
Add admin_vulnerability to custom roles

Jarka Košanová requested to merge 412536-admin-vulnerablity-cr into master

What does this MR do and why?

It adds the admin_vulnerability ability to custom roles.

Screenshots or screen recordings

How to set up and validate locally

  1. Enable the feature flag: Feature.enable(:custom_roles_vulnerability)

  2. Create a personal access token with the API scope.

  3. Pick a group with at least one project, and pick a user who is a member of this project (guest/reporter access level).

  4. Create a custom role using the API: https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group

    • curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 10, "read_vulnerability" : true, "admin_vulnerability": true }' "http://localhost:3000/api/v4/groups/$YOUR_GROUP_ID/member_roles"

    • You can also test without "read_vulnerability" : true, which should not work (read_vulnerability is a requirement for admin_vulnerability).

  5. Associate the member with the role using the Group and Project Members API endpoint:

    • curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 10}' "http://localhost:3000/api/v4/projects/$ID/members/$GUEST_USER_ID"

  6. Go to the vulnerability report page (e.g. http://localhost:3000/flightjs/Flight/-/security/vulnerability_report), click on a vulnerability and try to change the vulnerability status.
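As an added example (not code from this MR or from GitLab), a small shell wrapper for steps 4 and 5 that enforces the dependency noted under step 4 (admin_vulnerability requires read_vulnerability) locally before any request is sent, then issues the same two API calls. It assumes the caller exports YOUR_ACCESS_TOKEN, YOUR_GROUP_ID, ID (the project) and GUEST_USER_ID as in the curl commands above; GITLAB_URL is an assumed optional override defaulting to the host used in the steps.

```shell
#!/usr/bin/env bash
# Added example wrapping steps 4 and 5 of the MR's validation procedure.
# Environment assumptions: YOUR_ACCESS_TOKEN, YOUR_GROUP_ID, ID, GUEST_USER_ID
# (taken from the MR's curl commands); GITLAB_URL is an assumed optional override.

# Returns 0 if the pair is consistent, 1 if admin is requested without read.
# Args: read_vulnerability (true/false) admin_vulnerability (true/false)
validate_vuln_permissions() {
  if [ "$2" = "true" ] && [ "$1" != "true" ]; then
    echo "admin_vulnerability requires read_vulnerability" >&2
    return 1
  fi
  return 0
}

# JSON body for POST /groups/:id/member_roles (step 4). Refuses an
# inconsistent pair locally so a server-side rejection is not the first signal.
# Args: base_access_level read_vulnerability admin_vulnerability
member_role_payload() {
  validate_vuln_permissions "$2" "$3" || return 1
  printf '{"base_access_level": %s, "read_vulnerability": %s, "admin_vulnerability": %s}' \
    "$1" "$2" "$3"
}

# JSON body for PUT /projects/:id/members/:user_id (step 5).
# Args: member_role_id access_level
member_assignment_payload() {
  printf '{"member_role_id": %s, "access_level": %s}' "$1" "$2"
}

# Step 4: create the custom role; prints the API response.
# Usage: create_member_role 10 true true
create_member_role() {
  local body
  body="$(member_role_payload "$1" "$2" "$3")" || return 1
  curl -sS --request POST --header "Content-Type: application/json" \
    --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data "$body" \
    "${GITLAB_URL:-http://localhost:3000}/api/v4/groups/$YOUR_GROUP_ID/member_roles"
}

# Step 5: attach the role to the guest member of the project.
# Usage: assign_member_role "$MEMBER_ROLE_ID" 10
assign_member_role() {
  curl -sS --request PUT --header "Content-Type: application/json" \
    --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" \
    --data "$(member_assignment_payload "$1" "$2")" \
    "${GITLAB_URL:-http://localhost:3000}/api/v4/projects/$ID/members/$GUEST_USER_ID"
}
```

Calling create_member_role with read_vulnerability=false and admin_vulnerability=true fails before any request leaves the machine, which mirrors the rejection step 4 expects from the API.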

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #412536 (closed)

Edited by Jarka Košanová
