Limit changing the security policy project to project owners
Why are we doing this work
We have gotten additional feedback from customers and prospective customers since we completed our first MVC for security policies. As a result, we need to modify the permission requirements for creating, modifying, or deleting the link between the production project and the security policy project.
Currently, anyone with Maintainer or higher permissions on the development project can make these edits. This needs to be changed to only allow project Owners to make these changes.
For reference, the original requirements are here
Relevant links
Non-functional requirements
- Documentation: -
- Feature flag: -
- Performance: -
- Testing:
Implementation plan
- backend: introduce the new permission update_security_orchestration_policy_project in ee/app/policies/ee/project_policy.rb, enabled only when security_orchestration_policies is enabled and the user has owner_access:

    rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
      enable :update_security_orchestration_policy_project
    end

- backend: add an additional check in the assign method in Security::PoliciesController so that a project can only be assigned when the user has permission to :update_security_orchestration_policy_project.
- frontend: disable the dropdown when the user cannot :update_security_orchestration_policy_project (modify the ee/app/views/projects/security/policies/show.html.haml file to check for this permission and disable the dropdown when it is missing).
- frontend: in the policy list, next to the New policy button, show an Edit Policy Project button to project owners.
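The following is an added example, not GitLab's code: a tiny stand-in for the DeclarativePolicy DSL used under ee/app/policies, just enough to run the rule from the plan above and the server-side check in the assign action that depends on it. It keeps the old Maintainer-level rule alongside the new Owner-only rule so the behaviour change is visible, and shows why the backend check (not just the disabled dropdown) is what actually enforces it. The access-level numbers, the User and Project structs, the `policies_licensed` flag, the `PoliciesController` shape and the returned status hashes are all assumptions made for the demo.

```ruby
# Added example, not GitLab's code. Minimal imitation of the DeclarativePolicy
# DSL (rule { condition }.policy { enable :ability }) so the rule from the
# implementation plan can be executed. Access levels and structs are assumed.

ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User    = Struct.new(:name, :access_level)                        # access_level: an ACCESS value
Project = Struct.new(:name, :policies_licensed, :policy_project_id)

class MiniPolicy
  def self.rules
    @rules ||= []
  end

  # condition(:name) { ... } defines a predicate evaluated on the policy instance.
  def self.condition(name, &block)
    define_method(name, &block)
  end

  # rule { cond }.policy { enable :ability } records which abilities a condition grants.
  def self.rule(&condition)
    RuleBuilder.new(self, condition)
  end

  class RuleBuilder
    def initialize(klass, condition)
      @klass = klass
      @condition = condition
    end

    def policy(&block)
      abilities = []
      collector = Object.new
      collector.define_singleton_method(:enable) { |ability| abilities << ability }
      collector.instance_eval(&block)
      @klass.rules << [@condition, abilities]
    end
  end

  def initialize(user, project)
    @user = user
    @project = project
  end

  # An ability is granted when at least one rule enabling it has a true condition.
  def can?(ability)
    self.class.rules.any? do |condition, abilities|
      abilities.include?(ability) && instance_eval(&condition)
    end
  end
end

# Before the change: Maintainer or higher could relink the policy project.
class LegacyProjectPolicy < MiniPolicy
  condition(:security_orchestration_policies_enabled) { @project.policies_licensed }
  condition(:maintainer?) { @user.access_level >= ACCESS[:maintainer] }

  rule { maintainer? }.policy { enable :maintainer_access }
  rule { security_orchestration_policies_enabled & can?(:maintainer_access) }.policy do
    enable :update_security_orchestration_policy_project
  end
end

# After the change: the rule from the implementation plan, gated on :owner_access.
class ProjectPolicy < MiniPolicy
  condition(:security_orchestration_policies_enabled) { @project.policies_licensed }
  condition(:owner?) { @user.access_level >= ACCESS[:owner] }

  rule { owner? }.policy { enable :owner_access }
  rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
    enable :update_security_orchestration_policy_project
  end
end

# Stand-in for the assign action in Security::PoliciesController: the link is
# updated only when the policy grants the ability; otherwise 403 and no change.
class PoliciesController
  def initialize(user, project, policy_class = ProjectPolicy)
    @user = user
    @project = project
    @policy_class = policy_class
  end

  def assign(policy_project_id)
    policy = @policy_class.new(@user, @project)
    return { status: 403 } unless policy.can?(:update_security_orchestration_policy_project)

    @project.policy_project_id = policy_project_id
    { status: 200, policy_project_id: policy_project_id }
  end
end

if __FILE__ == $PROGRAM_NAME
  prod = Project.new("production", true, nil)
  maintainer = User.new("maintainer", ACCESS[:maintainer])
  puts PoliciesController.new(maintainer, prod, LegacyProjectPolicy).assign(7) # old rule: 200
  puts PoliciesController.new(maintainer, prod).assign(8)                      # new rule: 403
end
```

The point worth keeping in mind when reviewing the merge request: hiding or disabling the dropdown in show.html.haml is a usability change, while the `can?` check inside the assign action is the control that stops a Maintainer from relinking the policy project with a crafted request, so both the controller spec and the policy spec should cover the Maintainer-denied and unlicensed-project cases.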
Edited by Alexander Turinske