Tune security findings policy

Don't allow guests of private projects see findings since they don't have an access to the repo

Tune security findings policy
Don't allow guests of private projects see findings since they don't have an access to the repo
509ff29b · Tetiana Chupryna · af69fb12 · 509ff29b · 509ff29b
Commit 509ff29b authored Dec 05, 2019 by Tetiana Chupryna
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 3 deletions

ee/app/policies/ee/project_policy.rb ee/app/policies/ee/project_policy.rb +1 -1

ee/spec/policies/project_policy_spec.rb ee/spec/policies/project_policy_spec.rb +2 -2

No files found.
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -157,7 +157,7 @@ module EE

      rule { can?(:public_access) }.enable :read_package

-      rule { can?(:read_project) & can?(:read_build) }.enable :read_security_findings
+      rule { can?(:read_build) & can?(:download_code) }.enable :read_security_findings

      rule { can?(:developer_access) }.policy do
        enable :read_project_security_dashboard

--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -418,8 +418,8 @@ describe ProjectPolicy do
    context 'with private project' do
      let(:project) { create(:project, :private, namespace: owner.namespace) }

-      context 'with guest or above' do
-        let(:current_user) { guest }
+      context 'with reporter or above' do
+        let(:current_user) { reporter }

        it { is_expected.to be_allowed(:read_security_findings) }
      end