Merge branch 'issue#227542-rename-read_vulnerability-policy' into 'master'

Rename read_vulnerability to read_security_resource policy

See merge request gitlab-org/gitlab!58704

app/models/note.rb

@@ -276,6 +276,10 @@ class Note < ApplicationRecord
     noteable_type == 'AlertManagement::Alert'
   end
 
+  def for_vulnerability?
+    noteable_type == "Vulnerability"
+  end
+
   def for_project_snippet?
     noteable.is_a?(ProjectSnippet)
   end
@@ -411,6 +415,8 @@ class Note < ApplicationRecord
       'snippet'
     elsif for_alert_mangement_alert?
       'alert_management_alert'
+    elsif for_vulnerability?
+      'security_resource'
     else
       noteable_type.demodulize.underscore
     end

ee/app/controllers/ee/projects/issues_controller.rb

@@ -117,7 +117,7 @@ module EE
       end
 
       def populate_vulnerability_id
-        self.vulnerability_id = params[:vulnerability_id] if can?(current_user, :read_vulnerability, project)
+        self.vulnerability_id = params[:vulnerability_id] if can?(current_user, :read_security_resource, project)
       end
 
       def redirect_if_test_case

ee/app/controllers/projects/dependencies_controller.rb

@@ -26,7 +26,7 @@ module Projects
     def can_access_vulnerable?
       return true unless query_params[:filter] == 'vulnerable'
 
-      can?(current_user, :read_vulnerability, project)
+      can?(current_user, :read_security_resource, project)
     end
 
     def can_collect_dependencies?

ee/app/controllers/projects/security/scanned_resources_controller.rb

@@ -51,7 +51,7 @@ module Projects
       end
 
       def authorize_read_vulnerability!
-        return if can?(current_user, :read_vulnerability, project)
+        return if can?(current_user, :read_security_resource, project)
 
         render_404
       end

ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb

@@ -28,7 +28,7 @@ module Projects
         def vulnerability
           @vulnerability ||= @project.vulnerabilities.find(params[:vulnerability_id])
 
-          return render_404 unless can?(current_user, :read_vulnerability, @vulnerability)
+          return render_404 unless can?(current_user, :read_security_resource, @vulnerability)
 
           @vulnerability
         end

ee/app/graphql/ee/types/project_type.rb

@@ -172,7 +172,7 @@ module EE
       end
 
       def api_fuzzing_ci_configuration
-        return unless Ability.allowed?(current_user, :read_vulnerability, object)
+        return unless Ability.allowed?(current_user, :read_security_resource, object)
 
         configuration = ::AppSec::Fuzzing::Api::CiConfiguration.new(project: object)
 

ee/app/graphql/mutations/instance_security_dashboard/add_project.rb

@@ -37,7 +37,7 @@ module Mutations
 
       def add_project(project)
         Dashboard::Projects::CreateService
-          .new(current_user, current_user.security_dashboard_projects, ability: :read_vulnerability)
+          .new(current_user, current_user.security_dashboard_projects, ability: :read_security_resource)
           .execute([project.id])
       end
 

ee/app/graphql/resolvers/vulnerability_severities_count_resolver.rb

@@ -6,7 +6,7 @@ module Resolvers
     include Gitlab::Graphql::Authorize::AuthorizeResource
 
     type Types::VulnerabilitySeveritiesCountType, null: true
-    authorize :read_vulnerability
+    authorize :read_security_resource
     authorizes_object!
 
     argument :project_id, [GraphQL::ID_TYPE],

ee/app/graphql/types/vulnerability/external_issue_link_type.rb

@@ -6,7 +6,7 @@ module Types
       graphql_name 'VulnerabilityExternalIssueLink'
       description 'Represents an external issue link of a vulnerability'
 
-      authorize :read_vulnerability
+      authorize :read_security_resource
 
       field :id, GlobalIDType[::Vulnerabilities::ExternalIssueLink], null: false,
             description: 'GraphQL ID of the external issue link.'

ee/app/graphql/types/vulnerability_type.rb

@@ -7,7 +7,7 @@ module Types
 
     implements(Types::Notes::NoteableType)
 
-    authorize :read_vulnerability
+    authorize :read_security_resource
 
     expose_permissions Types::PermissionTypes::Vulnerability
 

ee/app/policies/ee/group_policy.rb

@@ -282,7 +282,7 @@ module EE
 
       rule { can?(:read_group_security_dashboard) }.policy do
         enable :create_vulnerability_export
-        enable :read_vulnerability
+        enable :read_security_resource
       end
 
       rule { admin | owner }.policy do

ee/app/policies/ee/project_policy.rb

@@ -196,7 +196,7 @@ module EE
       end
 
       rule { security_dashboard_enabled & can?(:developer_access) }.policy do
-        enable :read_vulnerability
+        enable :read_security_resource
         enable :read_vulnerability_scanner
       end
 
