Use InstanceSecurityDashboard as exportable instead of User

This might sound better because even the feature name is instance level vulnerability exports so we are using here an instance of InstanceSecurityDashboard as exportable instead of the author object.

Use InstanceSecurityDashboard as exportable instead of User
This might sound better because even the feature name is instance level vulnerability exports so we are using here an instance of InstanceSecurityDashboard as exportable instead of the author object.
79b829d3 · Mehmet Emin INAC · 051f0c95 · 79b829d3 · 79b829d3 · 79b829d3
Commit 79b829d3 authored Apr 27, 2020 by Mehmet Emin INAC
9 changed files
--- a/ee/app/models/ee/user.rb
+++ b/ee/app/models/ee/user.rb
@@ -349,8 +349,8 @@ module EE
      gitlab_employee? ? 'GitLab' : super
    end

-    def vulnerabilities
-      InstanceSecurityDashboard.new(self).vulnerabilities
+    def security_dashboard
+      InstanceSecurityDashboard.new(self)
    end

    protected

--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -3,6 +3,8 @@
 class InstanceSecurityDashboard
  extend ActiveModel::Naming

+  delegate :full_path, to: :user
+
  def initialize(user, project_ids: [])
    @project_ids = project_ids
    @user = user

--- a/ee/app/models/vulnerabilities/export.rb
+++ b/ee/app/models/vulnerabilities/export.rb
@@ -48,16 +48,15 @@ module Vulnerabilities
    end

    def exportable
-      project || author
+      project || author.security_dashboard
    end

    def exportable=(value)
      case value
      when Project
        self.project = value
-      when User
+      when InstanceSecurityDashboard
        self.project = nil
-        self.author = value
      else
        raise "Can not assign #{value.class} as exportable"
      end

--- a/ee/app/policies/ee/user_policy.rb
+++ b/ee/app/policies/ee/user_policy.rb
@@ -16,9 +16,6 @@ module EE
        updating_name_disabled_for_users &
        ~admin
      end.prevent :update_name
-
-      # TODO: Check this before removing WIP from MR
-      rule { user_is_self }.enable :create_vulnerability_export
    end
  end
 end
--- a/ee/app/policies/instance_security_dashboard_policy.rb
+++ b/ee/app/policies/instance_security_dashboard_policy.rb
 # frozen_string_literal: true

 class InstanceSecurityDashboardPolicy < BasePolicy
-  rule { ~anonymous }.enable :read_instance_security_dashboard
+  rule { ~anonymous }.policy do
+    enable :read_instance_security_dashboard
+    enable :create_vulnerability_export
+  end
 end
--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -115,4 +115,12 @@ describe InstanceSecurityDashboard do
      end
    end
  end
+
+  describe '#full_path' do
+    let(:user) { create(:user) }
+
+    it 'returns the full_path of the user' do
+      expect(subject.full_path).to eql(user.full_path)
+    end
+  end
 end
--- a/ee/spec/models/user_spec.rb
+++ b/ee/spec/models/user_spec.rb
@@ -1144,20 +1144,13 @@ describe User do
    end
  end

-  describe '#vulnerabilities' do
+  describe '#security_dashboard' do
    let(:user) { create(:user) }
-    let(:vulnerability_collection) { instance_double(ActiveRecord::Relation) }
-    let(:mock_security_dashboard) { instance_double(InstanceSecurityDashboard, vulnerabilities: vulnerability_collection) }

-    subject(:vulnerabilities) { user.vulnerabilities }
+    subject(:security_dashboard) { user.security_dashboard }

-    before do
-      allow(InstanceSecurityDashboard).to receive(:new).and_return(mock_security_dashboard)
-    end
-
-    it 'delegates the call to an instance of `InstanceSecurityDashboard`' do
-      expect(vulnerabilities).to eql(vulnerability_collection)
-      expect(InstanceSecurityDashboard).to have_received(:new).with(user)
+    it 'returns an instance of InstanceSecurityDashboard for the user' do
+      expect(security_dashboard).to be_a(InstanceSecurityDashboard)
    end
  end
 end
--- a/ee/spec/models/vulnerabilities/export_spec.rb
+++ b/ee/spec/models/vulnerabilities/export_spec.rb
@@ -80,8 +80,13 @@ describe Vulnerabilities::Export do
    context 'when the export does not have project assigned' do
      let(:author) { build(:user) }
      let(:vulnerability_export) { build(:vulnerability_export, :user, author: author) }
+      let(:mock_security_dashboard) { instance_double(InstanceSecurityDashboard) }

-      it { is_expected.to eql(author) }
+      before do
+        allow(author).to receive(:security_dashboard).and_return(mock_security_dashboard)
+      end
+
+      it { is_expected.to eql(mock_security_dashboard) }
    end
  end

@@ -98,10 +103,14 @@ describe Vulnerabilities::Export do
      end
    end

-    context 'when the exportable is a User' do
-      let(:exportable) { build(:user) }
+    context 'when the exportable is an InstanceSecurityDashboard' do
+      let(:exportable) { InstanceSecurityDashboard.new(vulnerability_export.author) }
+
+      before do
+        allow(vulnerability_export.author).to receive(:security_dashboard).and_return(exportable)
+      end

-      it 'changes the exportable of the export to given user' do
+      it 'changes the exportable of the export to security dashboard of the author' do
        expect { set_exportable }.to change { vulnerability_export.exportable }.to(exportable)
      end
    end

--- a/ee/spec/policies/instance_security_dashboard_policy_spec.rb
+++ b/ee/spec/policies/instance_security_dashboard_policy_spec.rb
@@ -23,4 +23,16 @@ describe InstanceSecurityDashboardPolicy do
      it { is_expected.to be_allowed(:read_instance_security_dashboard) }
    end
  end
+
+  describe 'create_vulnerability_export' do
+    context 'when the user is not logged in' do
+      let(:current_user) { nil }
+
+      it { is_expected.not_to be_allowed(:create_vulnerability_export) }
+    end
+
+    context 'when the user is logged in' do
+      it { is_expected.to be_allowed(:create_vulnerability_export) }
+    end
+  end
 end