Add auditor access for dependency proxy

Anton Smith requested to merge auditor-enable-dependency-proxy into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Closes #355501 (closed)

Allows auditor users to be able to access the dependency proxy page in groups.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

auditor-enable-dependency-proxy

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Switch to the master branch and visit GitLab in your browser. Log in as an admin user and attempt to visit the dependency proxy page in a group https://gitlab.example.com/groups/<GROUP>/-/dependency_proxy. As an admin, you should be able to view this page.
  2. Impersonate an auditor account and attempt to visit https://gitlab.example.com/groups/<GROUP>/-/dependency_proxy. As an auditor, you should see a 404. This is expected.
  3. Switch to the auditor-enable-dependency-proxy branch.
  4. In the address bar, attempt to visit https://gitlab.example.com/groups/<GROUP>/-/dependency_proxy. As an auditor, you should now be able to view this page.
  5. Auditor users can still see the "Clear cache" button, however. See the next section below for more details.

Please note:

The dependency proxy page also has a dropdown menu that allows users to clear the dependency proxy cache. As an auditor user, if you attempt to clear the cache this returns a 403 error. This is expected because we don't want auditor users to perform write operations.

Visibility is controlled by the showDeleteDropdown function in https://gitlab.com/gitlab-org/gitlab/-/blob/v14.10.2-ee/app/assets/javascripts/packages_and_registries/dependency_proxy/app.vue#L184-200

My MR in its current form does not address the "Clear cache" button. Moving forward, I am seeking advice on how to proceed:

  1. Should this be considered a new issue?
  2. Should we extend the aforementioned Vue code above to hide the "Clear cache" button as part of this MR? If this is the case, I will likely need help for that.
  3. Or should we not worry about it?

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Anton Smith
