Merge branch '300994-auditor-user-can-bulk-select' into 'master'

Do not display bulk selection when user is auditor See merge request gitlab-org/gitlab!62685

Merge branch '300994-auditor-user-can-bulk-select' into 'master'
Do not display bulk selection when user is auditor See merge request gitlab-org/gitlab!62685
9f8db2e4 · Vitali Tatarintev · a61676b6 · bd27eb02 · 9f8db2e4 · 9f8db2e4
Commit 9f8db2e4 authored Jun 07, 2021 by Vitali Tatarintev
9 changed files
--- a/ee/app/assets/javascripts/security_dashboard/components/vulnerability_list.vue
+++ b/ee/app/assets/javascripts/security_dashboard/components/vulnerability_list.vue
@@ -51,6 +51,9 @@ export default {
    hasJiraVulnerabilitiesIntegrationEnabled: {
      default: false,
    },
+    canAdminVulnerability: {
+      default: false,
+    },
    dashboardType: {},
  },

@@ -60,11 +63,6 @@ export default {
      required: false,
      default: () => ({}),
    },
-    shouldShowSelection: {
-      type: Boolean,
-      required: false,
-      default: true,
-    },
    vulnerabilities: {
      type: Array,
      required: true,
@@ -109,7 +107,7 @@ export default {
      return Object.keys(this.selectedVulnerabilities).length;
    },
    shouldShowSelectionSummary() {
-      return this.shouldShowSelection && this.numOfSelectedVulnerabilities > 0;
+      return this.canAdminVulnerability && this.numOfSelectedVulnerabilities > 0;
    },
    theadClass() {
      return this.shouldShowSelectionSummary ? 'below-selection-summary' : '';
@@ -119,7 +117,7 @@ export default {
        {
          key: 'checkbox',
          class: 'checkbox',
-          skip: !this.shouldShowSelection,
+          skip: !this.canAdminVulnerability,
        },
        {
          key: 'detected',

--- a/ee/app/assets/javascripts/security_dashboard/pipeline_init.js
+++ b/ee/app/assets/javascripts/security_dashboard/pipeline_init.js
 import Vue from 'vue';
+import { parseBoolean } from '~/lib/utils/common_utils';
 import PipelineSecurityDashboard from './components/pipeline_security_dashboard.vue';
 import apolloProvider from './graphql/provider';
 import createDashboardStore from './store';
@@ -24,6 +25,7 @@ export default () => {
    emptyStateForbiddenSvgPath,
    projectFullPath,
    pipelineJobsPath,
+    canAdminVulnerability,
  } = el.dataset;

  const loadingErrorIllustrations = {
@@ -42,6 +44,7 @@ export default () => {
      projectFullPath,
      dashboardDocumentation,
      emptyStateSvgPath,
+      canAdminVulnerability: parseBoolean(canAdminVulnerability),
      pipeline: {
        id: parseInt(pipelineId, 10),
        iid: parseInt(pipelineIid, 10),

--- a/ee/app/assets/javascripts/security_dashboard/vulnerability_report_init.js
+++ b/ee/app/assets/javascripts/security_dashboard/vulnerability_report_init.js
@@ -36,6 +36,7 @@ export default (el, dashboardType) => {
    hasJiraVulnerabilitiesIntegrationEnabled,
    securityConfigurationPath,
    surveyRequestSvgPath,
+    canAdminVulnerability,
  } = el.dataset;

  if (isUnavailable) {
@@ -68,6 +69,7 @@ export default (el, dashboardType) => {
    projectFullPath,
    autoFixDocumentation,
    autoFixMrsPath,
+    canAdminVulnerability: parseBoolean(canAdminVulnerability),
    hasVulnerabilities: parseBoolean(hasVulnerabilities),
    scanners: scanners ? JSON.parse(scanners) : [],
    hasJiraVulnerabilitiesIntegrationEnabled: parseBoolean(

--- a/ee/app/helpers/ee/projects_helper.rb
+++ b/ee/app/helpers/ee/projects_helper.rb
@@ -191,7 +191,8 @@ module EE
          security_dashboard_help_path: help_page_path('user/application_security/security_dashboard/index'),
          auto_fix_documentation: help_page_path('user/application_security/index', anchor: 'auto-fix-merge-requests'),
          auto_fix_mrs_path: project_merge_requests_path(@project, label_name: 'GitLab-auto-fix'),
-          scanners: VulnerabilityScanners::ListService.new(project).execute.to_json
+          scanners: VulnerabilityScanners::ListService.new(project).execute.to_json,
+          can_admin_vulnerability: can?(current_user, :admin_vulnerability, project).to_s
        }.merge!(security_dashboard_pipeline_data(project))
      end
    end

