Merge branch '299861-compliance-framework-permissions-change' into 'master'

Remove maintainer access to administer compliance frameworks See merge request gitlab-org/gitlab!53370

Merge branch '299861-compliance-framework-permissions-change' into 'master'
Remove maintainer access to administer compliance frameworks See merge request gitlab-org/gitlab!53370
d8c300c8 · Jarka Košanová · d018e2ad · 08355b76 · d8c300c8 · d8c300c8
Commit d8c300c8 authored Feb 11, 2021 by Jarka Košanová
9 changed files
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -183,6 +183,7 @@ The following table depicts the various user permission levels in a project.
 | Delete pipelines                                  |         |            |             |          | ✓      |
 | Delete merge request                              |         |            |             |          | ✓      |
 | Disable notification emails                       |         |            |             |          | ✓      |
+| Administer project compliance frameworks          |         |            |             |          | ✓      |
 | Force push to protected branches (*4*)            |         |            |             |          |        |
 | Remove protected branches (*4*)                   |         |            |             |          |        |

@@ -293,6 +294,7 @@ group.
 | View Billing **(FREE SAAS)**                           |       |          |           |            | ✓ (4) |
 | View Usage Quotas **(FREE SAAS)**                      |       |          |           |            | ✓ (4) |
 | Filter members by 2FA status                           |       |          |           |            | ✓     |
+| Administer project compliance frameworks               |       |          |           |            | ✓     |

 1. Groups can be set to [allow either Owners or Owners and
  Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup)

--- a/doc/user/project/settings/index.md
+++ b/doc/user/project/settings/index.md
@@ -46,17 +46,17 @@ Compliance framework labels do not affect your project settings.
 > - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
 > - It's disabled on GitLab.com.
 > - It's not recommended for production use.
-> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM ONLY)**
+> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM)**

 WARNING:
 This feature might not be available to you. Check the **version history** note above for details.

-GitLab 13.8 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label
+GitLab 13.9 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label
 and assign it to any number of projects within that group or sub-groups. When this feature is enabled, projects can only
 be assigned compliance framework labels that already exist within that group.

-If existing [Compliance frameworks](#compliance-framework) are not sufficient, you can now create
-your own.
+If existing [Compliance frameworks](#compliance-framework) are not sufficient, project and group owners
+can now create their own.

 New compliance framework labels can be created and updated using GraphQL.

@@ -320,7 +320,7 @@ Add the URL of a Jaeger server to allow your users to [easily access the Jaeger
 [Add Storage credentials](../../../operations/incident_management/status_page.md#sync-incidents-to-the-status-page)
 to enable the syncing of public Issues to a [deployed status page](../../../operations/incident_management/status_page.md#create-a-status-page-project).

-### Enable or disable custom compliance frameworks **(PREMIUM ONLY)**
+### Enable or disable custom compliance frameworks **(PREMIUM)**

 Enabling or disabling custom compliance frameworks is under development and not ready for production use. It is
 deployed behind a feature flag that is **disabled by default**.

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -401,7 +401,7 @@ module EE

      rule { requirements_available & owner }.enable :destroy_requirement

-      rule { compliance_framework_available & can?(:admin_project) }.enable :admin_compliance_framework
+      rule { compliance_framework_available & can?(:owner_access) }.enable :admin_compliance_framework

      rule { status_page_available & can?(:owner_access) }.enable :mark_issue_for_publication
      rule { status_page_available & can?(:developer_access) }.enable :publish_status_page

--- a/ee/app/views/compliance_management/compliance_framework/_project_settings.html.haml
+++ b/ee/app/views/compliance_management/compliance_framework/_project_settings.html.haml
- return unless current_user.can?(:admin_compliance_framework, @project)
-
+- user_has_edit_permissions = current_user.can?(:admin_compliance_framework, @project)
 .row
  .form-group.col-md-9.gl-mb-6
    - if Feature.enabled?(:ff_custom_compliance_frameworks)
      - frameworks = @project.namespace.root_ancestor.compliance_management_frameworks
-      = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
-        = cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold'
-        - if frameworks.any?
-          %p.text-secondary= _('Select required regulatory standard')
-          - selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.id
-          = cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name, fw.id] }, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control'
-        - else
-          %p.text-secondary
-            = _("No compliance frameworks are in use. Create one using the GraphQL API.")
+      - if user_has_edit_permissions
+        = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
+          = cf.label :framework, class: 'gl-font-weight-bold' do
+            = _('Compliance framework  (optional)')
+          - if frameworks.any?
+            %p.text-secondary= _('Select required regulatory standard.')
+            - selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.id
+            = cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name.truncate(88), fw.id] }, selected_default_framework), { selected: '', prompt: _('Choose your framework'), include_blank: _('None') }, { class: 'form-control', disabled: false }
+          - else
+            %p.form-text.text-muted
+              = _("No compliance frameworks are in use. Create one using the GraphQL API.")
+      - else
+        = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
+          = cf.label :framework, class: 'gl-font-weight-bold' do
+            = _('Compliance framework')
+          - if frameworks.any?
+            - selected_framework = @project.compliance_framework_setting&.compliance_management_framework&.name&.truncate(88) || _('None')
+            = cf.text_field :framework, value: selected_framework, class: 'form-control read-only', disabled: true
+            %p.form-text.text-muted
+              = _("Customizable by owners.")
+          - else
+            %p.form-text.text-muted
+              = _("No compliance frameworks are in use.")
+
    - else
      = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
        = cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold'
-        %p.text-secondary= _('Select required regulatory standard')
+        %p.text-secondary= _('Select required regulatory standard.')
        - selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.default_framework_definition&.identifier
        = cf.select :framework, options_for_select(compliance_framework_options, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control'

