Restrict access to instance-level security features for reporters

Changelog: security EE: true

Restrict access to instance-level security features for reporters
Changelog: security EE: true
5deba061 · Mehmet Emin INAC · ab9e2974 · 5deba061 · 5deba061 · 5deba061
Commit 5deba061 authored Jun 28, 2021 by Mehmet Emin INAC
3 changed files
--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -75,6 +75,6 @@ class InstanceSecurityDashboard
  end
  def authorized_access_levels
-    Gitlab::Access.vulnerability_access_levels.values
+    Gitlab::Access.vulnerability_access_levels
  end
 end
--- a/ee/lib/ee/gitlab/access.rb
+++ b/ee/lib/ee/gitlab/access.rb
@@ -16,7 +16,7 @@ module EE
        extend ::Gitlab::Utils::Override
        def vulnerability_access_levels
-          @vulnerability_access_levels ||= options_with_owner.except('Guest')
+          @vulnerability_access_levels ||= sym_options_with_owner.values_at(:developer, :maintainer, :owner).freeze
        end
        def options_with_minimal_access

--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe InstanceSecurityDashboard do
    user.security_dashboard_projects << [project1, project2, project3]
  end
-  subject { described_class.new(user, project_ids: project_ids) }
+  subject(:instance_dashboard) { described_class.new(user, project_ids: project_ids) }
  describe '#all_pipelines' do
    it 'returns pipelines for the projects with security reports' do
@@ -85,50 +85,64 @@ RSpec.describe InstanceSecurityDashboard do
  end
  describe '#projects' do
-    context 'when the user cannot read all resources' do
+    subject { instance_dashboard.projects }
-      context 'when the `security_and_compliance` is enabled for the project' do
+    before do
+      project1.team.truncate
+    end
+    shared_examples_for 'project permissions' do
+      context 'when the `security_and_compliance` is disabled for the project' do
        before do
-          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::DISABLED)
        end
-        it 'returns only projects on their dashboard that they can read' do
+        it { is_expected.to be_empty }
-          expect(subject.projects).to contain_exactly(project1)
-        end
      end
-      context 'when the `security_and_compliance` is disabled for the project' do
+      context 'when the `security_and_compliance` is enabled for the project' do
        before do
-          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
        end
-        it 'returns only projects on their dashboard that they can read' do
+        it { is_expected.to match_array(expected_projects) }
-          expect(subject.projects).to be_empty
-        end
      end
    end
-    context 'when the user can read all resources' do
+    context 'when the user is auditor' do
-      let(:project_ids) { [project1.id, project2.id] }
      let(:user) { create(:auditor) }
-      context 'when the `security_and_compliance` is enabled for the project' do
+      it_behaves_like 'project permissions' do
-        before do
+        let(:expected_projects) { [project1, project2, project3] }
-          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+      end
-        end
+    end
+    context 'when the user is not an auditor' do
+      context 'when the user is project owner' do
+        let(:user) { project1.owner }
-        it "returns all projects on the user's dashboard" do
+        it_behaves_like 'project permissions' do
-          expect(subject.projects).to contain_exactly(project1, project2, project3)
+          let(:expected_projects) { project1 }
        end
      end
-      context 'when the `security_and_compliance` is disabled for the project' do
+      context 'when the user is not project owner' do
-        before do
+        shared_examples_for 'user with project role' do |as:, permitted:|
-          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+          let(:expected_projects) { permitted ? project1 : [] }
-        end
-        it "returns only the feature enabled projects on the user's dashboard" do
+          before do
-          expect(subject.projects).to contain_exactly(project2, project3)
+            project1.add_role(user, as)
+          end
+          it_behaves_like 'project permissions'
        end
+        all_roles = Gitlab::Access.sym_options.keys
+        permitted_roles = %i(developer maintainer).freeze
+        unpermitted_roles = all_roles - permitted_roles
+        permitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: true }
+        unpermitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: false }
      end
    end
  end