Remove `admin_vulnerability` from developer role
Currently, developers can read vulnerabilities (`read_vulnerability` and `read_security_resource`) and change their status (`admin_vulnerability`).
For custom roles, a customer requires that developers can read vulnerabilities but not edit them (i.e. change their status).
From a technical perspective, anyone who can `read_security_resource` can also `admin_vulnerability`. This can be solved by adding a condition such as `read_security_resource & maintainer` enabling `admin_vulnerability`, but we then need to address the possible breaking change: any Developer who relies on changing vulnerability status today would lose that ability.
Right now there is no possibility to remove permissions for a custom role, only to add them. There is no plan to implement this in the near future.
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.
Implementation Plan
- Remove `:create_vulnerability_feedback` from Developer role. !136121 (merged)
- Remove `:destroy_vulnerability_feedback` from Developer role. !136121 (merged)
- Remove `:update_vulnerability_feedback` from Developer role. !136121 (merged)
- Create feature flag to disable developer access.
- Do not enable `:admin_vulnerability` for Developer role when feature flag is enabled.
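To make the proposed rule (`read_security_resource & maintainer` enables `admin_vulnerability`) and the feature-flag gating from the implementation plan concrete, here is an added example that is not GitLab's own DeclarativePolicy code: a small self-contained role/ability resolver that models both the legacy rule and the flagged rule, so the effect on every role (the "breaking change" question) can be checked in isolation. The ability names are the ones used in this issue; the role levels, the rule structure and the `flag_enabled:` keyword are assumptions of this model.

```ruby
# Added example, not GitLab code: a minimal role/ability resolver that models the
# permission change discussed in this issue. Ability names match the issue; the
# role levels, rule structure and feature-flag gate are assumptions of the model.

# Assumed role hierarchy (higher level implies all lower roles' access).
ROLE_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# A rule grants `ability` when every ability in `requires_abilities` is already
# granted and the actor's role is at least `min_role` (nil = no role condition).
Rule = Struct.new(:ability, :requires_abilities, :min_role)

def policy_rules(flag_enabled:)
  rules = [
    # The issue states developers currently hold these two read abilities;
    # granting them from Developer upwards is an assumption of this model.
    Rule.new(:read_vulnerability,     [], :developer),
    Rule.new(:read_security_resource, [], :developer)
  ]
  admin_rule =
    if flag_enabled
      # Flag on: read_security_resource & maintainer enables admin_vulnerability.
      Rule.new(:admin_vulnerability, [:read_security_resource], :maintainer)
    else
      # Legacy: anyone who can read_security_resource can admin_vulnerability.
      Rule.new(:admin_vulnerability, [:read_security_resource], nil)
    end
  rules << admin_rule
end

# Resolve the abilities a role ends up with under the given flag state.
def abilities_for(role, flag_enabled:)
  level = ROLE_LEVELS.fetch(role)
  granted = []
  # Rules are evaluated in order so a rule may depend on earlier grants.
  policy_rules(flag_enabled: flag_enabled).each do |rule|
    next if rule.min_role && level < ROLE_LEVELS.fetch(rule.min_role)
    next unless (rule.requires_abilities - granted).empty?
    granted << rule.ability
  end
  granted
end

def allowed?(role, ability, flag_enabled:)
  abilities_for(role, flag_enabled: flag_enabled).include?(ability)
end

# Which roles lose which abilities when the flag is turned on? This is the
# "possible breaking change" to evaluate before removing the permission globally.
def breaking_changes
  ROLE_LEVELS.keys.each_with_object({}) do |role, lost|
    before = abilities_for(role, flag_enabled: false)
    after  = abilities_for(role, flag_enabled: true)
    diff = before - after
    lost[role] = diff unless diff.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |flag|
    puts "disable_developer_access_to_admin_vulnerability=#{flag}"
    ROLE_LEVELS.each_key do |role|
      puts "  #{role}: #{abilities_for(role, flag_enabled: flag).join(', ')}"
    end
  end
  puts "Abilities lost when the flag is enabled: #{breaking_changes.inspect}"
end
```

Running the script prints the ability set per role for both flag states and then the diff; in this model only the Developer role loses `admin_vulnerability`, while read access is untouched, which is exactly the outcome the verification steps below check in the UI.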
Verification Steps
- Enable the `disable_developer_access_to_admin_vulnerability` feature flag on a Group actor.
- Log in with an account that has Developer access to the group.
- View the following pages to ensure that the logged-in user cannot change the Vulnerability status:
  - Pipeline Security Tab
  - Instance Level Vulnerability Report
  - Group Level Vulnerability Report
  - Project Level Vulnerability Report
  - Merge Request Security Widget