Merge branch 'vulnerability-api-improvement' into 'master'

Improve vulnerability API

See merge request gitlab-org/gitlab-ee!12760

ee/changelogs/unreleased/vulnerability-api-improvement.yml

+---
+title: Improve vulnerability API
+merge_request: 12760
+author: Robert Schilling
+type: other

ee/lib/api/vulnerabilities.rb

@@ -43,12 +43,10 @@ module API
       end
 
       get ':id/vulnerabilities' do
-        project = Project.find(params[:id])
-
-        not_found!('Project') unless project && can?(current_user, :read_project_security_dashboard, project)
+        authorize! :read_project_security_dashboard, user_project
 
         vulnerability_occurrences = Kaminari.paginate_array(
-          vulnerability_occurrences_by(declared_params.merge(project: project))
+          vulnerability_occurrences_by(declared_params.merge(project: user_project))
         )
 
         present paginate(vulnerability_occurrences),

ee/spec/requests/api/vulnerabilities_spec.rb

@@ -114,16 +114,18 @@ describe API::Vulnerabilities do
         stub_licensed_features(security_dashboard: false, sast: true, dependency_scanning: true, container_scanning: true)
       end
 
-      it 'responds with 404 Not Found' do
+      it 'responds with 403 Forbidden' do
         get api("/projects/#{project.id}/vulnerabilities", user)
 
-        expect(response).to have_gitlab_http_status(404)
+        expect(response).to have_gitlab_http_status(403)
       end
     end
 
-    context 'with unauthorized user' do
+    context 'with no project access' do
       it 'responds with 404 Not Found' do
-        get api("/projects/#{project.id}/vulnerabilities", user)
+        private_project = create(:project)
+
+        get api("/projects/#{private_project.id}/vulnerabilities", user)
 
         expect(response).to have_gitlab_http_status(404)
       end