Use distinct URLs for issue and dismissal feedback endpoints on the group security dashboard API
Problem to solve
Currently, we test on the frontend if a user can create an issue or dismiss a vulnerability by checking the vulnerability.vulnerability_feedback_url param. If it exists, then they can create an issue or dismiss a vulnerability. If it doesn't exist, they cannot.
On the surface, this seemed fine, but @leipert pointed out that we may run into a case where the user has permission to dismiss a vulnerability, but the project that the vulnerability belongs to has issues turned off.
This would create a situation where the user can dismiss a vulnerability but not create an issue. Since the frontend only checks for the vulnerability feedback URL, the create issue buttons would appear but would error when the user tried to create an issue.
Proposal
Add explicit flags to the data the API returns. This will both improve the reliability of the data and make a lot more sense when reading the frontend code.
can_create_issue and can_dismiss_vulnerabilty
Split the vulnerability_feedback_url property into two:
vulnerability_feedback_issue_path
vulnerability_feedback_dismissal_path
and set an appropriate condition on exposing each of these URLs.
What does success look like, and how can we measure that?
The URL for each feedback type is only exposed when the user can effectively create that kind of feedback and its associated objects.
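The single-URL check and the split-path exposure side by side, sketched in Ruby as an added example (not GitLab's own code). The permission names :manage_feedback and :create_issue, the issues_enabled field and the path layout are assumptions made for the sketch.

```ruby
# Added illustration, not GitLab's serializer. The Struct fields, the ability
# names and the path layout are hypothetical.
Project = Struct.new(:full_path, :issues_enabled, keyword_init: true)
User = Struct.new(:name, :abilities, keyword_init: true) do
  def can?(ability, project)
    abilities.fetch(project.full_path, []).include?(ability)
  end
end

# Before: one URL stands in for both actions, so the frontend cannot tell
# "may dismiss" apart from "may create an issue".
def serialize_before(user, project)
  data = {}
  if user.can?(:manage_feedback, project)
    data[:vulnerability_feedback_url] = "/#{project.full_path}/vulnerability_feedback"
  end
  data
end

# After: each path is exposed only when that feedback type, and the object it
# creates, is actually available to this user on this project.
def serialize_after(user, project)
  data = {}
  return data unless user.can?(:manage_feedback, project)

  base = "/#{project.full_path}/vulnerability_feedback"
  data[:vulnerability_feedback_dismissal_path] = base
  if project.issues_enabled && user.can?(:create_issue, project)
    data[:vulnerability_feedback_issue_path] = base
  end
  data
end

# What the frontend check reduces to: a button is shown only if its key exists.
def visible_buttons(data)
  legacy = data.key?(:vulnerability_feedback_url)
  buttons = []
  buttons << :dismiss if legacy || data.key?(:vulnerability_feedback_dismissal_path)
  buttons << :create_issue if legacy || data.key?(:vulnerability_feedback_issue_path)
  buttons
end

# Constructed sample: the user may give feedback, but the project has issues off.
PROJECT = Project.new(full_path: "group/app", issues_enabled: false)
USER = User.new(name: "dev", abilities: { "group/app" => [:manage_feedback, :create_issue] })
```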
Links / references
https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/7910#note_111805069