Commit 26720aaf authored by Robert Speicher's avatar Robert Speicher

Merge branch...

Merge branch '336214-bulk-dismissal-checkboxes-don-t-appear-on-group-vulnerability-report' into 'master'

Resolve "Bulk dismissal checkboxes don't appear on group vulnerability report"

See merge request gitlab-org/gitlab!66312
parents 698c6284 35634bd2
......@@ -46,7 +46,8 @@ module Groups::SecurityFeaturesHelper
survey_request_svg_path: image_path('illustrations/security-dashboard_empty.svg'),
dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
vulnerabilities_export_endpoint: expose_path(api_v4_security_groups_vulnerability_exports_path(id: group.id)),
scanners: VulnerabilityScanners::ListService.new(group).execute.to_json
scanners: VulnerabilityScanners::ListService.new(group).execute.to_json,
can_admin_vulnerability: can?(current_user, :admin_vulnerability, group).to_s
}
end
end
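Review bot: `can_admin_vulnerability` is stringified with `.to_s` and handed to the frontend, so it can only decide whether the bulk-dismissal checkboxes are rendered; it is not itself an authorization check, and the endpoint or mutation that performs the dismissal has to evaluate `:admin_vulnerability` on its own. A short comment would keep the next maintainer from treating this key as the access control, e.g. `# UI hint only: whether to render bulk-dismissal controls; the dismissal itself is authorized server-side`. The hash literal and the enclosing `group_level_security_dashboard_data` method start outside the hunk, so whether `current_user` can be nil here (anonymous group visitor) is not visible; if it can, confirm `can?` tolerates a nil user at this call site.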
......@@ -281,7 +281,10 @@ module EE
enable :read_group_audit_events
end
rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard
rule { security_dashboard_enabled & developer }.policy do
enable :read_group_security_dashboard
enable :admin_vulnerability
end
rule { can?(:read_group_security_dashboard) }.policy do
enable :create_vulnerability_export
......
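Review bot: The new `admin_vulnerability` ability is granted on the same condition as `read_group_security_dashboard` (`security_dashboard_enabled & developer`), but nothing in the rule explains why developer is the threshold for a write ability, and the block carries no comment. The accompanying spec shows the intended boundary — guest, reporter and non-member auditors stay read-only while developer, maintainer and owner may administer — so a one-line comment above the `rule` would make that intent reviewable at the policy instead of only in the spec, e.g. `# developer and above may modify (e.g. dismiss) vulnerabilities; lower roles and non-member auditors keep the dashboard read-only`. If this is meant to mirror a project-level `admin_vulnerability` rule, naming that in the comment would also help keep the two from drifting apart. The surrounding `rule` chain continues past the end of the hunk.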
......@@ -154,21 +154,27 @@ RSpec.describe Groups::SecurityFeaturesHelper do
end
describe '#group_level_security_dashboard_data' do
subject { helper.group_level_security_dashboard_data(group) }
before do
allow(helper).to receive(:current_user).and_return(:user)
allow(helper).to receive(:can?).and_return(true)
end
let(:expected_data) do
{
projects_endpoint: "http://localhost/api/v4/groups/#{group.id}/projects",
group_full_path: group.full_path,
no_vulnerabilities_svg_path: '/images/illustrations/issues.svg',
empty_state_svg_path: '/images/illustrations/security-dashboard-empty-state.svg',
survey_request_svg_path: '/images/illustrations/security-dashboard_empty.svg',
dashboard_documentation: '/help/user/application_security/security_dashboard/index',
no_vulnerabilities_svg_path: helper.image_path('illustrations/issues.svg'),
empty_state_svg_path: helper.image_path('illustrations/security-dashboard-empty-state.svg'),
survey_request_svg_path: helper.image_path('illustrations/security-dashboard_empty.svg'),
dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
vulnerabilities_export_endpoint: "/api/v4/security/groups/#{group.id}/vulnerability_exports",
scanners: '[]'
scanners: '[]',
can_admin_vulnerability: 'true'
}
end
subject { group_level_security_dashboard_data(group) }
it { is_expected.to eq(expected_data) }
end
end
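Review bot: The stub `allow(helper).to receive(:can?).and_return(true)` answers true for any ability, user and subject, so the example passes even if the helper asked for the wrong ability or the wrong subject; constraining it pins the contract the view relies on: `allow(helper).to receive(:can?).with(:user, :admin_vulnerability, group).and_return(true)`. A second example with the stub returning `false` and expecting `can_admin_vulnerability: 'false'` would also cover the `.to_s` conversion for the denied case, which is the branch that matters for hiding the bulk-dismissal controls. The `describe` block that owns this `before` starts inside the hunk, but the `RSpec.describe` it belongs to starts outside it.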
......@@ -6,6 +6,9 @@ RSpec.describe GroupPolicy do
include AdminModeHelper
include_context 'GroupPolicy context'
# Can't move to GroupPolicy context because auditor trait is not present
# outside of EE context and foss-impact will fail on this
let_it_be(:auditor) { create(:user, :auditor) }
let(:epic_rules) do
%i(read_epic create_epic admin_epic destroy_epic read_confidential_epic
......@@ -846,6 +849,66 @@ RSpec.describe GroupPolicy do
end
end
describe 'admin_vulnerability' do
before do
stub_licensed_features(security_dashboard: true)
end
context 'with guest' do
let(:current_user) { auditor }
it { is_expected.to be_disallowed(:admin_vulnerability) }
end
context 'with reporter' do
let(:current_user) { reporter }
it { is_expected.to be_disallowed(:admin_vulnerability) }
end
context 'with developer' do
let(:current_user) { developer }
it { is_expected.to be_allowed(:admin_vulnerability) }
end
context 'with maintainer' do
let(:current_user) { maintainer }
it { is_expected.to be_allowed(:admin_vulnerability) }
end
context 'with owner' do
let(:current_user) { owner }
it { is_expected.to be_allowed(:admin_vulnerability) }
end
context 'with auditor' do
let(:current_user) { auditor }
context "when auditor is not a group member" do
it { is_expected.to be_disallowed(:admin_vulnerability) }
end
context "when developer doesn't have developer-level access to a group" do
before do
group.add_reporter(auditor)
end
it { is_expected.to be_disallowed(:admin_vulnerability) }
end
context 'when auditor has developer-level access to a group' do
before do
group.add_developer(auditor)
end
it { is_expected.to be_allowed(:admin_vulnerability) }
end
end
end
describe 'read_group_security_dashboard & create_vulnerability_export' do
let(:abilities) do
%i[read_group_security_dashboard create_vulnerability_export read_security_resource]
......
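Review bot: The `context 'with guest'` example sets `let(:current_user) { auditor }`, so the guest role is never actually exercised and the disallowed expectation is satisfied by the non-member auditor instead; it should read `let(:current_user) { guest }`, assuming the shared 'GroupPolicy context' defines `guest` the way it defines `reporter` and `developer` (that context is outside the hunk). The description `"when developer doesn't have developer-level access to a group"` under the auditor context also names the wrong actor: the user is the auditor added as a reporter, so `'when auditor has less than developer-level access to a group'` describes what the example does. Both changes are one line each and leave the expectations untouched.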