Hide some UI elements from users that lack admin_security_attributes permission

What does this MR do and why?

Require admin_security_attributes to apply/remove

Require canManageAttributes (can_admin_security_attributes) for:
- "Security attributes" tab on project security configuration page
- "Edit security attributes" action on group security inventory page
- "+ Add attributes" link in group security inventory page

Why? We want to require this permission in order to apply attributes to projects (not just to create/update/delete categories and attributes) - which was discussed in a few places throughout the development of Security Attributes/Context Filtering (&18010), but wasn't clearly defined when I scaffolded these pages (#550478 (closed), #550472 (closed), #550473 (closed)).

References

Screenshots or screen recordings

| | Before | After |
| --- | --- | --- |
| top-level group developer viewing inventory | Screenshot_2025-10-20_at_13.46.51: can see attributes in the cell, can apply attributes to projects | Screenshot_2025-10-20_at_13.46.31: can see attributes in the cell (once #577049 is fixed), but cannot apply attributes to projects |
| top-level group developer viewing project security configuration | Screenshot_2025-10-20_at_13.46.58: can see the security attributes tab, can apply attributes to project | Screenshot_2025-10-20_at_13.46.37: cannot see the security attributes tab at all |
| top-level group maintainer viewing inventory | Screenshot_2025-10-20_at_13.43.48: can see attributes in the cell, can apply attributes to projects | Screenshot_2025-10-20_at_13.43.48: no change |
| top-level group maintainer viewing project security configuration | Screenshot_2025-10-20_at_13.44.28: can see the security attributes tab, can apply attributes to project | Screenshot_2025-10-20_at_13.44.28: no change |

How to set up and validate locally

git checkout mfluharty-gate-applying-attributes-behind-admin-permission
echo "Feature.enable(:security_categories_and_attributes)" | gdk rails c
echo "Feature.enable(:security_context_labels)" | gdk rails c
  1. navigate to a top-level group where you are at least a maintainer
  2. navigate to => Secure => Security inventory - you should be able to apply security attributes to projects
  3. navigate to a project in the group => Secure => Security configuration - you should be able to apply security attributes to the project
  4. add a user as a developer in the top-level group, use the admin area to impersonate them
  5. navigate to => Secure => Security inventory - you should NOT be able to apply security attributes to projects
  6. navigate to a project in the group => Secure => Security configuration - you should NOT be able to see the Security attributes tab

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Miranda Fluharty
