Merge branch 'security_299039_restrict_access_for_reporter_and_below' into 'master'

Restrict access to instance-level security features for reporters See merge request gitlab-org/security/gitlab!1536

Merge branch 'security_299039_restrict_access_for_reporter_and_below' into 'master'
Restrict access to instance-level security features for reporters See merge request gitlab-org/security/gitlab!1536
da34c8ed · GitLab Release Tools Bot · 9280393e · 5deba061 · da34c8ed · da34c8ed
Commit da34c8ed authored Jul 29, 2021 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/models/instance_security_dashboard.rb
+++ b/ee/app/models/instance_security_dashboard.rb
@@ -71,6 +71,6 @@ class InstanceSecurityDashboard
  end
  def authorized_access_levels
-    Gitlab::Access.vulnerability_access_levels.values
+    Gitlab::Access.vulnerability_access_levels
  end
 end
--- a/ee/lib/ee/gitlab/access.rb
+++ b/ee/lib/ee/gitlab/access.rb
@@ -16,7 +16,7 @@ module EE
        extend ::Gitlab::Utils::Override
        def vulnerability_access_levels
-          @vulnerability_access_levels ||= options_with_owner.except('Guest')
+          @vulnerability_access_levels ||= sym_options_with_owner.values_at(:developer, :maintainer, :owner).freeze
        end
        def options_with_minimal_access

--- a/ee/spec/models/instance_security_dashboard_spec.rb
+++ b/ee/spec/models/instance_security_dashboard_spec.rb
@@ -19,7 +19,7 @@ RSpec.describe InstanceSecurityDashboard do
    user.security_dashboard_projects << [project1, project2, project3]
  end
-  subject { described_class.new(user, project_ids: project_ids) }
+  subject(:instance_dashboard) { described_class.new(user, project_ids: project_ids) }
  describe '#project_ids_with_security_reports' do
    context 'when given project IDs' do
@@ -79,50 +79,64 @@ RSpec.describe InstanceSecurityDashboard do
  end
  describe '#projects' do
-    context 'when the user cannot read all resources' do
+    subject { instance_dashboard.projects }
-      context 'when the `security_and_compliance` is enabled for the project' do
    before do
-          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+      project1.team.truncate
    end
-        it 'returns only projects on their dashboard that they can read' do
+    shared_examples_for 'project permissions' do
-          expect(subject.projects).to contain_exactly(project1)
+      context 'when the `security_and_compliance` is disabled for the project' do
+        before do
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::DISABLED)
        end
+        it { is_expected.to be_empty }
      end
-      context 'when the `security_and_compliance` is disabled for the project' do
+      context 'when the `security_and_compliance` is enabled for the project' do
        before do
-          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
        end
-        it 'returns only projects on their dashboard that they can read' do
+        it { is_expected.to match_array(expected_projects) }
-          expect(subject.projects).to be_empty
-        end
      end
    end
-    context 'when the user can read all resources' do
+    context 'when the user is auditor' do
-      let(:project_ids) { [project1.id, project2.id] }
      let(:user) { create(:auditor) }
-      context 'when the `security_and_compliance` is enabled for the project' do
+      it_behaves_like 'project permissions' do
-        before do
+        let(:expected_projects) { [project1, project2, project3] }
-          ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
+      end
    end
-        it "returns all projects on the user's dashboard" do
+    context 'when the user is not an auditor' do
-          expect(subject.projects).to contain_exactly(project1, project2, project3)
+      context 'when the user is project owner' do
+        let(:user) { project1.owner }
+        it_behaves_like 'project permissions' do
+          let(:expected_projects) { project1 }
        end
      end
-      context 'when the `security_and_compliance` is disabled for the project' do
+      context 'when the user is not project owner' do
+        shared_examples_for 'user with project role' do |as:, permitted:|
+          let(:expected_projects) { permitted ? project1 : [] }
          before do
-          project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
+            project1.add_role(user, as)
          end
-        it "returns only the feature enabled projects on the user's dashboard" do
+          it_behaves_like 'project permissions'
-          expect(subject.projects).to contain_exactly(project2, project3)
        end
+        all_roles = Gitlab::Access.sym_options.keys
+        permitted_roles = %i(developer maintainer).freeze
+        unpermitted_roles = all_roles - permitted_roles
+        permitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: true }
+        unpermitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: false }
      end
    end
  end