Add new ondemand scan ability to project policy

b8366bd3 · Philip Cunningham · cebdd221 · b8366bd3 · b8366bd3 · b8366bd3
Commit b8366bd3 authored Jun 15, 2020 by Philip Cunningham
3 changed files
--- a/ee/app/graphql/mutations/pipelines/run_dast_scan.rb
+++ b/ee/app/graphql/mutations/pipelines/run_dast_scan.rb
@@ -27,7 +27,7 @@ module Mutations
               required: true,
               description: 'The type of scan to be run.'
-      authorize :create_pipeline
+      authorize :run_ondemand_dast_scan
      def resolve(project_path:, target_url:, branch:, scan_type:)
        project = authorized_find!(full_path: project_path)

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -229,6 +229,7 @@ module EE
        enable :admin_feature_flag
        enable :admin_feature_flags_user_lists
        enable :read_ci_minutes_quota
+        enable :run_ondemand_dast_scan
      end
      rule { can?(:developer_access) & iterations_available }.policy do

--- a/ee/spec/graphql/mutations/pipelines/run_dast_scan_spec.rb
+++ b/ee/spec/graphql/mutations/pipelines/run_dast_scan_spec.rb
@@ -3,7 +3,8 @@
 require 'spec_helper'
 describe Mutations::Pipelines::RunDastScan do
-  let(:project) { create(:project) }
+  let(:group) { create(:group) }
+  let(:project) { create(:project, group: group) }
  let(:user) { create(:user) }
  let(:project_path) { project.full_path }
  let(:target_url) { FFaker::Internet.uri(:https) }
@@ -41,22 +42,40 @@ describe Mutations::Pipelines::RunDastScan do
        end
      end
-      context 'when the user does not have permission to run a dast scan' do
+      context 'when the user is not associated with the project' do
        it 'raises an exception' do
          expect { subject }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable)
        end
      end
-      context 'when the user can run a dast scan' do
+      context 'when the user is an owner' do
-        before do
+        it 'has no errors' do
-          project.add_developer(user)
+          group.add_owner(user)
+          expect(subject[:errors]).to be_empty
+        end
      end
+      context 'when the user is a maintainer' do
        it 'has no errors' do
+          project.add_maintainer(user)
          expect(subject[:errors]).to be_empty
        end
+      end
+      context 'when the user is a developer' do
+        it 'has no errors' do
+          project.add_developer(user)
+          expect(subject[:errors]).to be_empty
+        end
+      end
+      context 'when the user can run a dast scan' do
        it 'returns a pipeline_url containing the correct path' do
+          project.add_developer(user)
          actual_url = subject[:pipeline_url]
          pipeline = Ci::Pipeline.last
          expected_url = Rails.application.routes.url_helpers.project_pipeline_url(