Resolve "Improve permissions validation for categories and attributes"
What does this MR do and why?
Improve permissions validation for security categories and attributes.
- Split admin and read permissions for security attributes by introducing a new :read_security_attribute permission separate from :admin_security_attributes
- Move authorization from GraphQL types to resolvers for proper context-based permission checks
- Update GroupPolicy to grant:read_security_attribute to users with :admin_security_attributes permission and custom role users
- Update AttributePolicy to delegate permission checks to the namespace and grant :read_security_attribute based on :admin_security_attributes
- Add custom ability configuration for read_security_attribute with group-level access for maintainers and owners (access level 50)
- Update CategoryResolver to use:read_security_attribute instead of :admin_security_attributes for proper read-only access control
- Add authorization check to AttributesResolver for project namespace
- Update tests to reflect the new permission model, where only maintainers and owners can read security attributes
- Add request spec for custom role with read_security_attribute permission
This change allows for more granular permission control, enabling read-only access to security attributes without requiring full admin permissions.
References
Screenshots or screen recordings
| Before | After |
|---|---|
 |
 |
How to set up and validate locally
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #567237!
Edited by Miki Amos