@@ -211,7 +211,7 @@ module EE
 
       rule { can?(:read_merge_request) & can?(:read_pipeline) }.enable :read_merge_train
 
-      rule { can?(:read_vulnerability) }.policy do
+      rule { can?(:read_security_resource) }.policy do
         enable :read_project_security_dashboard
         enable :create_vulnerability
         enable :create_vulnerability_export
@@ -271,7 +271,7 @@ module EE
       end
 
       rule { auditor & security_dashboard_enabled }.policy do
-        enable :read_vulnerability
+        enable :read_security_resource
         enable :read_vulnerability_scanner
       end
 

ee/app/policies/instance_security_dashboard_policy.rb

@@ -8,7 +8,7 @@ class InstanceSecurityDashboardPolicy < BasePolicy
 
   rule { ~anonymous }.policy do
     enable :read_instance_security_dashboard
-    enable :read_vulnerability
+    enable :read_security_resource
   end
 
   rule { security_dashboard_enabled & can?(:read_instance_security_dashboard) }.enable :create_vulnerability_export

ee/app/policies/security/scan_policy.rb

@@ -4,7 +4,7 @@ module Security
   class ScanPolicy < BasePolicy
     delegate { @subject.project }
 
-    rule { can?(:read_vulnerability) }.policy do
+    rule { can?(:read_security_resource) }.policy do
       enable :read_scan
     end
   end

ee/app/presenters/ee/ci/pipeline_presenter.rb

@@ -6,7 +6,7 @@ module EE
       extend ActiveSupport::Concern
 
       def expose_security_dashboard?
-        return false unless can?(current_user, :read_vulnerability, pipeline.project)
+        return false unless can?(current_user, :read_security_resource, pipeline.project)
 
         Ci::JobArtifact::SECURITY_REPORT_FILE_TYPES.any? { |file_type| batch_lookup_report_artifact_for_file_type(file_type.to_sym) }
       end

ee/app/serializers/dependency_entity.rb

@@ -28,7 +28,7 @@ class DependencyEntity < Grape::Entity
   private
 
   def can_read_vulnerabilities?
-    can?(request.user, :read_vulnerability, request.project)
+    can?(request.user, :read_security_resource, request.project)
   end
 
   def can_read_licenses?

ee/app/serializers/ee/merge_request_widget_entity.rb

@@ -62,7 +62,7 @@ module EE
       end
 
       expose :can_read_vulnerabilities do |merge_request|
-        can?(current_user, :read_vulnerability, merge_request.project)
+        can?(current_user, :read_security_resource, merge_request.project)
       end
 
       expose :can_read_vulnerability_feedback do |merge_request|

ee/app/services/vulnerability_feedback/create_service.rb

@@ -116,7 +116,7 @@ module VulnerabilityFeedback
     def create_vulnerability_issue_link(vulnerability_id, issue)
       return unless vulnerability_id
 
-      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :read_vulnerability, project)
+      raise Gitlab::Access::AccessDeniedError unless can?(current_user, :read_security_resource, project)
 
       vulnerability = project.vulnerabilities.find_by_id(vulnerability_id)
 

ee/lib/api/vulnerabilities.rb

@@ -32,7 +32,7 @@ module API
     end
     resource :vulnerabilities do
       before do
-        @vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+        @vulnerability = find_and_authorize_vulnerability!(:read_security_resource)
       end
 
       desc 'Get a vulnerability' do
@@ -94,7 +94,7 @@ module API
         use :pagination
       end
       get ':id/vulnerabilities' do
-        authorize! :read_vulnerability, user_project
+        authorize! :read_security_resource, user_project
 
         vulnerabilities = paginate(
           vulnerabilities_by(user_project)

ee/lib/api/vulnerability_findings.rb

@@ -84,7 +84,7 @@ module API
         success ::Vulnerabilities::FindingEntity
       end
       get ':id/vulnerability_findings' do
-        authorize! :read_vulnerability, user_project
+        authorize! :read_security_resource, user_project
 
