Disable access to "Security & Compliance" resources

These resources will be forbidden to access if the feature is off.

Disable access to "Security & Compliance" resources
These resources will be forbidden to access if the feature is off.
5a1517a5 · Mehmet Emin INAC · Stan Hu · c65265b4 · 5a1517a5 · 5a1517a5
Commit 5a1517a5 authored Feb 04, 2021 by Mehmet Emin INAC Committed by Stan Hu Feb 10, 2021
43 changed files
--- a/ee/app/controllers/concerns/security_and_compliance_permissions.rb
+++ b/ee/app/controllers/concerns/security_and_compliance_permissions.rb
+# frozen_string_literal: true
+module SecurityAndCompliancePermissions
+  extend ActiveSupport::Concern
+  included do
+    before_action :ensure_security_and_compliance_enabled!
+  end
+  private
+  def ensure_security_and_compliance_enabled!
+    render_404 unless can?(current_user, :access_security_and_compliance, project)
+  end
+end
--- a/ee/app/controllers/ee/projects/security/configuration_controller.rb
+++ b/ee/app/controllers/ee/projects/security/configuration_controller.rb
@@ -7,6 +7,8 @@ module EE
        extend ::Gitlab::Utils::Override
        prepended do
+          include SecurityAndCompliancePermissions
          alias_method :vulnerable, :project
          before_action :ensure_security_dashboard_feature_enabled!, except: [:show]

--- a/ee/app/controllers/projects/audit_events_controller.rb
+++ b/ee/app/controllers/projects/audit_events_controller.rb
 # frozen_string_literal: true
 class Projects::AuditEventsController < Projects::ApplicationController
+  include SecurityAndCompliancePermissions
  include Gitlab::Utils::StrongMemoize
  include LicenseHelper
  include AuditEvents::EnforcesValidDateParams

--- a/ee/app/controllers/projects/dependencies_controller.rb
+++ b/ee/app/controllers/projects/dependencies_controller.rb
@@ -2,6 +2,8 @@
 module Projects
  class DependenciesController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
    before_action :authorize_read_dependency_list!
    feature_category :dependency_scanning

--- a/ee/app/controllers/projects/licenses_controller.rb
+++ b/ee/app/controllers/projects/licenses_controller.rb
@@ -2,6 +2,8 @@
 module Projects
  class LicensesController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
    before_action :authorize_read_licenses!, only: [:index]
    before_action :authorize_admin_software_license_policy!, only: [:create, :update]

--- a/ee/app/controllers/projects/on_demand_scans_controller.rb
+++ b/ee/app/controllers/projects/on_demand_scans_controller.rb
@@ -2,6 +2,8 @@
 module Projects
  class OnDemandScansController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
    before_action do
      push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)
      push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
+++ b/ee/app/controllers/projects/security/api_fuzzing_configuration_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class ApiFuzzingConfigurationController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions
      alias_method :vulnerable, :project

--- a/ee/app/controllers/projects/security/corpus_management_controller.rb
+++ b/ee/app/controllers/projects/security/corpus_management_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class CorpusManagementController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      before_action do
        render_404 unless Feature.enabled?(:corpus_management, @project, default_enabled: :yaml)
        authorize_read_coverage_fuzzing!

--- a/ee/app/controllers/projects/security/dashboard_controller.rb
+++ b/ee/app/controllers/projects/security/dashboard_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class DashboardController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions
      alias_method :vulnerable, :project

--- a/ee/app/controllers/projects/security/dast_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      before_action do
        authorize_read_on_demand_scans!
        push_frontend_feature_flag(:security_on_demand_scans_site_validation, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_scanner_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastScannerProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      before_action :authorize_read_on_demand_scans!
      feature_category :dynamic_application_security_testing

--- a/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
+++ b/ee/app/controllers/projects/security/dast_site_profiles_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DastSiteProfilesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      before_action do
        authorize_read_on_demand_scans!
        push_frontend_feature_flag(:security_dast_site_profiles_additional_fields, @project, default_enabled: :yaml)

--- a/ee/app/controllers/projects/security/discover_controller.rb
+++ b/ee/app/controllers/projects/security/discover_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class DiscoverController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      feature_category :navigation
      def show

--- a/ee/app/controllers/projects/security/network_policies_controller.rb
+++ b/ee/app/controllers/projects/security/network_policies_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class NetworkPoliciesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      POLLING_INTERVAL = 5_000
      before_action :authorize_read_threat_monitoring!