--- a/ee/changelogs/unreleased/299861-compliance-framework-permissions-change.yml
+++ b/ee/changelogs/unreleased/299861-compliance-framework-permissions-change.yml
+---
+title: Disable ability for maintainers to change project compliance framework
+merge_request: 53370
+author:
+type: changed
--- a/ee/spec/controllers/projects_controller_spec.rb
+++ b/ee/spec/controllers/projects_controller_spec.rb
@@ -568,12 +568,9 @@ RSpec.describe ProjectsController do
          stub_licensed_features(compliance_framework: true)
        end

-        context 'current_user is a project maintainer' do
-          let_it_be(:maintainer) { create(:user) }
-
+        context 'current_user is a project owner' do
          before do
-            project.add_maintainer(maintainer)
-            sign_in(maintainer)
+            sign_in(project.owner)
          end

          it 'sets the compliance framework' do

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -1545,7 +1545,7 @@ RSpec.describe ProjectPolicy do
      :developer  | false | nil   | false
      :developer  | true  | nil   | false
      :maintainer | false | nil   | false
-      :maintainer | true  | nil   | true
+      :maintainer | true  | nil   | false
      :owner      | false | nil   | false
      :owner      | true  | nil   | true
      :admin      | false | false | false

--- a/ee/spec/views/compliance_management/compliance_framework/_project_settings.html.haml_spec.rb
+++ b/ee/spec/views/compliance_management/compliance_framework/_project_settings.html.haml_spec.rb
@@ -27,6 +27,40 @@ RSpec.describe 'projects/edit.html.haml' do

        expect(rendered).to match /Custom framework 23/
      end
+
+      it 'does not include warning message' do
+        render
+
+        expect(rendered).not_to match /Customizable by owners./
+      end
+
+      it 'contains the dropdown' do
+        render
+
+        expect(rendered).to have_css('select[id=project_compliance_framework_setting_attributes_framework]')
+        expect(rendered).not_to have_css('select[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
+      end
+
+      context 'user is group maintainer' do
+        let_it_be(:maintainer) { create(:user) }
+
+        before do
+          group.add_maintainer(maintainer)
+          allow(view).to receive(:current_user).and_return(maintainer)
+        end
+
+        it 'includes warning message' do
+          render
+
+          expect(rendered).to match /Customizable by owners./
+        end
+
+        it 'disables the dropdown' do
+          render
+
+          expect(rendered).to have_css('input[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
+        end
+      end
    end

    context 'group has no compliance frameworks' do

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -7501,6 +7501,12 @@ msgstr ""
 msgid "Compliance Dashboard"
 msgstr ""

+msgid "Compliance framework"
+msgstr ""
+
+msgid "Compliance framework  (optional)"
+msgstr ""
+
 msgid "Compliance framework (optional)"
 msgstr ""

@@ -8835,6 +8841,9 @@ msgstr ""
 msgid "Customizable by an administrator."
 msgstr ""

+msgid "Customizable by owners."
+msgstr ""
+
 msgid "Customize colors"
 msgstr ""

@@ -19954,6 +19963,9 @@ msgstr ""
 msgid "No commits present here"
 msgstr ""

+msgid "No compliance frameworks are in use."
+msgstr ""
+
 msgid "No compliance frameworks are in use. Create one using the GraphQL API."
 msgstr ""

@@ -26372,7 +26384,7 @@ msgstr ""
 msgid "Select projects"
 msgstr ""

-msgid "Select required regulatory standard"
+msgid "Select required regulatory standard."
 msgstr ""

 msgid "Select reviewer(s)"