Commit da34c8ed authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security_299039_restrict_access_for_reporter_and_below' into 'master'

Restrict access to instance-level security features for reporters

See merge request gitlab-org/security/gitlab!1536
parents 9280393e 5deba061
......@@ -71,6 +71,6 @@ class InstanceSecurityDashboard
end
def authorized_access_levels
Gitlab::Access.vulnerability_access_levels.values
Gitlab::Access.vulnerability_access_levels
end
end
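Review bot: `authorized_access_levels` has no comment, and with `.values` dropped it now returns the memoized, frozen array that `Gitlab::Access.vulnerability_access_levels` builds (see the `.freeze` in the EE hunk of this commit) rather than a fresh array, so a caller that appends to or sorts the result in place will now raise FrozenError. A one-line comment would make that contract visible: `# Frozen, shared list of the minimum project access levels allowed to see vulnerability data; do not mutate.` The rest of the InstanceSecurityDashboard class is outside the hunk.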
......@@ -16,7 +16,7 @@ module EE
extend ::Gitlab::Utils::Override
def vulnerability_access_levels
@vulnerability_access_levels ||= options_with_owner.except('Guest')
@vulnerability_access_levels ||= sym_options_with_owner.values_at(:developer, :maintainer, :owner).freeze
end
def options_with_minimal_access
......
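Review bot: `values_at` on the new `vulnerability_access_levels` line returns nil for any symbol missing from `sym_options_with_owner`, so a typo or a renamed role would silently insert nil into the allow-list and be memoized for the life of the process instead of failing; `fetch_values` raises KeyError at first use, which is the safer failure mode for an access-control list: `@vulnerability_access_levels ||= sym_options_with_owner.fetch_values(:developer, :maintainer, :owner).freeze`. The method also deserves a why-comment, since the old form (`options_with_owner.except('Guest')`) made the excluded role explicit and the new one does not: `# Guest and Reporter are deliberately excluded: instance-level vulnerability data starts at Developer.` The `override` declaration, if any, and the rest of the EE module are outside the hunk.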
......@@ -19,7 +19,7 @@ RSpec.describe InstanceSecurityDashboard do
user.security_dashboard_projects << [project1, project2, project3]
end
subject { described_class.new(user, project_ids: project_ids) }
subject(:instance_dashboard) { described_class.new(user, project_ids: project_ids) }
describe '#project_ids_with_security_reports' do
context 'when given project IDs' do
......@@ -79,50 +79,64 @@ RSpec.describe InstanceSecurityDashboard do
end
describe '#projects' do
context 'when the user cannot read all resources' do
context 'when the `security_and_compliance` is enabled for the project' do
subject { instance_dashboard.projects }
before do
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
project1.team.truncate
end
it 'returns only projects on their dashboard that they can read' do
expect(subject.projects).to contain_exactly(project1)
shared_examples_for 'project permissions' do
context 'when the `security_and_compliance` is disabled for the project' do
before do
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::DISABLED)
end
it { is_expected.to be_empty }
end
context 'when the `security_and_compliance` is disabled for the project' do
context 'when the `security_and_compliance` is enabled for the project' do
before do
project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
end
it 'returns only projects on their dashboard that they can read' do
expect(subject.projects).to be_empty
end
it { is_expected.to match_array(expected_projects) }
end
end
context 'when the user can read all resources' do
let(:project_ids) { [project1.id, project2.id] }
context 'when the user is auditor' do
let(:user) { create(:auditor) }
context 'when the `security_and_compliance` is enabled for the project' do
before do
ProjectFeature.update_all(security_and_compliance_access_level: Featurable::ENABLED)
it_behaves_like 'project permissions' do
let(:expected_projects) { [project1, project2, project3] }
end
end
it "returns all projects on the user's dashboard" do
expect(subject.projects).to contain_exactly(project1, project2, project3)
context 'when the user is not an auditor' do
context 'when the user is project owner' do
let(:user) { project1.owner }
it_behaves_like 'project permissions' do
let(:expected_projects) { project1 }
end
end
context 'when the `security_and_compliance` is disabled for the project' do
context 'when the user is not project owner' do
shared_examples_for 'user with project role' do |as:, permitted:|
let(:expected_projects) { permitted ? project1 : [] }
before do
project1.project_feature.update_column(:security_and_compliance_access_level, Featurable::DISABLED)
project1.add_role(user, as)
end
it "returns only the feature enabled projects on the user's dashboard" do
expect(subject.projects).to contain_exactly(project2, project3)
it_behaves_like 'project permissions'
end
all_roles = Gitlab::Access.sym_options.keys
permitted_roles = %i(developer maintainer).freeze
unpermitted_roles = all_roles - permitted_roles
permitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: true }
unpermitted_roles.each { |role| it_behaves_like 'user with project role', as: role, permitted: false }
end
end
end
......
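Review bot: `expected_projects` is passed to `match_array` in the shared example, which expects an array, yet two of the new contexts supply a bare record — `let(:expected_projects) { project1 }` in the owner context and `permitted ? project1 : []` in 'user with project role' — while the auditor context and the denied branch supply arrays. Wrapping them, `let(:expected_projects) { [project1] }` and `let(:expected_projects) { permitted ? [project1] : [] }`, keeps the shared example's contract uniform and avoids depending on how `match_array` coerces a non-array argument. Deriving `unpermitted_roles` from `Gitlab::Access.sym_options.keys` minus the permitted list is the right shape for this spec, since any role added later is asserted as denied until someone explicitly permits it. The enclosing `RSpec.describe` block ends outside the hunk.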