--- a/ee/app/controllers/projects/security/sast_configuration_controller.rb
+++ b/ee/app/controllers/projects/security/sast_configuration_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class SastConfigurationController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include CreatesCommit
      include SecurityDashboardsPermissions

--- a/ee/app/controllers/projects/security/scanned_resources_controller.rb
+++ b/ee/app/controllers/projects/security/scanned_resources_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class ScannedResourcesController < ::Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      before_action :authorize_read_vulnerability!
      before_action :scanned_resources

--- a/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities/notes_controller.rb
@@ -6,6 +6,7 @@ module Projects
      class NotesController < Projects::ApplicationController
        extend ::Gitlab::Utils::Override
+        include SecurityAndCompliancePermissions
        include SecurityDashboardsPermissions
        include NotesActions
        include NotesHelper

--- a/ee/app/controllers/projects/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerabilities_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class VulnerabilitiesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions
      include IssuableActions
      include RendersNotes

--- a/ee/app/controllers/projects/security/vulnerability_report_controller.rb
+++ b/ee/app/controllers/projects/security/vulnerability_report_controller.rb
@@ -3,6 +3,7 @@
 module Projects
  module Security
    class VulnerabilityReportController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      include SecurityDashboardsPermissions
      before_action do

--- a/ee/app/controllers/projects/security/waf_anomalies_controller.rb
+++ b/ee/app/controllers/projects/security/waf_anomalies_controller.rb
@@ -3,6 +3,8 @@
 module Projects
  module Security
    class WafAnomaliesController < Projects::ApplicationController
+      include SecurityAndCompliancePermissions
      POLLING_INTERVAL = 5_000
      before_action :authorize_read_waf_anomalies!

--- a/ee/app/controllers/projects/threat_monitoring_controller.rb
+++ b/ee/app/controllers/projects/threat_monitoring_controller.rb
@@ -2,6 +2,8 @@
 module Projects
  class ThreatMonitoringController < Projects::ApplicationController
+    include SecurityAndCompliancePermissions
    before_action :authorize_read_threat_monitoring!
    before_action do
      push_frontend_feature_flag(:threat_monitoring_alerts, project)

--- a/ee/spec/controllers/projects/dependencies_controller_spec.rb
+++ b/ee/spec/controllers/projects/dependencies_controller_spec.rb
@@ -6,20 +6,23 @@ RSpec.describe Projects::DependenciesController do
  describe 'GET #index' do
    let_it_be(:developer) { create(:user) }
    let_it_be(:guest) { create(:user) }
+    let_it_be(:project) { create(:project, :repository, :private) }
    let(:params) { { namespace_id: project.namespace, project_id: project } }
    before do
+      project.add_developer(developer)
+      project.add_guest(guest)
      sign_in(user)
    end
-    context 'with authorized user' do
+    include_context '"Security & Compliance" permissions' do
-      let_it_be(:project) { create(:project, :repository, :public) }
+      let(:user) { developer }
+      let(:valid_request) { get :index, params: params }
-      before do
+    end
-        project.add_developer(developer)
-        project.add_guest(guest)
-      end
+    context 'with authorized user' do
      context 'when feature is available' do
        before do
          stub_licensed_features(dependency_scanning: true, license_scanning: true, security_dashboard: true)
@@ -138,14 +141,6 @@ RSpec.describe Projects::DependenciesController do
                  expect(json_response['dependencies'].length).to eq(3)
                end
              end
-              context 'without authorized user to see vulnerabilities' do
-                let(:user) { guest }
-                it 'return vulnerable dependencies' do
-                  expect(json_response['dependencies']).to be_empty
-                end
-              end
            end
            context 'with pagination params' do
@@ -247,7 +242,6 @@ RSpec.describe Projects::DependenciesController do
    end
    context 'with unauthorized user' do
-      let(:project) { create(:project, :repository, :private) }
      let(:user) { guest }
      before do

