
Remove the `admin_vulnerability` ability from the Developer role

mo khan requested to merge mokhax/412693/remove-admin-vulnerability into master

What does this MR do and why?

In %17.0 we are introducing a breaking change that removes the ability to change the state of a vulnerability away from the Developer role. This change will allow organizations to maintain a separate role for these privileges via a custom role.

This MR introduces a feature flag to remove the :admin_vulnerability ability from the Developer role. Many of the existing tests related to vulnerability management use the Developer role as a way to provide access to the feature under test. Because of this, many spec files were updated to disable the new feature flag by default. Each of the existing tests in the test suite that utilize the Developer role (i.e. project.add_developer(user)) will need to be updated to use a custom role in order to gain the admin_vulnerability ability starting in %17.0.

#412693 (closed)

Screenshots or screen recordings

Vulnerability Report   Before (feature flag disabled)   After (feature flag enabled)
Group                  [screenshot]                     [screenshot]
Project                [screenshot]                     [screenshot]

How to set up and validate locally

Example below:

  1. In rails console enable the experiment fully
    Feature.enable(:disable_developer_access_to_admin_vulnerability)
  2. Visit any group or project vulnerability report http://127.0.0.1:3000/groups/flightjs/-/security/vulnerability_report
  3. The ability to change the vulnerability status should not be available.
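The description above says the flag removes :admin_vulnerability from the Developer role only, and that specs which relied on project.add_developer(user) will need a custom role instead once the flag is on. The following Ruby script is an added illustration of that boundary, not code from this MR or from GitLab: FeatureFlags is a constructed stand-in for the rails console Feature.enable / Feature.enabled? calls, BASE_ABILITIES is a hypothetical subset of built-in role abilities, and a custom role is modelled simply as extra abilities layered on a built-in role.

```ruby
require 'set'

# Constructed stand-in for Feature.enable / Feature.enabled? (not GitLab's implementation).
module FeatureFlags
  FLAG = :disable_developer_access_to_admin_vulnerability
  @enabled = Set.new

  def self.enable(name)
    @enabled.add(name)
  end

  def self.disable(name)
    @enabled.delete(name)
  end

  def self.enabled?(name)
    @enabled.include?(name)
  end
end

# Hypothetical subset of built-in role abilities; the real policies are much larger.
BASE_ABILITIES = {
  guest:      %i[read_project],
  reporter:   %i[read_project read_vulnerability],
  developer:  %i[read_project read_vulnerability admin_vulnerability],
  maintainer: %i[read_project read_vulnerability admin_vulnerability]
}.freeze

# A project member: a built-in role plus an optional custom role, modelled here
# (hypothetically) as a set of additional abilities granted on top of the base role.
class Member
  attr_reader :role, :custom_abilities

  def initialize(role, custom_abilities = [])
    @role = role
    @custom_abilities = custom_abilities.to_set
  end
end

# Resolve a member's effective abilities. With the flag enabled, :admin_vulnerability
# is dropped from the Developer role only; other built-in roles are untouched and a
# custom role can still grant it explicitly.
def abilities_for(member)
  base = BASE_ABILITIES.fetch(member.role).to_set
  if member.role == :developer && FeatureFlags.enabled?(FeatureFlags::FLAG)
    base.delete(:admin_vulnerability)
  end
  base | member.custom_abilities
end

def can?(member, ability)
  abilities_for(member).include?(ability)
end

# Evaluate the same three members with the flag off and then on, mirroring the
# "before" and "after" columns of the screenshot table.
def admin_vulnerability_matrix
  developer   = Member.new(:developer)
  custom_role = Member.new(:developer, [:admin_vulnerability]) # custom role based on Developer
  maintainer  = Member.new(:maintainer)

  FeatureFlags.disable(FeatureFlags::FLAG)
  before = {
    developer:   can?(developer, :admin_vulnerability),
    custom_role: can?(custom_role, :admin_vulnerability),
    maintainer:  can?(maintainer, :admin_vulnerability)
  }

  FeatureFlags.enable(FeatureFlags::FLAG)
  after = {
    developer:   can?(developer, :admin_vulnerability),
    custom_role: can?(custom_role, :admin_vulnerability),
    maintainer:  can?(maintainer, :admin_vulnerability)
  }

  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  admin_vulnerability_matrix.each { |phase, row| puts "#{phase}: #{row}" }
end
```

Running the script prints the before/after rows: only the plain Developer entry flips from true to false when the flag is enabled, which is the case each affected spec has to account for, either by disabling the flag as this MR does or by switching the fixture to a custom role.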

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by mo khan
