Merge branch 'update-authorization-for-dl-page' into 'master'

Add permissions to see Dependency List page

See merge request gitlab-org/gitlab-ee!15771

ee/app/controllers/projects/dependencies_controller.rb

@@ -2,14 +2,14 @@
 
 module Projects
   class DependenciesController < Projects::ApplicationController
-    before_action :check_feature_enabled!
+    before_action :authorize_read_dependency_list!
 
     before_action do
       push_frontend_feature_flag(:dependency_list_vulnerabilities, default_enabled: true)
     end
 
-    def check_feature_enabled!
-      render_404 unless project.feature_available?(:dependency_list)
+    def authorize_read_dependency_list!
+      render_404 unless can?(current_user, :read_dependencies, project)
     end
   end
 end

ee/changelogs/unreleased/update-authorization-for-dl-page.yml

+---
+title: Update permissions on Dependency List page
+merge_request: 15771
+author:
+type: fixed

ee/spec/controllers/projects/dependencies_controller_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 describe Projects::DependenciesController do
-  set(:project) { create(:project, :repository, :private) }
+  set(:project) { create(:project, :repository, :public, :repository_private) }
   set(:user) { create(:user) }
 
   subject { get :show, params: { namespace_id: project.namespace, project_id: project } }
@@ -11,7 +11,7 @@ describe Projects::DependenciesController do
   describe 'GET show' do
     context 'with authorized user' do
       before do
-        project.add_developer(user)
+        project.add_reporter(user)
         sign_in(user)
       end
 
@@ -55,7 +55,9 @@ describe Projects::DependenciesController do
       end
     end
 
-    context 'with anonymous user' do
+    context 'with anonymous user and private project' do
+      let(:project) { create(:project, :repository, :private) }
+
       it 'returns 302' do
         subject