--- a/ee/spec/controllers/projects/licenses_controller_spec.rb
+++ b/ee/spec/controllers/projects/licenses_controller_spec.rb
@@ -13,6 +13,14 @@ RSpec.describe Projects::LicensesController do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get :index, params: params }
+      before_request do
+        project.add_reporter(user)
+      end
+    end
    context 'with authorized user' do
      context 'when feature is available' do
        before do
@@ -347,6 +355,7 @@ RSpec.describe Projects::LicensesController do
  end
  describe "POST #create" do
+    let(:current_user) { create(:user) }
    let(:project) { create(:project, :repository, :private) }
    let(:mit_license) { create(:software_license, :mit) }
    let(:default_params) do
@@ -360,9 +369,16 @@ RSpec.describe Projects::LicensesController do
      }
    end
-    context "when authenticated" do
+    include_context '"Security & Compliance" permissions' do
-      let(:current_user) { create(:user) }
+      let(:valid_request) { post :create, xhr: true, params: default_params }
+      before_request do
+        project.add_reporter(current_user)
+        sign_in(current_user)
+      end
+    end
+    context "when authenticated" do
      before do
        stub_licensed_features(license_scanning: true)
        sign_in(current_user)
@@ -465,6 +481,7 @@ RSpec.describe Projects::LicensesController do
  end
  describe "PATCH #update" do
+    let(:current_user) { create(:user) }
    let(:project) { create(:project, :repository, :private) }
    let(:software_license_policy) { create(:software_license_policy, project: project, software_license: mit_license) }
    let(:mit_license) { create(:software_license, :mit) }
@@ -478,9 +495,16 @@ RSpec.describe Projects::LicensesController do
      }
    end
-    context "when authenticated" do
+    include_context '"Security & Compliance" permissions' do
-      let(:current_user) { create(:user) }
+      let(:valid_request) { post :create, xhr: true, params: default_params }
+      before_request do
+        project.add_reporter(current_user)
+        sign_in(current_user)
+      end
+    end
+    context "when authenticated" do
      before do
        stub_licensed_features(license_scanning: true)
        sign_in(current_user)

--- a/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/api_fuzzing_configuration_controller_spec.rb
@@ -8,14 +8,23 @@ RSpec.describe Projects::Security::ApiFuzzingConfigurationController do
  let_it_be(:developer) { create(:user) }
  let_it_be(:guest) { create(:user) }
+  subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
  before_all do
    group.add_developer(developer)
    group.add_guest(guest)
  end
-  describe 'GET #show' do
+  include_context '"Security & Compliance" permissions' do
-    subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
+    let(:valid_request) { request }
+    before_request do
+      stub_licensed_features(security_dashboard: true)
+      sign_in(developer)
+    end
+  end
+  describe 'GET #show' do
    render_views
    it_behaves_like SecurityDashboardsPermissions do

