
Show policies edit button only when access is available

Merged Bala Kumar requested to merge 400202-security-policies-permission-fe into master

What does this MR do and why?

Shows edit button for security policies only when the logged in user has modify policies access.

Supports the backend changes done in !118511 (merged) for issue #400202 (closed)

Screenshots or screen recordings

Owner user of policy project: Screenshot_2023-05-16_at_9.59.03_PM
Developer who does not have access to policy project (read privilege alone): Screenshot_2023-05-16_at_9.58.43_PM

How to set up and validate locally

  1. Apply the BE changes done in !118511 (merged)
diff --git a/ee/app/finders/security/scan_policy_base_finder.rb b/ee/app/finders/security/scan_policy_base_finder.rb
index 563419ccb98e..1b8cf81a4602 100644
--- a/ee/app/finders/security/scan_policy_base_finder.rb
+++ b/ee/app/finders/security/scan_policy_base_finder.rb
@@ -28,7 +28,7 @@ def policy_configuration
     end

     def authorized_to_read_policy_configuration?(config)
-      Ability.allowed?(actor, :read_security_orchestration_policies, config.security_policy_management_project)
+      Ability.allowed?(actor, :read_security_orchestration_policies, config.source)
     end

     def fetch_policy_configurations
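Review bot: in authorized_to_read_policy_configuration?, the ability is now evaluated against config.source instead of config.security_policy_management_project, so an actor who can read policies on the source passes this check with no access to the policy management project at all. That matches the MR description, but nothing in the method records that the target was chosen deliberately. Add a one-line comment above the method saying read access is intentionally checked on the source, and a finder spec for an actor who has :read_security_orchestration_policies on the source and no access to the management project, so a later refactor cannot silently switch the target back or widen it.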
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 4bb6d7e614e3..4cfdc37b6c38 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -281,7 +281,6 @@ module ProjectPolicy
       end

       rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
-        enable :modify_security_policy
         enable :update_security_orchestration_policy_project
       end

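Review bot: removing enable :modify_security_policy from the owner rule is a permission reduction for existing owners, and the visible lines do not show what replaces it once a policy project is linked. After this hunk the owner rule grants only :update_security_orchestration_policy_project, and the only new grant in this diff requires ~security_policy_project_available. Please add policy specs for an owner with a linked policy project, both with and without commit access to it, so the intended result for :modify_security_policy is pinned down in each case.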
@@ -289,6 +288,10 @@ module ProjectPolicy
         enable :read_security_orchestration_policies
       end

+      rule { security_orchestration_policies_enabled & can?(:owner_access) & ~security_policy_project_available }.policy do
+        enable :modify_security_policy
+      end
+
       rule { security_orchestration_policies_enabled & security_policy_project_available & can_commit_to_security_policy_project }.policy do
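Review bot: the added rule repeats security_orchestration_policies_enabled & can?(:owner_access) from the rule a few lines above and adds ~security_policy_project_available without saying why owners may modify policies only when no policy project exists yet. A short comment on the new rule stating that reason would help the next reader, since the two owner rules now differ by a single negated condition that is easy to drop in a cleanup. It would also be worth a spec asserting that :modify_security_policy is disallowed for an owner once security_policy_project_available is true and the owner cannot commit to the policy project, because that is the case the frontend edit button depends on.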
  2. Create a policy management project for a source project.
  3. On the source project, add a user, say test, with developer access.
  4. Log in separately as the test user and visit the source project. Source project -> Security and Compliance -> Policies
  5. Test user with developer access should be able to view the policies configured without the edit button.
  6. Log in as owner user of the policy project and repeat steps 4 & 5. Owner user should be able to view the edit button.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #400202 (closed)

Edited by Bala Kumar


Activity

  • Bala Kumar added 1 commit


    • 017c0ad9 - Show policy edit button only when access is available

    Compare with previous version

  • Artur Fedorov approved this merge request


  • :wave: @arfedoro, thanks for approving this merge request.

    This is the first time the merge request is approved. To ensure full test coverage, a new pipeline will be started shortly.


  • Artur Fedorov requested review from @aturinske and removed review request for @arfedoro


  • Alexander Turinske approved this merge request


  • Alexander Turinske resolved all threads


  • Alexander Turinske enabled an automatic merge when the pipeline for 55eaf3e9 succeeds


  • mentioned in commit f88e514a

  • added workflowstaging label and removed workflowcanary label
