Remove `admin_vulnerability` from developer role

Currently, developers can read vulnerabilities (read_vulnerability and read_security_resource) and change their status (admin_vulnerability). For custom roles, the requirement of a customer is that developers can read vulnerabilities but not edit them (= change their status).

From a technical perspective, anyone who can read_security_resource can also admin_vulnerability. This could be solved by adding a condition such as `read_security_resource & maintainer` enabling admin_vulnerability, but we need to solve the possible breaking-change problem for existing roles that currently rely on the looser rule.

Right now there is no possibility to remove permissions for a custom role, only to add them. There is no plan to implement this in the near future.
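The rule change discussed above, as an added illustration that is not GitLab's code (GitLab uses its DeclarativePolicy DSL; this is a plain-Ruby model of the same logic). The access-level values, the custom-role layering and the flag's exact effect are assumptions made for the example:

```ruby
require 'set'

# Assumed access-level values (GitLab's real constants live in Gitlab::Access).
GUEST      = 10
DEVELOPER  = 30
MAINTAINER = 40

# Abilities held by a group member, given their base access level, any
# custom-role permissions layered on top, and whether the
# disable_developer_access_to_admin_vulnerability flag is on for the group.
def abilities(access_level:, custom_permissions: [], flag_enabled: false)
  granted = Set.new

  # Default roles: Developer and above can read vulnerabilities.
  if access_level >= DEVELOPER
    granted << :read_vulnerability
    granted << :read_security_resource
  end

  # Custom role (assumed shape): read_vulnerability grants the same read
  # abilities to a member whose base role is lower, e.g. Guest.
  if custom_permissions.include?(:read_vulnerability)
    granted << :read_vulnerability
    granted << :read_security_resource
  end

  # Current rule: read_security_resource alone enables admin_vulnerability,
  # so anyone who can read can also change status.
  # Proposed rule (behind the flag): additionally require Maintainer, i.e.
  # the "read_security_resource & maintainer" condition from the issue.
  if granted.include?(:read_security_resource) &&
     (!flag_enabled || access_level >= MAINTAINER)
    granted << :admin_vulnerability
  end

  granted
end

def can?(ability, **member)
  abilities(**member).include?(ability)
end

if __FILE__ == $PROGRAM_NAME
  dev = { access_level: DEVELOPER, flag_enabled: true }
  puts "developer (flag on): read=#{can?(:read_vulnerability, **dev)} " \
       "admin=#{can?(:admin_vulnerability, **dev)}"
end
```

Running the same checks with `flag_enabled: false` shows the breaking-change concern: a custom role that only grants read_vulnerability still ends up with admin_vulnerability under the current rule.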

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.

Implementation Plan

Verification Steps

  1. Enable the disable_developer_access_to_admin_vulnerability feature flag on a Group actor.
  2. Log in with an account that has Developer access to the group.
  3. View the following pages to ensure that the logged-in user cannot change the Vulnerability status:
Edited by mo khan