Fix group level vulnerability permissions

Bulk vulnerability dismissal checkboxes were not shown in the group Vulnerability Report section. This MR changes the GroupPolicy so that read_group_security_dashboard policy enables admin_vulnerabilty rule when the access level is developer or higher. Update specs to reflect this Changelog: fixed EE: true

Fix group level vulnerability permissions
Bulk vulnerability dismissal checkboxes were not shown in the group Vulnerability Report section. This MR changes the GroupPolicy so that read_group_security_dashboard policy enables admin_vulnerabilty rule when the access level is developer or higher. Update specs to reflect this Changelog: fixed EE: true
35634bd2 · Michał Zając · 5bb160d3 · 35634bd2 · 35634bd2 · 35634bd2
Commit 35634bd2 authored Jul 16, 2021 by Michał Zając
4 changed files
--- a/ee/app/helpers/groups/security_features_helper.rb
+++ b/ee/app/helpers/groups/security_features_helper.rb
@@ -46,7 +46,8 @@ module Groups::SecurityFeaturesHelper
      survey_request_svg_path: image_path('illustrations/security-dashboard_empty.svg'),
      dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
      vulnerabilities_export_endpoint: expose_path(api_v4_security_groups_vulnerability_exports_path(id: group.id)),
-      scanners: VulnerabilityScanners::ListService.new(group).execute.to_json
+      scanners: VulnerabilityScanners::ListService.new(group).execute.to_json,
+      can_admin_vulnerability: can?(current_user, :admin_vulnerability, group).to_s
    }
  end
 end
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -281,7 +281,10 @@ module EE
        enable :read_group_audit_events
      end

-      rule { security_dashboard_enabled & developer }.enable :read_group_security_dashboard
+      rule { security_dashboard_enabled & developer }.policy do
+        enable :read_group_security_dashboard
+        enable :admin_vulnerability
+      end

      rule { can?(:read_group_security_dashboard) }.policy do
        enable :create_vulnerability_export

--- a/ee/spec/helpers/groups/security_features_helper_spec.rb
+++ b/ee/spec/helpers/groups/security_features_helper_spec.rb
@@ -154,21 +154,27 @@ RSpec.describe Groups::SecurityFeaturesHelper do
  end

  describe '#group_level_security_dashboard_data' do
+    subject { helper.group_level_security_dashboard_data(group) }
+
+    before do
+      allow(helper).to receive(:current_user).and_return(:user)
+      allow(helper).to receive(:can?).and_return(true)
+    end
+
    let(:expected_data) do
      {
        projects_endpoint: "http://localhost/api/v4/groups/#{group.id}/projects",
        group_full_path: group.full_path,
-        no_vulnerabilities_svg_path: '/images/illustrations/issues.svg',
-        empty_state_svg_path: '/images/illustrations/security-dashboard-empty-state.svg',
-        survey_request_svg_path: '/images/illustrations/security-dashboard_empty.svg',
-        dashboard_documentation: '/help/user/application_security/security_dashboard/index',
+        no_vulnerabilities_svg_path: helper.image_path('illustrations/issues.svg'),
+        empty_state_svg_path: helper.image_path('illustrations/security-dashboard-empty-state.svg'),
+        survey_request_svg_path: helper.image_path('illustrations/security-dashboard_empty.svg'),
+        dashboard_documentation: help_page_path('user/application_security/security_dashboard/index'),
        vulnerabilities_export_endpoint: "/api/v4/security/groups/#{group.id}/vulnerability_exports",
-        scanners: '[]'
+        scanners: '[]',
+        can_admin_vulnerability: 'true'
      }
    end

-    subject { group_level_security_dashboard_data(group) }
-
    it { is_expected.to eq(expected_data) }
  end
 end
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -6,6 +6,9 @@ RSpec.describe GroupPolicy do
  include AdminModeHelper

  include_context 'GroupPolicy context'
+  # Can't move to GroupPolicy context because auditor trait is not present
+  # outside of EE context and foss-impact will fail on this
+  let_it_be(:auditor) { create(:user, :auditor) }

  let(:epic_rules) do
    %i(read_epic create_epic admin_epic destroy_epic read_confidential_epic
@@ -846,6 +849,66 @@ RSpec.describe GroupPolicy do
    end
  end

+  describe 'admin_vulnerability' do
+    before do
+      stub_licensed_features(security_dashboard: true)
+    end
+
+    context 'with guest' do
+      let(:current_user) { auditor }
+
+      it { is_expected.to be_disallowed(:admin_vulnerability) }
+    end
+
+    context 'with reporter' do
+      let(:current_user) { reporter }
+
+      it { is_expected.to be_disallowed(:admin_vulnerability) }
+    end
+
+    context 'with developer' do
+      let(:current_user) { developer }
+
+      it { is_expected.to be_allowed(:admin_vulnerability) }
+    end
+
+    context 'with maintainer' do
+      let(:current_user) { maintainer }
+
+      it { is_expected.to be_allowed(:admin_vulnerability) }
+    end
+
+    context 'with owner' do
+      let(:current_user) { owner }
+
+      it { is_expected.to be_allowed(:admin_vulnerability) }
+    end
+
+    context 'with auditor' do
+      let(:current_user) { auditor }
+
+      context "when auditor is not a group member" do
+        it { is_expected.to be_disallowed(:admin_vulnerability) }
+      end
+
+      context "when developer doesn't have developer-level access to a group" do
+        before do
+          group.add_reporter(auditor)
+        end
+
+        it { is_expected.to be_disallowed(:admin_vulnerability) }
+      end
+
+      context 'when auditor has developer-level access to a group' do
+        before do
+          group.add_developer(auditor)
+        end
+
+        it { is_expected.to be_allowed(:admin_vulnerability) }
+      end
+    end
+  end
+
  describe 'read_group_security_dashboard & create_vulnerability_export' do
    let(:abilities) do
      %i[read_group_security_dashboard create_vulnerability_export read_security_resource]