         Gitlab::Vulnerabilities::FindingsPreloader.preload_feedback!(vulnerability_findings)
 

ee/lib/api/vulnerability_issue_links.rb

@@ -34,7 +34,7 @@ module API
         success EE::API::Entities::VulnerabilityRelatedIssue
       end
       get ':id/issue_links' do
-        vulnerability = find_and_authorize_vulnerability!(:read_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:read_security_resource)
         related_issues = vulnerability.related_issues.with_api_entity_associations.with_vulnerability_links
         present Ability.issues_readable_by_user(related_issues, current_user),
                 with: EE::API::Entities::VulnerabilityRelatedIssue

ee/lib/ee/api/entities/dependency.rb

@@ -13,7 +13,7 @@ module EE
         private
 
         def can_read_vulnerabilities?(user, project)
-          Ability.allowed?(user, :read_vulnerability, project)
+          Ability.allowed?(user, :read_security_resource, project)
         end
       end
     end

ee/lib/ee/banzai/reference_parser/vulnerability_parser.rb

@@ -17,7 +17,7 @@ module EE
         end
 
         def can_read_reference?(user, vulnerability)
-          can?(user, :read_vulnerability, vulnerability)
+          can?(user, :read_security_resource, vulnerability)
         end
       end
     end

ee/spec/graphql/types/vulnerability_type_spec.rb

@@ -47,7 +47,7 @@ RSpec.describe GitlabSchema.types['Vulnerability'] do
   subject { GitlabSchema.execute(query, context: { current_user: user }).as_json }
 
   it { expect(described_class).to have_graphql_fields(fields) }
-  it { expect(described_class).to require_graphql_authorizations(:read_vulnerability) }
+  it { expect(described_class).to require_graphql_authorizations(:read_security_resource) }
 
   describe 'vulnerability_path' do
     let(:query) do

ee/spec/policies/group_policy_spec.rb

@@ -848,7 +848,7 @@ RSpec.describe GroupPolicy do
 
   describe 'read_group_security_dashboard & create_vulnerability_export' do
     let(:abilities) do
-      %i[read_group_security_dashboard create_vulnerability_export read_vulnerability]
+      %i[read_group_security_dashboard create_vulnerability_export read_security_resource]
     end
 
     before do

ee/spec/policies/instance_security_dashboard_policy_spec.rb

@@ -13,7 +13,7 @@ RSpec.describe InstanceSecurityDashboardPolicy do
   subject { described_class.new(current_user, [user]) }
 
   describe 'read_instance_security_dashboard' do
-    let(:abilities) { %i[read_instance_security_dashboard read_vulnerability] }
+    let(:abilities) { %i[read_instance_security_dashboard read_security_resource] }
 
     context 'when the user is not logged in' do
       let(:current_user) { nil }

ee/spec/policies/project_policy_spec.rb

@@ -23,7 +23,7 @@ RSpec.describe ProjectPolicy do
     let(:additional_developer_permissions) do
       %i[
         admin_vulnerability_feedback read_project_audit_events read_project_security_dashboard
-        read_vulnerability read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
+        read_security_resource read_vulnerability_scanner create_vulnerability create_vulnerability_export admin_vulnerability
         admin_vulnerability_issue_link admin_vulnerability_external_issue_link read_merge_train
       ]
     end
@@ -41,7 +41,7 @@ RSpec.describe ProjectPolicy do
         read_pipeline read_build read_commit_status read_container_image
         read_environment read_deployment read_merge_request read_pages
         create_merge_request_in award_emoji
-        read_project_security_dashboard read_vulnerability read_vulnerability_scanner
+        read_project_security_dashboard read_security_resource read_vulnerability_scanner
         read_software_license_policy
         read_threat_monitoring read_merge_train
         read_release

ee/spec/policies/vulnerability_policy_spec.rb

@@ -3,7 +3,7 @@
 require 'spec_helper'
 
 RSpec.describe VulnerabilityPolicy do
-  describe 'read_vulnerability' do
+  describe 'read_security_resource' do
     let(:project) { create(:project) }
     let(:user) { create(:user) }
     let(:vulnerability) { create(:vulnerability, project: project) }
@@ -20,11 +20,11 @@ RSpec.describe VulnerabilityPolicy do
           project.add_developer(user)
         end
 
-        it { is_expected.to be_allowed(:read_vulnerability) }
+        it { is_expected.to be_allowed(:read_security_resource) }
       end
 
       context "when the current user does not have developer access to the vulnerability's project" do
-        it { is_expected.to be_disallowed(:read_vulnerability) }
+        it { is_expected.to be_disallowed(:read_security_resource) }
       end
     end
 
@@ -35,7 +35,7 @@ RSpec.describe VulnerabilityPolicy do
         project.add_developer(user)
       end
 
-      it { is_expected.to be_disallowed(:read_vulnerability) }
+      it { is_expected.to be_disallowed(:read_security_resource) }
     end
   end
 end

ee/spec/services/dashboard/projects/create_service_spec.rb

@@ -78,7 +78,7 @@ RSpec.describe Dashboard::Projects::CreateService do
         context 'with project for which user has no permission' do
           let(:input) { [project.id] }
           let(:feature) { nil }
-          let(:ability) { :read_vulnerability }
+          let(:ability) { :read_security_resource }
           let(:permission_available) { false }
 
           it 'does not check if feature is available' do