Commit d8c300c8 authored by Jarka Košanová's avatar Jarka Košanová

Merge branch '299861-compliance-framework-permissions-change' into 'master'

Remove maintainer access to administer compliance frameworks

See merge request gitlab-org/gitlab!53370
parents d018e2ad 08355b76
...@@ -183,6 +183,7 @@ The following table depicts the various user permission levels in a project. ...@@ -183,6 +183,7 @@ The following table depicts the various user permission levels in a project.
| Delete pipelines | | | | | ✓ | | Delete pipelines | | | | | ✓ |
| Delete merge request | | | | | ✓ | | Delete merge request | | | | | ✓ |
| Disable notification emails | | | | | ✓ | | Disable notification emails | | | | | ✓ |
| Administer project compliance frameworks | | | | | ✓ |
| Force push to protected branches (*4*) | | | | | | | Force push to protected branches (*4*) | | | | | |
| Remove protected branches (*4*) | | | | | | | Remove protected branches (*4*) | | | | | |
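Review bot: the new "Administer project compliance frameworks" row has no footnote, yet the docs hunk later in this merge request says custom compliance frameworks sit behind a feature flag that is disabled by default; add a numbered note in the style of the existing (*4*) entries so readers don't expect the capability on an instance where the flag is off. The same label is also used in the group table below, so state here that this row means assigning a framework to the project, not creating framework labels.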
...@@ -293,6 +294,7 @@ group. ...@@ -293,6 +294,7 @@ group.
| View Billing **(FREE SAAS)** | | | | | ✓ (4) | | View Billing **(FREE SAAS)** | | | | | ✓ (4) |
| View Usage Quotas **(FREE SAAS)** | | | | | ✓ (4) | | View Usage Quotas **(FREE SAAS)** | | | | | ✓ (4) |
| Filter members by 2FA status | | | | | ✓ | | Filter members by 2FA status | | | | | ✓ |
| Administer project compliance frameworks | | | | | ✓ |
1. Groups can be set to [allow either Owners or Owners and 1. Groups can be set to [allow either Owners or Owners and
Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup) Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup)
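Review bot: the row label "Administer project compliance frameworks" is identical to the one added to the project table above, so a reader can't tell whether this group-level Owner permission covers creating and updating framework labels for the group (what the compliance_frameworks doc describes) or assigning one to each project. Rename it along the lines of "Administer group compliance frameworks" or add a footnote linking to the group-level docs.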
......
...@@ -46,17 +46,17 @@ Compliance framework labels do not affect your project settings. ...@@ -46,17 +46,17 @@ Compliance framework labels do not affect your project settings.
> - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default. > - It's [deployed behind a feature flag](../../feature_flags.md), disabled by default.
> - It's disabled on GitLab.com. > - It's disabled on GitLab.com.
> - It's not recommended for production use. > - It's not recommended for production use.
> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM ONLY)** > - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-custom-compliance-frameworks). **(PREMIUM)**
WARNING: WARNING:
This feature might not be available to you. Check the **version history** note above for details. This feature might not be available to you. Check the **version history** note above for details.
GitLab 13.8 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label GitLab 13.9 introduces custom compliance frameworks at the group-level. A group owner can create a compliance framework label
and assign it to any number of projects within that group or sub-groups. When this feature is enabled, projects can only and assign it to any number of projects within that group or sub-groups. When this feature is enabled, projects can only
be assigned compliance framework labels that already exist within that group. be assigned compliance framework labels that already exist within that group.
If existing [Compliance frameworks](#compliance-framework) are not sufficient, you can now create If existing [Compliance frameworks](#compliance-framework) are not sufficient, project and group owners
your own. can now create their own.
New compliance framework labels can be created and updated using GraphQL. New compliance framework labels can be created and updated using GraphQL.
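Review bot: "project and group owners can now create their own" conflicts with the paragraph just above it, which says a group owner creates the label and projects can only be assigned labels that already exist in the group; if project owners can only assign, not create, say so. The version bump from 13.8 to 13.9 also has to agree with the version history note the WARNING refers to. Finally, the behaviour this MR actually changes, that maintainers can no longer set a project's compliance framework, is not stated anywhere in this doc hunk; one sentence such as "Only project owners can change a project's compliance framework" would make the permission boundary explicit.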
...@@ -320,7 +320,7 @@ Add the URL of a Jaeger server to allow your users to [easily access the Jaeger ...@@ -320,7 +320,7 @@ Add the URL of a Jaeger server to allow your users to [easily access the Jaeger
[Add Storage credentials](../../../operations/incident_management/status_page.md#sync-incidents-to-the-status-page) [Add Storage credentials](../../../operations/incident_management/status_page.md#sync-incidents-to-the-status-page)
to enable the syncing of public Issues to a [deployed status page](../../../operations/incident_management/status_page.md#create-a-status-page-project). to enable the syncing of public Issues to a [deployed status page](../../../operations/incident_management/status_page.md#create-a-status-page-project).
### Enable or disable custom compliance frameworks **(PREMIUM ONLY)** ### Enable or disable custom compliance frameworks **(PREMIUM)**
Enabling or disabling custom compliance frameworks is under development and not ready for production use. It is Enabling or disabling custom compliance frameworks is under development and not ready for production use. It is
deployed behind a feature flag that is **disabled by default**. deployed behind a feature flag that is **disabled by default**.
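Review bot: dropping "ONLY" from the tier badge widens the statement from self-managed-only to every Premium offering, while the note in the previous hunk still says the feature is disabled on GitLab.com; confirm the new badge is the intended one under the current badge conventions rather than a search-and-replace side effect.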
......
...@@ -401,7 +401,7 @@ module EE ...@@ -401,7 +401,7 @@ module EE
rule { requirements_available & owner }.enable :destroy_requirement rule { requirements_available & owner }.enable :destroy_requirement
rule { compliance_framework_available & can?(:admin_project) }.enable :admin_compliance_framework rule { compliance_framework_available & can?(:owner_access) }.enable :admin_compliance_framework
rule { status_page_available & can?(:owner_access) }.enable :mark_issue_for_publication rule { status_page_available & can?(:owner_access) }.enable :mark_issue_for_publication
rule { status_page_available & can?(:developer_access) }.enable :publish_status_page rule { status_page_available & can?(:developer_access) }.enable :publish_status_page
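Review bot: changing the guard from `can?(:admin_project)` to `can?(:owner_access)` is the actual authorization change, and the rest of the MR depends on it rather than on the view. Two things to confirm: that `owner_access` is satisfied through inherited group ownership for projects inside a group (the controller spec below signs in `project.owner` and the view spec only adds a group maintainer case, so an inherited group owner is never exercised), and that the administrator rows in the ProjectPolicy table still resolve as intended, since `owner_access` and `admin_project` can differ for admins.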
......
- return unless current_user.can?(:admin_compliance_framework, @project) - user_has_edit_permissions = current_user.can?(:admin_compliance_framework, @project)
.row .row
.form-group.col-md-9.gl-mb-6 .form-group.col-md-9.gl-mb-6
- if Feature.enabled?(:ff_custom_compliance_frameworks) - if Feature.enabled?(:ff_custom_compliance_frameworks)
- frameworks = @project.namespace.root_ancestor.compliance_management_frameworks - frameworks = @project.namespace.root_ancestor.compliance_management_frameworks
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf| - if user_has_edit_permissions
= cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold' = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
- if frameworks.any? = cf.label :framework, class: 'gl-font-weight-bold' do
%p.text-secondary= _('Select required regulatory standard') = _('Compliance framework (optional)')
- selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.id - if frameworks.any?
= cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name, fw.id] }, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control' %p.text-secondary= _('Select required regulatory standard.')
- else - selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.id
%p.text-secondary = cf.select :framework, options_for_select(frameworks.map { |fw| [fw.name.truncate(88), fw.id] }, selected_default_framework), { selected: '', prompt: _('Choose your framework'), include_blank: _('None') }, { class: 'form-control', disabled: false }
= _("No compliance frameworks are in use. Create one using the GraphQL API.") - else
%p.form-text.text-muted
= _("No compliance frameworks are in use. Create one using the GraphQL API.")
- else
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
= cf.label :framework, class: 'gl-font-weight-bold' do
= _('Compliance framework')
- if frameworks.any?
- selected_framework = @project.compliance_framework_setting&.compliance_management_framework&.name&.truncate(88) || _('None')
= cf.text_field :framework, value: selected_framework, class: 'form-control read-only', disabled: true
%p.form-text.text-muted
= _("Customizable by owners.")
- else
%p.form-text.text-muted
= _("No compliance frameworks are in use.")
- else - else
= f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf| = f.fields_for :compliance_framework_setting, ComplianceManagement::ComplianceFramework::ProjectSettings.new do |cf|
= cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold' = cf.label :framework, _('Compliance framework (optional)'), class: 'gl-font-weight-bold'
%p.text-secondary= _('Select required regulatory standard') %p.text-secondary= _('Select required regulatory standard.')
- selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.default_framework_definition&.identifier - selected_default_framework = @project.compliance_framework_setting&.compliance_management_framework&.default_framework_definition&.identifier
= cf.select :framework, options_for_select(compliance_framework_options, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control' = cf.select :framework, options_for_select(compliance_framework_options, selected_default_framework), { selected: '', disabled: '', prompt: _('Choose your framework'), include_blank: _('None') }, class: 'form-control'
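Review bot: the trailing `- else` branch (feature flag `ff_custom_compliance_frameworks` off, which the docs say is the default) has lost its permission check: the removed `return unless current_user.can?(:admin_compliance_framework, @project)` guarded both branches, but `user_has_edit_permissions` is only consulted inside the flag-on branch, so a maintainer now sees an editable `cf.select` in the default configuration. Either wrap the fallback branch in the same `- if user_has_edit_permissions` or reinstate the early return when the flag is off. Separately, the read-only branch's `disabled: true` text field is a display affordance only; `compliance_framework_setting_attributes` can still be posted, so the controller and the `admin_compliance_framework` rule must remain the enforcement point. Confirm the controller checks that ability before permitting those params.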
---
title: Disable ability for maintainers to change project compliance framework
merge_request: 53370
author:
type: changed
...@@ -568,12 +568,9 @@ RSpec.describe ProjectsController do ...@@ -568,12 +568,9 @@ RSpec.describe ProjectsController do
stub_licensed_features(compliance_framework: true) stub_licensed_features(compliance_framework: true)
end end
context 'current_user is a project maintainer' do context 'current_user is a project owner' do
let_it_be(:maintainer) { create(:user) }
before do before do
project.add_maintainer(maintainer) sign_in(project.owner)
sign_in(maintainer)
end end
it 'sets the compliance framework' do it 'sets the compliance framework' do
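Review bot: renaming the context from maintainer to owner removes the only controller-level coverage of the maintainer path instead of inverting it. Keep a `context 'current_user is a project maintainer'` that posts the same params and asserts the framework is unchanged; the policy spec proves the rule, but not that the controller refuses the parameter.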
......
...@@ -1545,7 +1545,7 @@ RSpec.describe ProjectPolicy do ...@@ -1545,7 +1545,7 @@ RSpec.describe ProjectPolicy do
:developer | false | nil | false :developer | false | nil | false
:developer | true | nil | false :developer | true | nil | false
:maintainer | false | nil | false :maintainer | false | nil | false
:maintainer | true | nil | true :maintainer | true | nil | false
:owner | false | nil | false :owner | false | nil | false
:owner | true | nil | true :owner | true | nil | true
:admin | false | false | false :admin | false | false | false
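Review bot: the flipped `:maintainer | true | nil | false` row matches the policy change. The visible rows stop at `:admin | false | false | false`; re-check the admin-mode-enabled row in the same table, because the rule now keys on `owner_access` rather than `admin_project` and those can resolve differently for administrators.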
......
...@@ -27,6 +27,40 @@ RSpec.describe 'projects/edit.html.haml' do ...@@ -27,6 +27,40 @@ RSpec.describe 'projects/edit.html.haml' do
expect(rendered).to match /Custom framework 23/ expect(rendered).to match /Custom framework 23/
end end
it 'does not include warning message' do
render
expect(rendered).not_to match /Customizable by owners./
end
it 'contains the dropdown' do
render
expect(rendered).to have_css('select[id=project_compliance_framework_setting_attributes_framework]')
expect(rendered).not_to have_css('select[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
end
context 'user is group maintainer' do
let_it_be(:maintainer) { create(:user) }
before do
group.add_maintainer(maintainer)
allow(view).to receive(:current_user).and_return(maintainer)
end
it 'includes warning message' do
render
expect(rendered).to match /Customizable by owners./
end
it 'disables the dropdown' do
render
expect(rendered).to have_css('input[id=project_compliance_framework_setting_attributes_framework][disabled="disabled"]')
end
end
end end
context 'group has no compliance frameworks' do context 'group has no compliance frameworks' do
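Review bot: `match /Customizable by owners./` leaves the `.` unescaped, so the regex also matches "Customizable by owners!" or any other trailing character; write `/Customizable by owners\./` or use `have_content`. The new `user is group maintainer` context only covers the flag-on path; there is no example for the view's flag-off `- else` branch, which is exactly where a missing permission check would surface, so add a maintainer example with the feature flag disabled asserting that no enabled `select` is rendered.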
......
...@@ -7501,6 +7501,12 @@ msgstr "" ...@@ -7501,6 +7501,12 @@ msgstr ""
msgid "Compliance Dashboard" msgid "Compliance Dashboard"
msgstr "" msgstr ""
msgid "Compliance framework"
msgstr ""
msgid "Compliance framework (optional)"
msgstr ""
msgid "Compliance framework (optional)" msgid "Compliance framework (optional)"
msgstr "" msgstr ""
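Review bot: the added `msgid "Compliance framework (optional)"` sits directly above an existing context entry with the same msgid, which reads as a duplicate message definition that gettext tooling rejects; regenerate gitlab.pot from the updated view and confirm only one entry for that string remains.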
...@@ -8835,6 +8841,9 @@ msgstr "" ...@@ -8835,6 +8841,9 @@ msgstr ""
msgid "Customizable by an administrator." msgid "Customizable by an administrator."
msgstr "" msgstr ""
msgid "Customizable by owners."
msgstr ""
msgid "Customize colors" msgid "Customize colors"
msgstr "" msgstr ""
...@@ -19954,6 +19963,9 @@ msgstr "" ...@@ -19954,6 +19963,9 @@ msgstr ""
msgid "No commits present here" msgid "No commits present here"
msgstr "" msgstr ""
msgid "No compliance frameworks are in use."
msgstr ""
msgid "No compliance frameworks are in use. Create one using the GraphQL API." msgid "No compliance frameworks are in use. Create one using the GraphQL API."
msgstr "" msgstr ""
...@@ -26372,7 +26384,7 @@ msgstr "" ...@@ -26372,7 +26384,7 @@ msgstr ""
msgid "Select projects" msgid "Select projects"
msgstr "" msgstr ""
msgid "Select required regulatory standard" msgid "Select required regulatory standard."
msgstr "" msgstr ""
msgid "Select reviewer(s)" msgid "Select reviewer(s)"
......