Commit e236140b authored by Douglas Barbosa Alexandre's avatar Douglas Barbosa Alexandre

Merge branch '13247-vulnerabilities-permissions' into 'master'

Permissions for vulnerabilities

See merge request gitlab-org/gitlab!21265
parents 381216c2 cc7bcf73
...@@ -20,7 +20,7 @@ module Projects ...@@ -20,7 +20,7 @@ module Projects
def can_access_vulnerable? def can_access_vulnerable?
return true unless query_params[:filter] == 'vulnerable' return true unless query_params[:filter] == 'vulnerable'
can?(current_user, :read_project_security_dashboard, project) can?(current_user, :read_vulnerability, project)
end end
def can_collect_dependencies? def can_collect_dependencies?
......
...@@ -25,8 +25,8 @@ module EE ...@@ -25,8 +25,8 @@ module EE
::Gitlab::CurrentSettings.lock_memberships_to_ldap? ::Gitlab::CurrentSettings.lock_memberships_to_ldap?
end end
condition(:security_dashboard_feature_disabled) do condition(:security_dashboard_enabled) do
!@subject.feature_available?(:security_dashboard) @subject.feature_available?(:security_dashboard)
end end
condition(:needs_new_sso_session) do condition(:needs_new_sso_session) do
...@@ -129,13 +129,10 @@ module EE ...@@ -129,13 +129,10 @@ module EE
end end
rule { developer }.policy do rule { developer }.policy do
enable :read_group_security_dashboard
enable :admin_merge_request enable :admin_merge_request
end end
rule { security_dashboard_feature_disabled }.policy do rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard
prevent :read_group_security_dashboard
end
rule { needs_new_sso_session }.policy do rule { needs_new_sso_session }.policy do
prevent :read_group prevent :read_group
......
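Review bot: Dropping the `security_dashboard_feature_disabled` prevent turns the feature gate from fail-closed into opt-in: the old `prevent :read_group_security_dashboard` blocked the ability no matter which rule enabled it, whereas the new `rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard` guards only this one path. If another rule in this policy outside the hunk (an admin or auditor rule, for instance) enables `:read_group_security_dashboard`, it is no longer blocked when the feature is unavailable. The project policy hunks below follow the same pattern for `:read_vulnerability` and `:read_project_security_dashboard`, where the removed prevent also used to cover every enabling rule. Keeping a one-line guard such as `rule { ~security_dashboard_enabled }.prevent :read_group_security_dashboard` preserves the fail-closed behavior without affecting the intended developer path.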
...@@ -62,8 +62,8 @@ module EE ...@@ -62,8 +62,8 @@ module EE
end end
with_scope :subject with_scope :subject
condition(:security_dashboard_feature_disabled) do condition(:security_dashboard_enabled) do
!@subject.feature_available?(:security_dashboard) @subject.feature_available?(:security_dashboard)
end end
condition(:prometheus_alerts_enabled) do condition(:prometheus_alerts_enabled) do
...@@ -157,25 +157,19 @@ module EE ...@@ -157,25 +157,19 @@ module EE
rule { can?(:public_access) }.enable :read_package rule { can?(:public_access) }.enable :read_package
rule { can?(:read_project) & can?(:read_build) }.enable :read_security_findings rule { can?(:read_build) & can?(:download_code) }.enable :read_security_findings
rule { can?(:developer_access) }.policy do rule { security_dashboard_enabled & can?(:developer_access) }.enable :read_vulnerability
enable :read_project_security_dashboard
end
rule { security_dashboard_feature_disabled }.policy do
prevent :read_project_security_dashboard
end
rule { can?(:read_project_security_dashboard) & can?(:developer_access) }.policy do rule { can?(:read_vulnerability) }.policy do
enable :read_vulnerability enable :read_project_security_dashboard
enable :create_vulnerability enable :create_vulnerability
enable :admin_vulnerability enable :admin_vulnerability
end end
rule { threat_monitoring_enabled & (auditor | can?(:developer_access)) }.enable :read_threat_monitoring rule { threat_monitoring_enabled & (auditor | can?(:developer_access)) }.enable :read_threat_monitoring
rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback rule { can?(:read_security_findings) }.enable :read_vulnerability_feedback
rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies
...@@ -216,13 +210,17 @@ module EE ...@@ -216,13 +210,17 @@ module EE
enable :read_environment enable :read_environment
enable :read_deployment enable :read_deployment
enable :read_pages enable :read_pages
enable :read_project_security_dashboard
end end
rule { auditor & can?(:read_project_security_dashboard) }.policy do rule { auditor & security_dashboard_enabled }.policy do
enable :read_vulnerability enable :read_vulnerability
end end
rule { auditor & ~developer }.policy do
prevent :create_vulnerability
prevent :admin_vulnerability
end
rule { auditor & ~guest }.policy do rule { auditor & ~guest }.policy do
prevent :create_project prevent :create_project
prevent :create_issue prevent :create_issue
......
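Review bot: The `rule { can?(:read_vulnerability) }` block grants `:create_vulnerability` and `:admin_vulnerability` to everyone who can read, and auditors now obtain `:read_vulnerability` via `rule { auditor & security_dashboard_enabled }`, which is why the new `auditor & ~developer` block has to revoke the write abilities again; this enable-then-prevent coupling is not visible from either rule on its own and is easy to break on the next edit. The direction of the dependency is also inverted compared to the old code, with `:read_project_security_dashboard` now derived from `:read_vulnerability` rather than the other way round. A short comment on the `rule { can?(:read_vulnerability) }` block would make this explicit, e.g. `# read_vulnerability is the root ability (gated on security_dashboard_enabled in the developer_access and auditor rules); the write abilities granted here are revoked for non-developer auditors below.` The `rule { auditor & ~developer }` block deserves a matching one-liner, `# auditors get read-only vulnerability access`.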
...@@ -23,7 +23,7 @@ class DependencyEntity < Grape::Entity ...@@ -23,7 +23,7 @@ class DependencyEntity < Grape::Entity
private private
def can_read_vulnerabilities? def can_read_vulnerabilities?
can?(request.user, :read_project_security_dashboard, request.project) can?(request.user, :read_vulnerability, request.project)
end end
def can_read_licenses? def can_read_licenses?
......
...@@ -38,7 +38,7 @@ module API ...@@ -38,7 +38,7 @@ module API
end end
get ':id' do get ':id' do
vulnerability = Vulnerability.find(params[:id]) vulnerability = Vulnerability.find(params[:id])
authorize_vulnerability!(vulnerability, :read_project_security_dashboard) authorize_vulnerability!(vulnerability, :read_vulnerability)
render_vulnerability(vulnerability) render_vulnerability(vulnerability)
end end
......
...@@ -53,7 +53,7 @@ module API ...@@ -53,7 +53,7 @@ module API
success ::Vulnerabilities::OccurrenceEntity success ::Vulnerabilities::OccurrenceEntity
end end
get ':id/vulnerability_findings' do get ':id/vulnerability_findings' do
authorize! :read_project_security_dashboard, user_project authorize! :read_vulnerability, user_project
vulnerability_occurrences = paginate( vulnerability_occurrences = paginate(
Kaminari.paginate_array( Kaminari.paginate_array(
......
...@@ -882,7 +882,7 @@ module EE ...@@ -882,7 +882,7 @@ module EE
private private
def can_read_vulnerabilities?(user, project) def can_read_vulnerabilities?(user, project)
Ability.allowed?(user, :read_project_security_dashboard, project) Ability.allowed?(user, :read_vulnerability, project)
end end
end end
......
...@@ -334,32 +334,10 @@ describe ProjectPolicy do ...@@ -334,32 +334,10 @@ describe ProjectPolicy do
let(:current_user) { admin } let(:current_user) { admin }
let(:project) { create(:project, :private, namespace: owner.namespace) } let(:project) { create(:project, :private, namespace: owner.namespace) }
context 'with admin' do where(role: %w[admin owner maintainer developer reporter])
let(:current_user) { admin }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with owner' do with_them do
let(:current_user) { owner } let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_vulnerability_feedback) } it { is_expected.to be_allowed(:read_vulnerability_feedback) }
end end
...@@ -367,7 +345,7 @@ describe ProjectPolicy do ...@@ -367,7 +345,7 @@ describe ProjectPolicy do
context 'with guest' do context 'with guest' do
let(:current_user) { guest } let(:current_user) { guest }
it { is_expected.to be_allowed(:read_vulnerability_feedback) } it { is_expected.to be_disallowed(:read_vulnerability_feedback) }
end end
context 'with non member' do context 'with non member' do
...@@ -418,8 +396,8 @@ describe ProjectPolicy do ...@@ -418,8 +396,8 @@ describe ProjectPolicy do
context 'with private project' do context 'with private project' do
let(:project) { create(:project, :private, namespace: owner.namespace) } let(:project) { create(:project, :private, namespace: owner.namespace) }
context 'with guest or above' do context 'with reporter or above' do
let(:current_user) { guest } let(:current_user) { reporter }
it { is_expected.to be_allowed(:read_security_findings) } it { is_expected.to be_allowed(:read_security_findings) }
end end
......
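Review bot: The spec changes exercise `:read_vulnerability_feedback` and `:read_security_findings` but, within these hunks, nothing asserts the case the policy rewrite relies on: that `:read_vulnerability` and `:read_project_security_dashboard` are disallowed when the `security_dashboard` feature is unavailable, for a developer and for an auditor, now that the explicit `prevent` is gone. Unless this is already covered elsewhere in the file, a context along the lines of `context 'without security_dashboard feature' do`, `before { stub_licensed_features(security_dashboard: false) }`, `it { is_expected.to be_disallowed(:read_vulnerability, :read_project_security_dashboard) }` for each of those roles would pin the fail-closed behavior. The `where(role: …)` table with `public_send(role)` is fine as written since the role names come from a literal list, not from input.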