--- a/ee/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -3,8 +3,14 @@
 require 'spec_helper'
 RSpec.describe Projects::Security::ConfigurationController do
-  let(:group) { create(:group) }
+  let_it_be(:group) { create(:group) }
-  let(:project) { create(:project, :repository, namespace: group) }
+  let_it_be(:user) { create(:user) }
+  let_it_be_with_refind(:project) { create(:project, :repository, namespace: group) }
+  before do
+    stub_licensed_features(security_dashboard: true)
+    group.add_developer(user)
+  end
  describe 'GET #show' do
    using RSpec::Parameterized::TableSyntax
@@ -34,6 +40,10 @@ RSpec.describe Projects::Security::ConfigurationController do
        sign_in(user)
      end
+      include_context '"Security & Compliance" permissions' do
+        let(:valid_request) { request }
+      end
      it 'responds with the correct status' do
        request
@@ -134,7 +144,6 @@ RSpec.describe Projects::Security::ConfigurationController do
    end
    before do
-      stub_licensed_features(security_dashboard: true)
      project.add_maintainer(maintainer)
      project.add_developer(developer)
      sign_in(user)

--- a/ee/spec/controllers/projects/security/dashboard_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/dashboard_controller_spec.rb
@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::DashboardController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }
+  before do
+    group.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+  end
+  include_context '"Security & Compliance" permissions' do
+    let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
+    before_request do
+      sign_in(user)
+    end
+  end
  it_behaves_like SecurityDashboardsPermissions do
    let(:vulnerable) { project }
@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::DashboardController do
    end
  end
-  before do
-    group.add_developer(user)
-    stub_licensed_features(security_dashboard: true)
-  end
  describe 'GET #index' do
    let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }

--- a/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/network_policies_controller_spec.rb
@@ -54,10 +54,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end
  describe 'GET #summary' do
-    subject { get :summary, params: action_params, format: :json }
+    subject(:request) { get :summary, params: action_params, format: :json }
    let_it_be(:kubernetes_namespace) { environment.deployment_namespace }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -160,7 +168,15 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end
  describe 'GET #index' do
-    subject { get :index, params: action_params, format: :json }
+    subject(:request) { get :index, params: action_params, format: :json }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      let(:service) { instance_double('NetworkPolicies::ResourcesService', execute: ServiceResponse.success(payload: [policy])) }
@@ -198,7 +214,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end
  describe 'POST #create' do
-    subject { post :create, params: action_params.merge(manifest: manifest), format: :json }
+    subject(:request) { post :create, params: action_params.merge(manifest: manifest), format: :json }
    let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
    let(:policy) do
@@ -210,6 +226,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
      )
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -240,7 +264,7 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end
  describe 'PUT #update' do
-    subject { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
+    subject(:request) { put :update, params: action_params.merge(id: 'example-policy', manifest: manifest, enabled: enabled), as: :json }
    let(:enabled) { nil }
    let(:service) { instance_double('NetworkPolicies::DeployResourceService', execute: ServiceResponse.success(payload: policy)) }
@@ -253,6 +277,14 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
      )
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      before do
        group.add_developer(user)
@@ -283,10 +315,18 @@ RSpec.describe Projects::Security::NetworkPoliciesController do
  end
  describe 'DELETE #destroy' do
-    subject { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
+    subject(:request) { delete :destroy, params: action_params.merge(id: 'example-policy', manifest: manifest), format: :json }
    let(:service) { instance_double('NetworkPolicies::DeleteResourceService', execute: ServiceResponse.success) }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      before do
        group.add_developer(user)

