Discover Project Security link is not visible in sidebar
Summary
The project sidebar no longer links to the discover project security page when it should. The page can be reached directly via URL, e.g., https://gitlab.com/markrian-test/sast-and-secrets/-/security/discover, but the sidebar link isn't there.
Steps to reproduce
- Visit or create a project on GitLab.com that exists under a group you have admin rights to, and is on any plan except Gold.
- Click Security & Compliance on the sidebar.
- Observe it takes you to Audit Events rather than the discover project security page.
- Point your browser directly to the path for the discover project security page, e.g., https://gitlab.com/your-group/your-project/-/security/discover, and observe that it renders, but has no associated sidebar entry. That it renders proves that the necessary conditions have been met to show it in the sidebar.
Example Project
https://gitlab.com/markrian-test/sast-and-secrets/-/security/discover (I'd need to add you as a group admin for you to replicate this, otherwise you'll just see a 404).
What is the current bug behavior?
There is no sidebar entry for the discover project security page.
What is the expected correct behavior?
There should be a sidebar entry for the discover project security page.
Relevant logs and/or screenshots
Note how there is no active sidebar entry:
There is only an Audit Events child entry in the sidebar:
Output of checks
This bug happens on GitLab.com.
Possible fixes
In the relevant HAML template, the discover project security sidebar link is only rendered if none of the :security, :dependencies, :licenses or :audit_events links are visible.
I imagine that the :audit_events feature was somewhat recently added and is always visible, such that the else branch is never reached.
One possible fix would be to adjust top_level_link(@project) to point to the discover page under the right circumstances.
Implementation plan
- backend: Update EE::ProjectPolicy (ee/app/policies/ee/project_policy.rb) to check if the :audit_events feature is available before granting :read_project_audit_events to users with Developer access.
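The following is an added illustration, not GitLab's own code, of the sidebar logic described under "Possible fixes" and the policy change proposed in the implementation plan. It reduces the template and policy to a handful of boolean checks so the two behaviours can be compared side by side. Everything in it is an assumption for the example: Project and User are constructed stand-ins, paid_security_link_visible? assumes the security, dependencies and licenses links require the Gold plan (as the reproduction steps suggest), and whether the :audit_events feature is available is an explicit flag rather than a claim about which plans include it.

```ruby
# Added illustration (not GitLab's code): a toy model of the sidebar decision
# the issue describes. Entry visibility is reduced to a few boolean checks;
# the real ProjectPolicy and HAML template are far larger than this.

# Constructed stand-ins for a project and a user. Whether the :audit_events
# feature is available is an explicit flag, so the example makes no claim
# about which GitLab plans include it.
Project = Struct.new(:plan, :audit_events_available, keyword_init: true)
User = Struct.new(:role, keyword_init: true)

DEVELOPER_OR_ABOVE = %i[developer maintainer owner].freeze

# Assumption for the example: the :security, :dependencies and :licenses
# links are only available on the Gold plan, as the reproduction steps suggest.
def paid_security_link_visible?(project, user)
  project.plan == :gold && DEVELOPER_OR_ABOVE.include?(user.role)
end

# Behaviour the issue reports: :read_project_audit_events is granted to any
# Developer+ user regardless of feature availability, so the Audit Events
# link is always visible and the discover branch is never reached.
def audit_events_visible_buggy?(project, user)
  DEVELOPER_OR_ABOVE.include?(user.role)
end

# The proposed fix: gate the same permission on the feature being available.
def audit_events_visible_fixed?(project, user)
  project.audit_events_available && DEVELOPER_OR_ABOVE.include?(user.role)
end

# Mirrors the template branching described in "Possible fixes": the discover
# link is the else branch, rendered only when no other child link is visible.
# audit_policy is one of the two methods above, passed as a Method object.
def security_sidebar_entries(project, user, audit_policy)
  entries = []
  entries << :security     if paid_security_link_visible?(project, user)
  entries << :dependencies if paid_security_link_visible?(project, user)
  entries << :licenses     if paid_security_link_visible?(project, user)
  entries << :audit_events if audit_policy.call(project, user)
  entries.empty? ? [:discover] : entries
end

# The top-level "Security & Compliance" item points at the first visible child,
# which is why clicking it lands on Audit Events in the buggy case.
def top_level_link(project, user, audit_policy)
  security_sidebar_entries(project, user, audit_policy).first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a non-Gold project without the audit events feature,
  # viewed by a Developer, which is the situation the reproduction steps describe.
  free_project = Project.new(plan: :free, audit_events_available: false)
  dev = User.new(role: :developer)
  puts "buggy: #{security_sidebar_entries(free_project, dev, method(:audit_events_visible_buggy?)).inspect}"
  puts "fixed: #{security_sidebar_entries(free_project, dev, method(:audit_events_visible_fixed?)).inspect}"
end
```

With the buggy policy the non-Gold project's sidebar holds only Audit Events and the top-level link resolves there; with the policy gated on feature availability the other branches all fall through and the discover entry appears, which is the behaviour the expected-behavior section asks for. A Gold project is unaffected either way because its paid links are visible and the discover branch is correctly skipped.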