Merge branch '13247-vulnerabilities-permissions' into 'master'

Permissions for vulnerabilities See merge request gitlab-org/gitlab!21265

Merge branch '13247-vulnerabilities-permissions' into 'master'
Permissions for vulnerabilities See merge request gitlab-org/gitlab!21265
e236140b · Douglas Barbosa Alexandre · 381216c2 · cc7bcf73 · e236140b · e236140b
Commit e236140b authored Dec 13, 2019 by Douglas Barbosa Alexandre
8 changed files
--- a/ee/app/controllers/projects/security/dependencies_controller.rb
+++ b/ee/app/controllers/projects/security/dependencies_controller.rb
@@ -20,7 +20,7 @@ module Projects
      def can_access_vulnerable?
        return true unless query_params[:filter] == 'vulnerable'
-        can?(current_user, :read_project_security_dashboard, project)
+        can?(current_user, :read_vulnerability, project)
      end
      def can_collect_dependencies?

--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -25,8 +25,8 @@ module EE
        ::Gitlab::CurrentSettings.lock_memberships_to_ldap?
      end
-      condition(:security_dashboard_feature_disabled) do
+      condition(:security_dashboard_enabled) do
-        !@subject.feature_available?(:security_dashboard)
+        @subject.feature_available?(:security_dashboard)
      end
      condition(:needs_new_sso_session) do
@@ -129,13 +129,10 @@ module EE
      end
      rule { developer }.policy do
-        enable :read_group_security_dashboard
        enable :admin_merge_request
      end
-      rule { security_dashboard_feature_disabled }.policy do
+      rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard
-        prevent :read_group_security_dashboard
-      end
      rule { needs_new_sso_session }.policy do
        prevent :read_group

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -62,8 +62,8 @@ module EE
      end
      with_scope :subject
-      condition(:security_dashboard_feature_disabled) do
+      condition(:security_dashboard_enabled) do
-        !@subject.feature_available?(:security_dashboard)
+        @subject.feature_available?(:security_dashboard)
      end
      condition(:prometheus_alerts_enabled) do
@@ -157,25 +157,19 @@ module EE
      rule { can?(:public_access) }.enable :read_package
-      rule { can?(:read_project) & can?(:read_build) }.enable :read_security_findings
+      rule { can?(:read_build) & can?(:download_code) }.enable :read_security_findings
-      rule { can?(:developer_access) }.policy do
+      rule { security_dashboard_enabled & can?(:developer_access) }.enable :read_vulnerability
-        enable :read_project_security_dashboard
-      end
-      rule { security_dashboard_feature_disabled }.policy do
-        prevent :read_project_security_dashboard
-      end
-      rule { can?(:read_project_security_dashboard) & can?(:developer_access) }.policy do
+      rule { can?(:read_vulnerability) }.policy do
-        enable :read_vulnerability
+        enable :read_project_security_dashboard
        enable :create_vulnerability
        enable :admin_vulnerability
      end
      rule { threat_monitoring_enabled & (auditor | can?(:developer_access)) }.enable :read_threat_monitoring
-      rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
+      rule { can?(:read_security_findings) }.enable :read_vulnerability_feedback
      rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies
@@ -216,13 +210,17 @@ module EE
        enable :read_environment
        enable :read_deployment
        enable :read_pages
-        enable :read_project_security_dashboard
      end
-      rule { auditor & can?(:read_project_security_dashboard) }.policy do
+      rule { auditor & security_dashboard_enabled }.policy do
        enable :read_vulnerability
      end
+      rule { auditor & ~developer }.policy do
+        prevent :create_vulnerability
+        prevent :admin_vulnerability
+      end
      rule { auditor & ~guest }.policy do
        prevent :create_project
        prevent :create_issue

--- a/ee/app/serializers/dependency_entity.rb
+++ b/ee/app/serializers/dependency_entity.rb
@@ -23,7 +23,7 @@ class DependencyEntity < Grape::Entity
  private
  def can_read_vulnerabilities?
-    can?(request.user, :read_project_security_dashboard, request.project)
+    can?(request.user, :read_vulnerability, request.project)
  end
  def can_read_licenses?

--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -38,7 +38,7 @@ module API
      end
      get ':id' do
        vulnerability = Vulnerability.find(params[:id])
-        authorize_vulnerability!(vulnerability, :read_project_security_dashboard)
+        authorize_vulnerability!(vulnerability, :read_vulnerability)
        render_vulnerability(vulnerability)
      end

--- a/ee/lib/api/vulnerability_findings.rb
+++ b/ee/lib/api/vulnerability_findings.rb
@@ -53,7 +53,7 @@ module API
        success ::Vulnerabilities::OccurrenceEntity
      end
      get ':id/vulnerability_findings' do
-        authorize! :read_project_security_dashboard, user_project
+        authorize! :read_vulnerability, user_project
        vulnerability_occurrences = paginate(
          Kaminari.paginate_array(

--- a/ee/lib/ee/api/entities.rb
+++ b/ee/lib/ee/api/entities.rb
@@ -882,7 +882,7 @@ module EE
        private
        def can_read_vulnerabilities?(user, project)
-          Ability.allowed?(user, :read_project_security_dashboard, project)
+          Ability.allowed?(user, :read_vulnerability, project)
        end
      end

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -334,32 +334,10 @@ describe ProjectPolicy do
      let(:current_user) { admin }
      let(:project) { create(:project, :private, namespace: owner.namespace) }
-      context 'with admin' do
+      where(role: %w[admin owner maintainer developer reporter])
-        let(:current_user) { admin }
-        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
-      end
-      context 'with owner' do
-        let(:current_user) { owner }
-        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
-      end
-      context 'with maintainer' do
-        let(:current_user) { maintainer }
-        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
-      end
-      context 'with developer' do
-        let(:current_user) { developer }
-        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
-      end
-      context 'with reporter' do
+      with_them do
-        let(:current_user) { reporter }
+        let(:current_user) { public_send(role) }
        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
      end
@@ -367,7 +345,7 @@ describe ProjectPolicy do
      context 'with guest' do
        let(:current_user) { guest }
-        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
+        it { is_expected.to be_disallowed(:read_vulnerability_feedback) }
      end
      context 'with non member' do
@@ -418,8 +396,8 @@ describe ProjectPolicy do
    context 'with private project' do
      let(:project) { create(:project, :private, namespace: owner.namespace) }
-      context 'with guest or above' do
+      context 'with reporter or above' do
-        let(:current_user) { guest }
+        let(:current_user) { reporter }
        it { is_expected.to be_allowed(:read_security_findings) }
      end