--- a/ee/spec/controllers/projects/security/sast_configuration_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/sast_configuration_controller_spec.rb
@@ -4,7 +4,7 @@ require 'spec_helper'
 RSpec.describe Projects::Security::SastConfigurationController do
  let_it_be(:group) { create(:group) }
-  let_it_be(:project) { create(:project, namespace: group) }
+  let_it_be(:project) { create(:project, :repository, namespace: group) }
  let_it_be(:developer) { create(:user) }
  let_it_be(:guest) { create(:user) }
@@ -13,11 +13,23 @@ RSpec.describe Projects::Security::SastConfigurationController do
    group.add_guest(guest)
  end
+  before do
+    stub_licensed_features(security_dashboard: true)
+  end
  describe 'GET #show' do
    subject(:request) { get :show, params: { namespace_id: project.namespace, project_id: project } }
    render_views
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        sign_in(developer)
+      end
+    end
    it_behaves_like SecurityDashboardsPermissions do
      let(:vulnerable) { project }
      let(:security_dashboard_action) { request }
@@ -25,8 +37,6 @@ RSpec.describe Projects::Security::SastConfigurationController do
    context 'with authorized user' do
      before do
-        stub_licensed_features(security_dashboard: true)
        sign_in(developer)
      end
@@ -58,8 +68,6 @@ RSpec.describe Projects::Security::SastConfigurationController do
    context 'with unauthorized user' do
      before do
-        stub_licensed_features(security_dashboard: true)
        sign_in(guest)
      end
@@ -72,39 +80,38 @@ RSpec.describe Projects::Security::SastConfigurationController do
  end
  describe 'POST #create' do
-    let_it_be(:project) { create(:project, :repository, namespace: group) }
+    let(:params) do
+      {
+        namespace_id: project.namespace.to_param,
+        project_id: project.to_param,
+        sast_configuration: {
+          secure_analyzers_prefix: 'localhost:5000/analyzers',
+          sast_analyzer_image_tag: '1',
+          sast_excluded_paths: 'docs',
+          stage: 'security',
+          search_max_depth: 11
+        },
+        format: :json
+      }
+    end
-    before do
+    subject(:request) { post :create, params: params, as: :json }
-      stub_licensed_features(security_dashboard: true)
+    before do
      sign_in(developer)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+    end
    context 'with valid params' do
      it 'returns the new merge request url' do
-        params = {
+        request
-          secure_analyzers_prefix: 'localhost:5000/analyzers',
-          sast_analyzer_image_tag: '1',
-          sast_excluded_paths: 'docs',
-          stage: 'security',
-          search_max_depth: 11
-        }
-        create_sast_configuration user: developer, project: project, params: params
        expect(json_response["message"]).to eq("success")
        expect(json_response["filePath"]).to match(/#{Gitlab::Routing.url_helpers.project_new_merge_request_url(project, {})}(.*)description(.*)source_branch/)
      end
    end
  end
-  def create_sast_configuration(user:, project:, params:)
-    post_params = {
-      namespace_id: project.namespace.to_param,
-      project_id: project.to_param,
-      sast_configuration: params,
-      format: :json
-    }
-    post :create, params: post_params, as: :json
-  end
 end
--- a/ee/spec/controllers/projects/security/scanned_resources_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/scanned_resources_controller_spec.rb
@@ -16,13 +16,18 @@ RSpec.describe Projects::Security::ScannedResourcesController do
  end
  describe 'GET index' do
-    let(:subject) { get :index, params: action_params, format: :csv }
    let(:parsed_csv_data) { CSV.parse(subject.body, headers: true) }
+    subject(:request) { get :index, params: action_params, format: :csv }
    before do
      project.add_developer(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+    end
    context 'when DAST security scan is found' do
      before do
        create(:ci_build, :success, name: 'dast_job', pipeline: pipeline, project: project) do |job|

--- a/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities/notes_controller_spec.rb
@@ -9,14 +9,6 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
  let!(:note) { create(:note, noteable: vulnerability, project: project) }
-  it_behaves_like SecurityDashboardsPermissions do
-    let(:vulnerable) { project }
-    let(:security_dashboard_action) do
-      get :index, params: { namespace_id: project.namespace, project_id: project, vulnerability_id: vulnerability }
-    end
-  end
  before do
    stub_licensed_features(security_dashboard: true)
  end
@@ -31,6 +23,15 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { view_all_notes }
+    end
+    it_behaves_like SecurityDashboardsPermissions do
+      let(:vulnerable) { project }
+      let(:security_dashboard_action) { view_all_notes }
+    end
    it 'responds with array of notes' do
      view_all_notes
@@ -63,6 +64,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { create_note }
+    end
    context 'when note is empty' do
      let(:note_params) { { note: '' } }
@@ -156,6 +161,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { update_note }
+    end
    context 'when user is not an author of the note' do
      it 'returns status 404' do
        update_note
@@ -201,6 +210,10 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { delete_note }
+    end
    context 'when user is not an author of the note' do
      it 'does not delete the note' do
        expect { delete_note }.not_to change { Note.count }
@@ -229,6 +242,7 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
  end
  describe 'POST toggle_award_emoji' do
+    let(:emoji_name) { 'thumbsup' }
    let(:request_params) do
      {
        id: note,
@@ -246,7 +260,9 @@ RSpec.describe Projects::Security::Vulnerabilities::NotesController do
      project.add_developer(user)
    end
-    let(:emoji_name) { 'thumbsup' }
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { toggle_award_emoji }
+    end
    it 'creates the award emoji' do
      expect { toggle_award_emoji }.to change { note.award_emoji.count }.by(1)

--- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb
@@ -7,20 +7,22 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }
+  render_views
  before do
    group.add_developer(user)
    stub_licensed_features(security_dashboard: true)
+    sign_in(user)
  end
  describe 'GET #show' do
    let_it_be(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }
    let_it_be(:vulnerability) { create(:vulnerability, project: project) }
-    render_views
+    subject(:show_vulnerability) { get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id } }
-    def show_vulnerability
+    include_context '"Security & Compliance" permissions' do
-      sign_in(user)
+      let(:valid_request) { show_vulnerability }
-      get :show, params: { namespace_id: project.namespace, project_id: project, id: vulnerability.id }
    end
    context "when there's an attached pipeline" do
@@ -58,11 +60,10 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
    let_it_be(:vulnerability) { create(:vulnerability, project: project, author: user) }
    let_it_be(:discussion_note) { create(:discussion_note_on_vulnerability, noteable: vulnerability, project: vulnerability.project) }
-    render_views
+    subject(:show_vulnerability_discussion_list) { get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability } }
-    def show_vulnerability_discussion_list
+    include_context '"Security & Compliance" permissions' do
-      sign_in(user)
+      let(:valid_request) { show_vulnerability_discussion_list }
-      get :discussions, params: { namespace_id: project.namespace, project_id: project, id: vulnerability }
    end
    it 'renders discussions' do
@@ -70,7 +71,6 @@ RSpec.describe Projects::Security::VulnerabilitiesController do
      expect(response).to have_gitlab_http_status(:ok)
      expect(response).to match_response_schema('entities/discussions')
      expect(json_response.pluck('id')).to eq([discussion_note.discussion_id])
    end
  end

--- a/ee/spec/controllers/projects/security/vulnerability_report_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/vulnerability_report_controller_spec.rb
@@ -7,6 +7,19 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
  let_it_be(:project) { create(:project, :repository, :public, namespace: group) }
  let_it_be(:user)    { create(:user) }
+  before do
+    group.add_developer(user)
+    stub_licensed_features(security_dashboard: true)
+  end
+  include_context '"Security & Compliance" permissions' do
+    let(:valid_request) { get :index, params: { namespace_id: project.namespace, project_id: project } }
+    before_request do
+      sign_in(user)
+    end
+  end
  it_behaves_like SecurityDashboardsPermissions do
    let(:vulnerable) { project }
@@ -15,11 +28,6 @@ RSpec.describe Projects::Security::VulnerabilityReportController do
    end
  end
-  before do
-    group.add_developer(user)
-    stub_licensed_features(security_dashboard: true)
-  end
  describe 'GET #index' do
    let(:pipeline) { create(:ci_pipeline, sha: project.commit.id, project: project, user: user) }

