :read_alert_management_alert
field :iid,
GraphQL::ID_TYPE,
......
......@@ -448,7 +448,7 @@ module ProjectsHelper
clusters: :read_cluster,
serverless: :read_cluster,
error_tracking: :read_sentry_issue,
alert_management: :read_alert_management,
alert_management: :read_alert_management_alert,
labels: :read_label,
issues: :read_issue,
project_members: :read_project_member,
......
......@@ -236,11 +236,8 @@ class ProjectPolicy < BasePolicy
enable :read_merge_request
enable :read_sentry_issue
enable :update_sentry_issue
enable :read_alert_management
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :read_alert_management_alerts
enable :update_alert_management_alerts
enable :metrics_dashboard
end
......@@ -306,6 +303,8 @@ class ProjectPolicy < BasePolicy
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
enable :read_alert_management_alert
enable :update_alert_management_alert
enable :create_design
enable :destroy_design
end
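Review bot: `enable :read_alert_management` is dropped at the `-` line without a replacement, so any `can?(user, :read_alert_management, project)` call outside this diff would now be checking an ability the policy no longer defines; as far as I know DeclarativePolicy answers false for an undefined ability rather than raising, so such a caller would quietly lose access instead of failing loudly. Worth grepping for the old name (views, presenters, other helpers) before merging; the ProjectsHelper hunk is the only caller updated here. The description also says Maintainers+ can enable alert management, but no visible hunk grants a maintainer-level ability for that, so either it lives outside this diff or the description overstates the change. Both ProjectPolicy rule blocks start and end outside the hunks, so which role section the new `:read_alert_management_alert`/`:update_alert_management_alert` lines land in is inferred from neighbouring rules only.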
......
......@@ -4,7 +4,7 @@ require 'spec_helper'
describe Projects::AlertManagementController do
let_it_be(:project) { create(:project) }
let_it_be(:role) { :reporter }
let_it_be(:role) { :developer }
let_it_be(:user) { create(:user) }
let_it_be(:id) { 1 }
......@@ -24,6 +24,16 @@ describe Projects::AlertManagementController do
expect(response).to have_gitlab_http_status(:ok)
end
context 'when user is unauthorized' do
let(:role) { :reporter }
it 'shows 404' do
get :index, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'when alert_management_minimal is disabled' do
......@@ -50,6 +60,16 @@ describe Projects::AlertManagementController do
expect(response).to have_gitlab_http_status(:ok)
end
context 'when user is unauthorized' do
let(:role) { :reporter }
it 'shows 404' do
get :index, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'when alert_management_detail is disabled' do
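Review bot: The second unauthorized example (the `@@ -50,6 +60,16 @@` hunk, presumably inside the details describe block) still does `get :index`, so the 404 it observes may come from the index action and the `details` action's authorization is never exercised. It should request the detail route with the already-defined `id`: `get :details, params: { namespace_id: project.namespace, project_id: project, id: id }`. The first unauthorized example at `@@ -24,6 +24,16 @@` is the one that belongs on `:index`. Both describe blocks begin outside the hunks, so this is inferred from the surrounding `alert_management_detail` context.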
......
......@@ -9,7 +9,7 @@ describe Mutations::AlertManagement::UpdateAlertStatus do
let(:new_status) { 'acknowledged' }
let(:args) { { status: new_status, project_path: project.full_path, iid: alert.iid } }
specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alerts) }
specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alert) }
describe '#resolve' do
subject(:resolve) { mutation_for(project, current_user).resolve(args) }
......
......@@ -5,7 +5,7 @@ require 'spec_helper'
describe GitlabSchema.types['AlertManagementAlert'] do
specify { expect(described_class.graphql_name).to eq('AlertManagementAlert') }
specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alerts) }
specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alert) }
it 'exposes the expected fields' do
expected_fields = %i[
......
......@@ -10,16 +10,16 @@ describe AlertManagement::AlertPolicy, :models do
subject(:policy) { described_class.new(user, alert) }
describe 'rules' do
it { is_expected.to be_disallowed :read_alert_management_alerts }
it { is_expected.to be_disallowed :update_alert_management_alerts }
it { is_expected.to be_disallowed :read_alert_management_alert }
it { is_expected.to be_disallowed :update_alert_management_alert }
context 'when developer' do
before do
project.add_developer(user)
end
it { is_expected.to be_allowed :read_alert_management_alerts }
it { is_expected.to be_allowed :update_alert_management_alerts }
it { is_expected.to be_allowed :read_alert_management_alert }
it { is_expected.to be_allowed :update_alert_management_alert }
end
end
end