Commit da34c8ed authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security_299039_restrict_access_for_reporter_and_below' into 'master'

Restrict access to instance-level security features for reporters

See merge request gitlab-org/security/gitlab!1536
parents 9280393e 5deba061
...@@ -71,6 +71,6 @@ class InstanceSecurityDashboard ...@@ -71,6 +71,6 @@ class InstanceSecurityDashboard
end end
def authorized_access_levels def authorized_access_levels
Gitlab::Access.vulnerability_access_levels.values Gitlab::Access.vulnerability_access_levels
end end
end end
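Review bot: `authorized_access_levels` now hands back the helper's result unchanged, so it silently depends on `Gitlab::Access.vulnerability_access_levels` returning a flat array of access-level integers rather than the name-to-level hash it returned before the second hunk's change, and nothing in this file records that contract. A doc comment above the method would pin it for the next reader: `# @return [Array<Integer>] access levels (developer and above) permitted to read vulnerability data`. The enclosing `InstanceSecurityDashboard` class begins outside the hunk.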
...@@ -16,7 +16,7 @@ module EE ...@@ -16,7 +16,7 @@ module EE
extend ::Gitlab::Utils::Override extend ::Gitlab::Utils::Override
def vulnerability_access_levels def vulnerability_access_levels
@vulnerability_access_levels ||= options_with_owner.except('Guest') @vulnerability_access_levels ||= sym_options_with_owner.values_at(:developer, :maintainer, :owner).freeze
end end
def options_with_minimal_access def options_with_minimal_access
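Review bot: The new body replaces a blocklist (`options_with_owner.except('Guest')`, which still let Reporter through) with an explicit allowlist of `:developer, :maintainer, :owner`, which is the safer shape because a role added to `sym_options_with_owner` later gains no vulnerability read access by default, but the method carries no comment saying that this is deliberate and the next "simplification" could reintroduce the blocklist. I would add above the `def`: `# Explicit allowlist: roles below developer (guest, reporter, minimal access) must not read vulnerability data; add new roles here deliberately.` The return type also changed from a Hash to a frozen, memoized Array, so the comment should name it (`# @return [Array<Integer>]`). Since `values_at` silently yields `nil` for a missing key, a spec asserting the exact result against `Gitlab::Access::DEVELOPER`, `Gitlab::Access::MAINTAINER` and `Gitlab::Access::OWNER` would catch a future key rename; the enclosing `module EE` starts outside the hunk.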
...@@ -19,7 +19,7 @@ RSpec.describe InstanceSecurityDashboard do ...@@ -19,7 +19,7 @@ RSpec.describe InstanceSecurityDashboard do
user.security_dashboard_projects << [project1, project2, project3] user.security_dashboard_projects << [project1, project2, project3]
end end
subject { described_class.new(user, project_ids: project_ids) } subject(:instance_dashboard) { described_class.new(user, project_ids: project_ids) }
describe '#project_ids_with_security_reports' do describe '#project_ids_with_security_reports' do
context 'when given project IDs' do context 'when given project IDs' do
...@@ -79,50 +79,64 @@ RSpec.describe InstanceSecurityDashboard do ...@@ -79,50 +79,64 @@ RSpec.describe InstanceSecurityDashboard do
end end
describe '#projects' do describe '#projects' do
context 'when the user cannot read all resources' do subject { instance_dashboard.projects }
context 'when the `security_and_compliance` is enabled for the project' do
before do
project1.team.truncate
end
shared_examples_for 'project permissions' do
context 'when the `security_and_compliance` is disabled for the project' do
before do before do
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED) ProjectFeature.update_all(security_and_compliance_access_level: Featurable::DISABLED)
end end
it 'returns only projects on their dashboard that they can read' do it { is_expected.to be_empty }
expect(subject.projects).to contain_exactly(project1)
end
end end
context 'when the `security_and_compliance` is disabled for the project' do context 'when the `security_and_compliance` is enabled for the project' do
before do before do
project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED) ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
end end
it 'returns only projects on their dashboard that they can read' do it { is_expected.to match_array(expected_projects) }
expect(subject.projects).to be_empty
end
end end
end end
context 'when the user can read all resources' do context 'when the user is auditor' do
let(:project_ids) { [project1.id, project2.id] }
let(:user) { create(:auditor) } let(:user) { create(:auditor) }
context 'when the `security_and_compliance` is enabled for the project' do it_behaves_like 'project permissions' do
before do let(:expected_projects) { [project1, project2, project3] }
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED) end
end end
context 'when the user is not an auditor' do
context 'when the user is project owner' do
let(:user) { project1.owner }
it "returns all projects on the user's dashboard" do it_behaves_like 'project permissions' do
expect(subject.projects).to contain_exactly(project1, project2, project3) let(:expected_projects) { project1 }
end end
end end
context 'when the `security_and_compliance` is disabled for the project' do context 'when the user is not project owner' do
before do shared_examples_for 'user with project role' do |as:, permitted:|
project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED) let(:expected_projects) { permitted ? project1 : [] }
end
it "returns only the feature enabled projects on the user's dashboard" do before do
expect(subject.projects).to contain_exactly(project2, project3) project1.add_role(user, as)
end
it_behaves_like 'project permissions'
end end
all_roles = Gitlab::Access.sym_options.keys
permitted_roles = %i(developer maintainer).freeze
unpermitted_roles = all_roles - permitted_roles
permitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: true }
unpermitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: false }
end end
end end
end end
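Review bot: `let(:expected_projects) { project1 }` in the project-owner context and `permitted ? project1 : []` in the shared example feed a bare record into `match_array`, which expects an array; RSpec tolerates this by splatting the object, but next to `[project1, project2, project3]` the inconsistent shape reads as an oversight, so use `[project1]` in both places. The role coverage is derived from `Gitlab::Access.sym_options.keys`; if that list does not include the minimal-access level that `options_with_minimal_access` in the second hunk suggests exists, the restriction for that level is not exercised here and it should be added to the unpermitted set explicitly. The `describe '#projects'` block sits inside an `RSpec.describe` that begins outside the hunk.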