Merge branch...

Merge branch '9466-auditor-users-should-be-able-to-see-the-group-and-project-security-dashboards' into 'master' Allow auditors to see the group and project security dashboards Closes #9466 See merge request gitlab-org/gitlab-ee!14695

Merge branch...
Merge branch '9466-auditor-users-should-be-able-to-see-the-group-and-project-security-dashboards' into 'master' Allow auditors to see the group and project security dashboards Closes #9466 See merge request gitlab-org/gitlab-ee!14695
c693e9a6 · Sean McGivern · 5ad8616a · ccefc4f1 · c693e9a6 · c693e9a6
Commit c693e9a6 authored Jul 22, 2019 by Sean McGivern
5 changed files
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -74,7 +74,10 @@ module EE
        prevent :destroy_epic
      end

-      rule { auditor }.enable :read_group
+      rule { auditor }.policy do
+        enable :read_group
+        enable :read_group_security_dashboard
+      end

      rule { admin | owner }.enable :admin_group_saml


--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -188,6 +188,7 @@ module EE
        enable :read_environment
        enable :read_deployment
        enable :read_pages
+        enable :read_project_security_dashboard
      end

      rule { auditor & ~guest }.policy do

--- a/ee/changelogs/unreleased/9466-auditor-users-should-be-able-to-see-the-group-and-project-security-dashboards.yml
+++ b/ee/changelogs/unreleased/9466-auditor-users-should-be-able-to-see-the-group-and-project-security-dashboards.yml
+---
+title: Allow auditors to see the group and project security dashboards
+merge_request: 14695
+author:
+type: added
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -368,8 +368,13 @@ describe GroupPolicy do
    context 'auditor' do
      let(:current_user) { create(:user, :auditor) }

+      before do
+        stub_licensed_features(security_dashboard: true)
+      end
+
      it do
        expect_allowed(:read_group)
+        expect_allowed(:read_group_security_dashboard)
        expect_disallowed(:upload_file)
        expect_disallowed(*reporter_permissions)
        expect_disallowed(*developer_permissions)

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -39,6 +39,7 @@ describe ProjectPolicy do
        read_pipeline read_build read_commit_status read_container_image
        read_environment read_deployment read_merge_request read_pages
        create_merge_request_in award_emoji
+        read_project_security_dashboard
        read_vulnerability_feedback read_software_license_policy
      ]
    end
@@ -54,6 +55,10 @@ describe ProjectPolicy do
    context 'auditor' do
      let(:current_user) { create(:user, :auditor) }

+      before do
+        stub_licensed_features(security_dashboard: true, license_management: true)
+      end
+
      context 'who is not a team member' do
        it do
          is_expected.to be_disallowed(*developer_permissions)