Fix Security navigation for users with custom role
What does this MR do and why?
It fixes the Project sidebar and shows Vulnerabilities menu item (under Secure) for users who have enabled reading vulnerabilities because of their custom role.
Screenshots or screen recordings
How to set up and validate locally
- Enable feature flag
Feature.enable(:custom_roles_vulnerability)
- Creates a personal access token with the API scope.
- Pick a group with at least one project (
project
), pick a user who is member of this project (gues access level) -user
- Check if a user can access the vulnerability page of the project (eg.
https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report
), they should not be able to access it - Create a custom role using the API:
https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group
curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 10, "read_vulnerability" : true}' "https://gdk.test:3443/api/v4/groups/$YOUR_GROUP_ID/member_roles"
- You can also test with
base_access_level
=10
which should not work (minimal base access level is reporter)
- Associates the member with the role using the Group and Project Members API endpoint
curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 10}' "https://example.gitlab.com/api/v4/projects/$ID/members/$GUEST_USER_ID"
- Check the menu sidebar when logged in with that user
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #410126 (closed)
Edited by Jarka Košanová