Commit e236140b authored by Douglas Barbosa Alexandre's avatar Douglas Barbosa Alexandre

Merge branch '13247-vulnerabilities-permissions' into 'master'

Permissions for vulnerabilities

See merge request gitlab-org/gitlab!21265
parents 381216c2 cc7bcf73
......@@ -20,7 +20,7 @@ module Projects
def can_access_vulnerable?
return true unless query_params[:filter] == 'vulnerable'
can?(current_user, :read_project_security_dashboard, project)
can?(current_user, :read_vulnerability, project)
end
def can_collect_dependencies?
......@@ -25,8 +25,8 @@ module EE
::Gitlab::CurrentSettings.lock_memberships_to_ldap?
end
condition(:security_dashboard_feature_disabled) do
!@subject.feature_available?(:security_dashboard)
condition(:security_dashboard_enabled) do
@subject.feature_available?(:security_dashboard)
end
condition(:needs_new_sso_session) do
......@@ -129,13 +129,10 @@ module EE
end
rule { developer }.policy do
enable :read_group_security_dashboard
enable :admin_merge_request
end
rule { security_dashboard_feature_disabled }.policy do
prevent :read_group_security_dashboard
end
rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard
rule { needs_new_sso_session }.policy do
prevent :read_group
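Review bot: Swapping the `prevent :read_group_security_dashboard` rule for a guarded enable at `rule { security_dashboard_enabled & developer }` turns a global deny into a conditional grant: any other rule in this policy (or in a subclass) that enables `:read_group_security_dashboard` — for auditors or admins, say — is no longer blocked when the licence feature is unavailable. The rest of GroupPolicy is outside the hunk, so I cannot confirm whether such a rule exists; if it does, or may be added later, keep an explicit deny alongside the new rule: `rule { ~security_dashboard_enabled }.prevent :read_group_security_dashboard`. The same observation applies to the parallel change in ProjectPolicy.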
......@@ -62,8 +62,8 @@ module EE
end
with_scope :subject
condition(:security_dashboard_feature_disabled) do
!@subject.feature_available?(:security_dashboard)
condition(:security_dashboard_enabled) do
@subject.feature_available?(:security_dashboard)
end
condition(:prometheus_alerts_enabled) do
......@@ -157,25 +157,19 @@ module EE
rule { can?(:public_access) }.enable :read_package
rule { can?(:read_project) & can?(:read_build) }.enable :read_security_findings
rule { can?(:read_build) & can?(:download_code) }.enable :read_security_findings
rule { can?(:developer_access) }.policy do
enable :read_project_security_dashboard
end
rule { security_dashboard_feature_disabled }.policy do
prevent :read_project_security_dashboard
end
rule { security_dashboard_enabled & can?(:developer_access) }.enable :read_vulnerability
rule { can?(:read_project_security_dashboard) & can?(:developer_access) }.policy do
enable :read_vulnerability
rule { can?(:read_vulnerability) }.policy do
enable :read_project_security_dashboard
enable :create_vulnerability
enable :admin_vulnerability
end
rule { threat_monitoring_enabled & (auditor | can?(:developer_access)) }.enable :read_threat_monitoring
rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
rule { can?(:read_security_findings) }.enable :read_vulnerability_feedback
rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies
......@@ -216,13 +210,17 @@ module EE
enable :read_environment
enable :read_deployment
enable :read_pages
enable :read_project_security_dashboard
end
rule { auditor & can?(:read_project_security_dashboard) }.policy do
rule { auditor & security_dashboard_enabled }.policy do
enable :read_vulnerability
end
rule { auditor & ~developer }.policy do
prevent :create_vulnerability
prevent :admin_vulnerability
end
rule { auditor & ~guest }.policy do
prevent :create_project
prevent :create_issue
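Review bot: The `rule { can?(:read_vulnerability) }` block that enables `:create_vulnerability` and `:admin_vulnerability` makes every grant of read access an implicit grant of write access; that is why the `auditor & ~developer` prevent block had to be added below it, and the next role given `:read_vulnerability` will silently inherit write rights the same way. It is easier to reason about least privilege if the write abilities are enabled from the developer condition directly and only the dashboard ability is derived from read; the auditor prevent then becomes redundant but harmless. Separately, `read_vulnerability_feedback` now chains on `read_security_findings`, which the same hunk tightens from `read_project` to `download_code` (reporter and above) — the guest spec change suggests this is intended, but it is a behaviour change worth calling out in the description.
```ruby
rule { security_dashboard_enabled & can?(:developer_access) }.policy do
  enable :read_vulnerability
  enable :create_vulnerability
  enable :admin_vulnerability
end

rule { can?(:read_vulnerability) }.enable :read_project_security_dashboard
# … unchanged: threat_monitoring / vulnerability_feedback / dependencies rules …
```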
......@@ -23,7 +23,7 @@ class DependencyEntity < Grape::Entity
private
def can_read_vulnerabilities?
can?(request.user, :read_project_security_dashboard, request.project)
can?(request.user, :read_vulnerability, request.project)
end
def can_read_licenses?
......@@ -38,7 +38,7 @@ module API
end
get ':id' do
vulnerability = Vulnerability.find(params[:id])
authorize_vulnerability!(vulnerability, :read_project_security_dashboard)
authorize_vulnerability!(vulnerability, :read_vulnerability)
render_vulnerability(vulnerability)
end
......@@ -53,7 +53,7 @@ module API
success ::Vulnerabilities::OccurrenceEntity
end
get ':id/vulnerability_findings' do
authorize! :read_project_security_dashboard, user_project
authorize! :read_vulnerability, user_project
vulnerability_occurrences = paginate(
Kaminari.paginate_array(
......@@ -882,7 +882,7 @@ module EE
private
def can_read_vulnerabilities?(user, project)
Ability.allowed?(user, :read_project_security_dashboard, project)
Ability.allowed?(user, :read_vulnerability, project)
end
end
......@@ -334,32 +334,10 @@ describe ProjectPolicy do
let(:current_user) { admin }
let(:project) { create(:project, :private, namespace: owner.namespace) }
context 'with admin' do
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
where(role: %w[admin owner maintainer developer reporter])
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with reporter' do
let(:current_user) { reporter }
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
......@@ -367,7 +345,7 @@ describe ProjectPolicy do
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
it { is_expected.to be_disallowed(:read_vulnerability_feedback) }
end
context 'with non member' do
......@@ -418,8 +396,8 @@ describe ProjectPolicy do
context 'with private project' do
let(:project) { create(:project, :private, namespace: owner.namespace) }
context 'with guest or above' do
let(:current_user) { guest }
context 'with reporter or above' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_security_findings) }
end
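Review bot: The new `read_security_findings` context at `let(:current_user) { reporter }` only asserts the positive side of the tightened rule; no visible case shows that a guest is now disallowed, that `read_vulnerability` is denied when `feature_available?(:security_dashboard)` is false, or that an auditor without developer access is denied `create_vulnerability` / `admin_vulnerability`. Those cases may exist elsewhere in the spec, outside this hunk; if not, add at least `context 'with guest' do let(:current_user) { guest }; it { is_expected.to be_disallowed(:read_security_findings) } end` next to the reporter case, and a licence-disabled case for `read_vulnerability`. Policy tightenings are exactly the changes that regress silently without a negative test.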