Add admin_vulnerability to custom roles
What does this MR do and why?
It adds the admin_vulnerability ability to custom roles.
Screenshots or screen recordings
How to set up and validate locally
- Enable the feature flag in a Rails console:
  Feature.enable(:custom_roles_vulnerability)
- Create a personal access token with the API scope.
- Pick a group with at least one project, and a user who is a member of that project with the guest or reporter access level.
- Create a custom role using the API (https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group):
  curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 10, "read_vulnerability" : true, "admin_vulnerability": true }' "http://localhost:3000/api/v4/groups/$YOUR_GROUP_ID/member_roles"
  You can also test without "read_vulnerability" : true, which should be rejected: read_vulnerability is a requirement for admin_vulnerability.
- Associate the member with the role using the Group and Project Members API endpoint:
  curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 10}' "http://localhost:3000/api/v4/projects/$ID/members/$GUEST_USER_ID"
- Go to the vulnerability report page (e.g. http://localhost:3000/flightjs/Flight/-/security/vulnerability_report), click on a vulnerability and try to change its status.
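The validation steps above can be driven end to end from a shell instead of clicking through the UI. The script below is an added example for this MR description, not code from the MR or from GitLab itself. It assumes a local instance at GITLAB_URL (default http://localhost:3000), an admin personal access token in GITLAB_TOKEN, and a second token in GUEST_TOKEN that belongs to the guest user, so the final step runs with the guest's permissions rather than the admin's. It also assumes the Features API (POST /features/:name) can flip the flag, and that the vulnerabilityConfirm GraphQL mutation is the state change the report page performs; helper names (member_role_payload, expect_status, json_id, state_confirmed, api) are the example's own. It goes one step beyond the description by asserting the negative case (admin_vulnerability without read_vulnerability must return 400) rather than just observing it.

```shell
#!/bin/sh
# Added example, not part of this MR: end-to-end local check of the
# admin_vulnerability custom-role ability through the REST and GraphQL APIs.
# Assumed environment (not from the MR description): GitLab at GITLAB_URL,
# an admin PAT with api scope in GITLAB_TOKEN, and a PAT belonging to the
# guest user in GUEST_TOKEN.
set -eu

GITLAB_URL="${GITLAB_URL:-http://localhost:3000}"
RESP="${TMPDIR:-/tmp}/custom_role_check.json"   # last response body is saved here

# JSON body for POST /groups/:id/member_roles.
#   $1 base_access_level   $2 read_vulnerability   $3 admin_vulnerability
member_role_payload() {
  printf '{"base_access_level":%s,"read_vulnerability":%s,"admin_vulnerability":%s}' "$1" "$2" "$3"
}

# Succeeds when the actual HTTP status ($1) equals the expected one ($2).
expect_status() {
  [ "$1" = "$2" ]
}

# Extracts the numeric id from a JSON object whose first key is "id"
# (the shape the member_roles and members endpoints return).
json_id() {
  printf '%s' "$1" | sed -n 's/^{"id":\([0-9][0-9]*\).*/\1/p'
}

# True when a vulnerabilityConfirm GraphQL response reports success:
# an empty errors array and the vulnerability now in state CONFIRMED.
state_confirmed() {
  printf '%s' "$1" | grep -q '"errors":\[\]' && printf '%s' "$1" | grep -q '"state":"CONFIRMED"'
}

# api METHOD PATH TOKEN [JSON_BODY]: prints the HTTP status, saves the body to $RESP.
api() {
  if [ $# -ge 4 ]; then
    curl -sS -o "$RESP" -w '%{http_code}' --request "$1" \
      --header "Content-Type: application/json" --header "Authorization: Bearer $3" \
      --data "$4" "$GITLAB_URL/api/v4$2"
  else
    curl -sS -o "$RESP" -w '%{http_code}' --request "$1" \
      --header "Authorization: Bearer $3" "$GITLAB_URL/api/v4$2"
  fi
}

# main GROUP_ID PROJECT_ID GUEST_USER_ID VULNERABILITY_ID
main() {
  group_id=$1; project_id=$2; guest_id=$3; vuln_id=$4

  # 0. Enable the flag via the Features API (assumed equivalent to Feature.enable in the console).
  status=$(api POST "/features/custom_roles_vulnerability" "$GITLAB_TOKEN" '{"value":"true"}')
  expect_status "$status" 201 || { echo "enabling feature flag failed ($status)"; exit 1; }

  # 1. Negative test: admin_vulnerability without read_vulnerability must be rejected.
  status=$(api POST "/groups/$group_id/member_roles" "$GITLAB_TOKEN" "$(member_role_payload 10 false true)")
  expect_status "$status" 400 || { echo "expected 400 without read_vulnerability, got $status"; exit 1; }

  # 2. Create the role with both abilities and keep its id.
  status=$(api POST "/groups/$group_id/member_roles" "$GITLAB_TOKEN" "$(member_role_payload 10 true true)")
  expect_status "$status" 201 || { echo "creating member role failed ($status)"; cat "$RESP"; exit 1; }
  role_id=$(json_id "$(cat "$RESP")")

  # 3. Attach the role to the guest's existing membership on the project.
  status=$(api PUT "/projects/$project_id/members/$guest_id" "$GITLAB_TOKEN" \
    "{\"member_role_id\":$role_id,\"access_level\":10}")
  expect_status "$status" 200 || { echo "assigning member role failed ($status)"; cat "$RESP"; exit 1; }

  # 4. As the guest, attempt the state change the new ability is meant to permit.
  mutation="{\"query\":\"mutation { vulnerabilityConfirm(input: {id: \\\"gid://gitlab/Vulnerability/$vuln_id\\\"}) { errors vulnerability { state } } }\"}"
  curl -sS -o "$RESP" --header "Content-Type: application/json" \
    --header "Authorization: Bearer $GUEST_TOKEN" --data "$mutation" "$GITLAB_URL/api/graphql"
  if state_confirmed "$(cat "$RESP")"; then
    echo "guest with admin_vulnerability confirmed vulnerability $vuln_id"
  else
    echo "state change was refused:"; cat "$RESP"; exit 1
  fi
}

# Only talk to GitLab when a token and the four ids are present; otherwise
# sourcing the file just defines the helpers.
if [ -n "${GITLAB_TOKEN:-}" ] && [ $# -eq 4 ]; then
  main "$@"
fi
```

Run it as `GITLAB_TOKEN=... GUEST_TOKEN=... sh check_admin_vulnerability.sh GROUP_ID PROJECT_ID GUEST_USER_ID VULNERABILITY_ID`. To confirm the ability is actually what gates the change, run step 4 once more after removing the member role (PUT the membership back with no member_role_id); the mutation should then come back with a permission error instead of state CONFIRMED.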
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #412536 (closed)