Commit dcbe4826 authored by Mayra Cabrera's avatar Mayra Cabrera

Merge branch 'instance-security-dashboard-permissions' into 'master'

Add instance security dashboard permissions

See merge request gitlab-org/gitlab!17908
parents 06617c42 3d1681e7
# frozen_string_literal: true
module Security
class ApplicationController < ::ApplicationController
before_action :authorize_read_security_dashboard!
before_action do
push_frontend_feature_flag(:security_dashboard)
end
private
def authorize_read_security_dashboard!
render_404 unless Feature.enabled?(:security_dashboard) &&
can?(current_user, :read_security_dashboard)
end
end
end
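Review bot: authorize_read_security_dashboard! combines two gates — the `:security_dashboard` feature flag and the `:read_security_dashboard` ability — but nothing says why the flag lives here rather than in GlobalPolicy, so a reader cannot tell whether other `can?` callers (the nav link helper in the view hunk, for instance) are also meant to respect the flag. A comment above the method would settle it: `# The feature flag is enforced here, not in GlobalPolicy, so can?(user, :read_security_dashboard) elsewhere is licence-gated only.` Since the class-level `before_action` is the only authorization point for every subclass, it is also worth stating that in a class comment so new controllers under Security:: do not assume further checks exist. The choice of render_404 over a 403 looks deliberate (presumably to avoid revealing the dashboard to users who cannot see it) and deserves a word as well.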
# frozen_string_literal: true
module Security
class DashboardController < ::Security::ApplicationController
def show
head :ok
end
end
end
# frozen_string_literal: true
module Security
class ProjectsController < ::Security::ApplicationController
def index
head :ok
end
def create
head :ok
end
def destroy
head :ok
end
end
end
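Review bot: `create` and `destroy` are mutating actions but inherit only the read-level `:read_security_dashboard` check from Security::ApplicationController, and the routes hunk exposes both through `resources :projects, only: [:index, :create, :destroy]`. They are `head :ok` stubs today, which hides the gap: the controller spec asserts `:ok` for any signed-in licensed user, so a later implementation that simply fills in the body will ship with read-only authorization on write endpoints. Mark the intent now, e.g. `# TODO: authorize a write-level ability before this mutates anything; the inherited check only covers viewing.` on both actions, or add an action-scoped `before_action` for the two even while they are stubs. `destroy` also accepts an `id` param it never reads, which the spec passes as `params: { id: 1 }`.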
# frozen_string_literal: true
class SecurityController < ApplicationController
before_action :authorize_read_security_dashboard!
before_action do
push_frontend_feature_flag(:security_dashboard)
end
def authorize_read_security_dashboard!
render_404 unless Feature.enabled?(:security_dashboard) &&
can?(current_user, :read_security_dashboard)
end
end
...@@ -9,7 +9,13 @@ module EE ...@@ -9,7 +9,13 @@ module EE
License.feature_available?(:operations_dashboard) License.feature_available?(:operations_dashboard)
end end
condition(:security_dashboard_available) do
License.feature_available?(:security_dashboard)
end
rule { operations_dashboard_available }.enable :read_operations_dashboard rule { operations_dashboard_available }.enable :read_operations_dashboard
rule { ~anonymous & security_dashboard_available }.enable :read_security_dashboard
rule { admin }.policy do rule { admin }.policy do
enable :read_licenses enable :read_licenses
enable :destroy_licenses enable :destroy_licenses
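Review bot: `rule { ~anonymous & security_dashboard_available }.enable :read_security_dashboard` grants the ability on licence and authentication alone, whereas Security::ApplicationController additionally requires `Feature.enabled?(:security_dashboard)`; any other `can?` caller — presumably `dashboard_nav_link?(:security)` in the view hunk — will therefore answer yes with the flag off. If that split is intended, document it on the rule: `# Licence and sign-in only; the :security_dashboard feature flag is enforced by Security::ApplicationController.` If not, fold the flag into the condition so the policy is the single source of truth. The sibling `security_dashboard_available` condition could carry a one-line note that it reads the instance licence, not any project setting, since the same name is used for project-level checks elsewhere (inferred from the naming, not visible here).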
...@@ -5,5 +5,5 @@ ...@@ -5,5 +5,5 @@
= link_to operations_path, class: 'dropdown-item' do = link_to operations_path, class: 'dropdown-item' do
= _('Operations') = _('Operations')
- if dashboard_nav_link?(:security) - if dashboard_nav_link?(:security)
= link_to security_path, class: 'dropdown-item' do = link_to security_root_path, class: 'dropdown-item' do
= _('Security') = _('Security')
# frozen_string_literal: true # frozen_string_literal: true
get 'security' => 'security#index' namespace :security do
root to: 'dashboard#show'
resources :projects, only: [:index, :create, :destroy]
end
# frozen_string_literal: true
require 'spec_helper'
describe Security::DashboardController do
describe 'GET #show' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
get :show
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
describe Security::ProjectsController do
describe 'GET #index' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
get :index
end
end
end
describe 'POST #create' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
post :create
end
end
end
describe 'DELETE #destroy' do
it_behaves_like Security::ApplicationController do
let(:security_application_controller_child_action) do
delete :destroy, params: { id: 1 }
end
end
end
end
...@@ -55,4 +55,30 @@ describe GlobalPolicy do ...@@ -55,4 +55,30 @@ describe GlobalPolicy do
describe 'view_productivity_analytics' do describe 'view_productivity_analytics' do
include_examples 'analytics policy', :view_productivity_analytics include_examples 'analytics policy', :view_productivity_analytics
end end
describe 'read_security_dashboard' do
context 'when the instance has an Ultimate license' do
before do
stub_licensed_features(security_dashboard: true)
end
context 'and the user is not logged in' do
let(:current_user) { nil }
it { is_expected.not_to be_allowed(:read_security_dashboard) }
end
context 'and the user is logged in' do
it { is_expected.to be_allowed(:read_security_dashboard) }
end
end
context 'when the instance does not have an Ultimate license' do
before do
stub_licensed_features(security_dashboard: false)
end
it { is_expected.not_to be_allowed(:read_security_dashboard) }
end
end
end end
# frozen_string_literal: true
require 'spec_helper'
shared_examples Security::ApplicationController do
context 'when the user is authenticated' do
let(:security_application_controller_user) { create(:user) }
before do
stub_licensed_features(security_dashboard: true)
sign_in(security_application_controller_user)
end
it 'responds with success' do
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:ok)
end
context 'and the instance does not have an Ultimate license' do
it '404s' do
stub_licensed_features(security_dashboard: false)
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:not_found)
end
end
context 'and the security dashboard feature is disabled' do
it '404s' do
stub_feature_flags(security_dashboard: false)
security_application_controller_child_action
expect(response).to have_gitlab_http_status(:not_found)
end
end
end
context 'when the user is not authenticated' do
it 'redirects the user to the sign in page' do
security_application_controller_child_action
expect(response).to redirect_to(new_user_session_path)
end
end
end
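Review bot: These shared examples silently require the including spec to define `let(:security_application_controller_child_action)`, and a spec that forgets it fails with a NameError inside the example rather than with a clear message. Add a header comment: `# Shared examples for Security::ApplicationController subclasses; the including spec must define let(:security_application_controller_child_action) that performs the request under test.` The 'when the user is not authenticated' context pins a redirect that comes from the base ::ApplicationController's authentication (inferred — authorize_read_security_dashboard! would render 404, not redirect), so a comment there stating that it covers inherited behaviour would stop someone "fixing" it to expect 404. The two '404s' examples stub state after `sign_in` inside the example body, which is fine but differs from the `before` block style used above; moving the stubs into nested `before` blocks would make the four cases read uniformly.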