
Show policies edit button only when access is available

Bala Kumar requested to merge 400202-security-policies-permission-fe into master

What does this MR do and why?

Shows the edit button for security policies only when the logged-in user has modify-policies access.

Supports the backend changes done in !118511 (merged) for issue #400202 (closed)

Screenshots or screen recordings

[Screenshots: owner user of the policy project; developer who does not have access to the policy project (read privilege alone)]

How to set up and validate locally

  1. Apply the BE changes done in !118511 (merged):
diff --git a/ee/app/finders/security/scan_policy_base_finder.rb b/ee/app/finders/security/scan_policy_base_finder.rb
index 563419ccb98e..1b8cf81a4602 100644
--- a/ee/app/finders/security/scan_policy_base_finder.rb
+++ b/ee/app/finders/security/scan_policy_base_finder.rb
@@ -28,7 +28,7 @@ def policy_configuration
     end

     def authorized_to_read_policy_configuration?(config)
-      Ability.allowed?(actor, :read_security_orchestration_policies, config.security_policy_management_project)
+      Ability.allowed?(actor, :read_security_orchestration_policies, config.source)
     end

     def fetch_policy_configurations
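Review bot: the read check in `authorized_to_read_policy_configuration?` now authorizes `actor` against `config.source` instead of `config.security_policy_management_project`, so a user who can read the source project but has no access to the policy project will pass it; that matches the MR description, but the hunk carries no spec change, so the finder specs should cover both a user with read access on the source project only and a user with access to neither project.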
diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 4bb6d7e614e3..4cfdc37b6c38 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -281,7 +281,6 @@ module ProjectPolicy
       end

       rule { security_orchestration_policies_enabled & can?(:owner_access) }.policy do
-        enable :modify_security_policy
         enable :update_security_orchestration_policy_project
       end

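Review bot: dropping `enable :modify_security_policy` from the `owner_access` rule leaves owners of projects that do have a policy project without this ability from here; the next hunk re-enables it only when `~security_policy_project_available`, so for the case where the policy project exists it must come from the `can_commit_to_security_policy_project` rule, whose body this diff does not show. A policy spec asserting that an owner who cannot commit to the policy project no longer has `:modify_security_policy` would make that intent explicit.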
@@ -289,6 +288,10 @@ module ProjectPolicy
         enable :read_security_orchestration_policies
       end

+      rule { security_orchestration_policies_enabled & can?(:owner_access) & ~security_policy_project_available }.policy do
+        enable :modify_security_policy
+      end
+
       rule { security_orchestration_policies_enabled & security_policy_project_available & can_commit_to_security_policy_project }.policy do
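Review bot: the new rule repeats the `security_orchestration_policies_enabled & can?(:owner_access)` guard of the rule in the previous hunk with `~security_policy_project_available` added; since the only behavioural difference is that the ability is withheld once a policy project is configured, a one-line comment above the rule stating that, plus specs for an owner with and without a configured policy project, would help the next reader see why the two rules are kept separate.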
  2. Create a policy management project for a source project.
  3. On the source project, add a user, say `test`, with developer access.
  4. Log in separately as the test user and visit the source project: Source project -> Security and Compliance -> Policies.
  5. The test user with developer access should be able to view the configured policies without the edit button.
  6. Log in as the owner user of the policy project and repeat steps 4 & 5. The owner user should be able to view the edit button.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #400202 (closed)

Edited by Bala Kumar