--- a/ee/app/views/projects/pipelines/_tabs_content.html.haml
+++ b/ee/app/views/projects/pipelines/_tabs_content.html.haml
@@ -20,7 +20,8 @@
    vulnerability_exports_endpoint: vulnerability_exports_endpoint_path,
    empty_state_unauthorized_svg_path: image_path('illustrations/user-not-logged-in.svg'),
    empty_state_forbidden_svg_path: image_path('illustrations/lock_promotion.svg'),
-    project_full_path: project.path_with_namespace } }
+    project_full_path: project.path_with_namespace,
+    can_admin_vulnerability: can?(current_user, :admin_vulnerability, project).to_s } }

 - if pipeline.expose_license_scanning_data?
  #js-tab-licenses.tab-pane

--- a/ee/spec/frontend/security_dashboard/components/group/group_vulnerabilities_spec.js
+++ b/ee/spec/frontend/security_dashboard/components/group/group_vulnerabilities_spec.js
@@ -114,7 +114,6 @@ describe('Group Security Dashboard Vulnerabilities Component', () => {
      expect(findVulnerabilities().props()).toEqual({
        filters: {},
        isLoading: false,
-        shouldShowSelection: true,
        shouldShowProjectNamespace: true,
        vulnerabilities,
      });

--- a/ee/spec/frontend/security_dashboard/components/instance/instance_vulnerabilities_spec.js
+++ b/ee/spec/frontend/security_dashboard/components/instance/instance_vulnerabilities_spec.js
@@ -95,7 +95,6 @@ describe('Instance Security Dashboard Vulnerabilities Component', () => {
      expect(findVulnerabilities().props()).toEqual({
        filters: {},
        isLoading: false,
-        shouldShowSelection: true,
        shouldShowProjectNamespace: true,
        vulnerabilities,
      });

--- a/ee/spec/frontend/security_dashboard/components/vulnerability_list_spec.js
+++ b/ee/spec/frontend/security_dashboard/components/vulnerability_list_spec.js
@@ -35,6 +35,7 @@ describe('Vulnerability list component', () => {
        noPipelineRunScannersHelpPath: '#',
        hasVulnerabilities: true,
        hasJiraVulnerabilitiesIntegrationEnabled: false,
+        canAdminVulnerability: true,
        ...provide,
      }),
    });
@@ -201,14 +202,17 @@ describe('Vulnerability list component', () => {
    );
  });

-  describe('when vulnerability selection is disabled', () => {
+  describe('when user has no permission to admin vulnerabilities', () => {
    beforeEach(() => {
      wrapper = createWrapper({
-        props: { vulnerabilities, shouldShowSelection: false },
+        props: { vulnerabilities },
+        provide: {
+          canAdminVulnerability: false,
+        },
      });
    });

-    it('should not show the checkboxes if shouldShowSelection is passed in', () => {
+    it('should not show the checkboxes', () => {
      expect(findDataCell('vulnerability-checkbox-all').exists()).toBe(false);
      expect(findDataCell('vulnerability-checkbox').exists()).toBe(false);
    });

--- a/ee/spec/helpers/projects_helper_spec.rb
+++ b/ee/spec/helpers/projects_helper_spec.rb
@@ -127,6 +127,7 @@ RSpec.describe ProjectsHelper do
      group.add_owner(user)
      stub_licensed_features(jira_vulnerabilities_integration: true)
      allow(helper).to receive(:current_user).and_return(user)
+      allow(helper).to receive(:can?).and_return(true)
    end

    context 'project without vulnerabilities' do
@@ -163,7 +164,8 @@ RSpec.describe ProjectsHelper do
          no_pipeline_run_scanners_help_path: "/#{project.full_path}/-/pipelines/new",
          auto_fix_documentation: help_page_path('user/application_security/index', anchor: 'auto-fix-merge-requests'),
          auto_fix_mrs_path: end_with('/merge_requests?label_name=GitLab-auto-fix'),
-          scanners: '[{"id":123,"vendor":"Security Vendor","report_type":"SAST"}]'
+          scanners: '[{"id":123,"vendor":"Security Vendor","report_type":"SAST"}]',
+          can_admin_vulnerability: 'true'
        }
      end