--- a/ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb
+++ b/ee/spec/controllers/projects/security/waf_anomalies_controller_spec.rb
@@ -15,7 +15,7 @@ RSpec.describe Projects::Security::WafAnomaliesController do
  let(:es_client) { nil }
  describe 'GET #summary' do
-    subject { get :summary, params: action_params, format: :json }
+    subject(:request) { get :summary, params: action_params, format: :json }
    before do
      stub_licensed_features(threat_monitoring: true)
@@ -28,6 +28,14 @@ RSpec.describe Projects::Security::WafAnomaliesController do
      end
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        group.add_developer(user)
+      end
+    end
    context 'with authorized user' do
      before do
        group.add_developer(user)

--- a/ee/spec/features/projects/audit_events_spec.rb
+++ b/ee/spec/features/projects/audit_events_spec.rb
@@ -42,6 +42,10 @@ RSpec.describe 'Projects > Audit Events', :js do
      allow(LicenseHelper).to receive(:show_promotions?).and_return(true)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
+    end
    it 'returns 200' do
      reqs = inspect_requests do
        visit project_audit_events_path(project)

--- a/ee/spec/features/promotion_spec.rb
+++ b/ee/spec/features/promotion_spec.rb
@@ -266,6 +266,10 @@ RSpec.describe 'Promotions', :js do
      sign_in(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:response) { inspect_requests { visit project_audit_events_path(project) }.first }
+    end
    it 'appears on the page' do
      visit project_audit_events_path(project)

--- a/ee/spec/requests/projects/on_demand_scans_controller_spec.rb
+++ b/ee/spec/requests/projects/on_demand_scans_controller_spec.rb
@@ -9,6 +9,15 @@ RSpec.describe Projects::OnDemandScansController, type: :request do
  let(:user) { create(:user) }
  shared_examples 'on-demand scans page' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+      before_request do
+        project.add_developer(user)
+        login_as(user)
+      end
+    end
    context 'feature available' do
      before do
        stub_licensed_features(security_on_demand_scans: true)

--- a/ee/spec/requests/projects/security/corpus_management_controller_spec.rb
+++ b/ee/spec/requests/projects/security/corpus_management_controller_spec.rb
@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
  let(:user) { create(:user) }
  describe 'GET #show' do
-    context 'feature available' do
+    before do
-      before do
+      stub_licensed_features(coverage_fuzzing: true)
-        stub_licensed_features(coverage_fuzzing: true)
+      login_as(user)
+    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get project_security_configuration_corpus_management_path(project) }
+      before_request do
+        project.add_developer(user)
      end
+    end
+    context 'feature available' do
      context 'user authorized' do
        before do
          project.add_developer(user)
-          login_as(user)
        end
        it 'can access page' do
@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
      context 'user not authorized' do
        before do
          project.add_guest(user)
-          login_as(user)
        end
        it 'sees a 404 error' do
@@ -43,14 +49,13 @@ RSpec.describe Projects::Security::CorpusManagementController, type: :request do
    context 'feature not available' do
      before do
-        project.add_developer(user)
+        stub_licensed_features(coverage_fuzzing: false)
-        login_as(user)
+        project.add_developer(user)
      end
      context 'license doesnt\'t support the feature' do
        it 'sees a 404 error' do
-          stub_licensed_features(coverage_fuzzing: false)
          get project_security_configuration_corpus_management_path(project)
          expect(response).to have_gitlab_http_status(:not_found)

--- a/ee/spec/requests/projects/security/dast_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_profiles_controller_spec.rb
@@ -7,16 +7,24 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
  let(:user) { create(:user) }
  describe 'GET #index' do
-    context 'feature available' do
+    before do
-      before do
+      stub_licensed_features(security_on_demand_scans: true)
-        stub_licensed_features(security_on_demand_scans: true)
+      login_as(user)
+    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get project_security_configuration_dast_profiles_path(project) }
+      before_request do
+        project.add_developer(user)
      end
+    end
+    context 'feature available' do
      context 'user authorized' do
        before do
          project.add_developer(user)
-          login_as(user)
        end
        it 'can access page' do
@@ -29,8 +37,6 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
      context 'user not authorized' do
        before do
          project.add_guest(user)
-          login_as(user)
        end
        it 'sees a 404 error' do
@@ -43,14 +49,12 @@ RSpec.describe Projects::Security::DastProfilesController, type: :request do
    context 'feature not available' do
      before do
+        stub_licensed_features(security_on_demand_scans: false)
        project.add_developer(user)
-        login_as(user)
      end
      context 'license doesnt\'t support the feature' do
        it 'sees a 404 error' do
-          stub_licensed_features(security_on_demand_scans: false)
          get project_security_configuration_dast_profiles_path(project)
          expect(response).to have_gitlab_http_status(:not_found)

