Agents and Cluster Image Scanning vulnerabilities require different privileges to view
Summary
Currently, there is a disparity between the permission levels for vulnerabilities and Clusters::Agents in GraphQL.
- Agent data requires :admin_cluster to be viewed
  - :admin_cluster requires Maintainer access on the project
- Vulnerability data requires :read_security_resource to be viewed
  - :read_security_resource requires Developer access on the project
This leads to a situation where users cannot see the location data for Cluster Image Scanning vulnerabilities unless they are Maintainers, but they can see the other vulnerability data.
Proposal
- Change all the Cluster queries to require :read_cluster permission rather than :admin_cluster permission
- All the Cluster mutations should continue to require :admin_cluster permission
- Move :read_cluster from :maintainer_access to :developer_access
Implementation Plan
diff --git a/app/graphql/types/clusters/agent_type.rb b/app/graphql/types/clusters/agent_type.rb
--- a/app/graphql/types/clusters/agent_type.rb
+++ b/app/graphql/types/clusters/agent_type.rb
@@ -5,7 +5,7 @@ module Clusters
class AgentType < BaseObject
graphql_name 'ClusterAgent'
- authorize :admin_cluster
+ authorize :read_cluster
connection_type_class(Types::CountableConnectionType)
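Review bot: The type-level `authorize :read_cluster` on AgentType lowers the requirement for every field of ClusterAgent at once, not only the fields needed to show a vulnerability's location. The field definitions are outside this hunk, so before merging, walk each field on the type and keep a field-level authorization at :admin_cluster on anything that exposes credentials or configuration a Developer should not read. A request spec that queries ClusterAgent as a Developer and as a Reporter would pin the new boundary.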
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -356,6 +356,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
rule { can?(:developer_access) }.policy do
+ enable :read_cluster
enable :create_package
enable :admin_issue_board
enable :admin_merge_request
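Review bot: Adding `enable :read_cluster` to the `can?(:developer_access)` block widens the ability for every caller that checks :read_cluster on a project, not just the GraphQL agent type changed above. List the other places that check this ability (controllers, finders, REST endpoints) and confirm each is acceptable for Developers, then add policy specs asserting that a Developer is allowed and a Reporter is still denied. The user-facing permissions documentation also needs the role change recorded.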
@@ -427,7 +428,6 @@ class ProjectPolicy < BasePolicy
enable :read_pages
enable :update_pages
enable :remove_pages
- enable :read_cluster
enable :add_cluster
enable :create_cluster
enable :update_cluster
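Review bot: Removing `enable :read_cluster` here is only safe if the role this block belongs to also satisfies `can?(:developer_access)`; the enclosing rule is not visible in the hunk, so add a policy spec asserting that a Maintainer still has :read_cluster after the move. The neighbouring `:add_cluster`, `:create_cluster` and `:update_cluster` lines correctly stay in place, which matches the proposal that write operations keep their current requirement. The patch touches only ProjectPolicy, so check whether any other policy that grants :read_cluster needs the same change to avoid leaving the disparity elsewhere.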
Edited by Dominic Bauer