--- a/ee/spec/requests/projects/security/dast_scanner_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_scanner_profiles_controller_spec.rb
@@ -24,6 +24,15 @@ RSpec.describe Projects::Security::DastScannerProfilesController, type: :request
  end
  shared_examples 'a GET request' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+      before_request do
+        project.add_developer(user)
+        login_as(user)
+      end
+    end
    context 'feature available' do
      include_context 'on-demand scans feature available'

--- a/ee/spec/requests/projects/security/dast_site_profiles_controller_spec.rb
+++ b/ee/spec/requests/projects/security/dast_site_profiles_controller_spec.rb
@@ -17,6 +17,15 @@ RSpec.describe Projects::Security::DastSiteProfilesController, type: :request do
  end
  shared_examples 'a GET request' do
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { get path }
+      before_request do
+        with_feature_available
+        with_user_authorized
+      end
+    end
    context 'feature available' do
      before do
        with_feature_available

--- a/ee/spec/requests/projects/security/scanned_resources_controller_spec.rb
+++ b/ee/spec/requests/projects/security/scanned_resources_controller_spec.rb
@@ -12,7 +12,7 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
    let_it_be(:pipeline_id) { pipeline.id }
    let(:parsed_csv_data) { CSV.parse(response.body, headers: true) }
-    subject { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }
+    subject(:request) { get project_security_scanned_resources_path(project, :csv, pipeline_id: pipeline_id) }
    before do
      stub_licensed_features(dast: true, security_dashboard: true)
@@ -20,6 +20,14 @@ RSpec.describe Projects::Security::ScannedResourcesController, type: :request do
      login_as(user)
    end
+    include_context '"Security & Compliance" permissions' do
+      let(:valid_request) { request }
+      before_request do
+        project.add_developer(user)
+      end
+    end
    shared_examples 'returns a 404' do
      it 'will return a 404' do
        subject

--- a/ee/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
+++ b/ee/spec/support/shared_contexts/security_and_compliance_permissions_shared_context.rb
+# frozen_string_literal: true
+RSpec.shared_context '"Security & Compliance" permissions' do
+  let(:project_instance) { an_instance_of(Project) }
+  let(:user_instance) { an_instance_of(User) }
+  let(:before_request_defined) { false }
+  let(:valid_request) {}
+  def self.before_request(&block)
+    return unless block
+    let(:before_request_call) { instance_exec(&block) }
+    let(:before_request_defined) { true }
+  end
+  before do
+    allow(Ability).to receive(:allowed?).and_call_original
+    allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(true)
+  end
+  context 'when the "Security & Compliance" feature is disabled' do
+    subject { response }
+    before do
+      before_request_call if before_request_defined
+      allow(Ability).to receive(:allowed?).with(user_instance, :access_security_and_compliance, project_instance).and_return(false)
+      valid_request
+    end
+    it { is_expected.to have_gitlab_http_status(:not_found) }
+  end
+end
--- a/spec/controllers/projects/security/configuration_controller_spec.rb
+++ b/spec/controllers/projects/security/configuration_controller_spec.rb
@@ -7,6 +7,8 @@ RSpec.describe Projects::Security::ConfigurationController do
  let(:user) { create(:user) }
  before do
+    allow(controller).to receive(:ensure_security_and_compliance_enabled!)
    sign_in(user)
  end