Do not expose issuable URLs on Vulnerability Feedback entities without permissions
What Problem are we solving?
With the work in https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/9326#note_143747192 a discussion was raised on exposing `issue` and `merge_request` URLs when a user may or may not have permissions to view them:
I think that this falls into the tricky territory of tri-state handling of permissions, which is not really designed today on UX, frontend or backend. I would fall back from doing something for the purpose of this work without having a system-wide design discussion. In all other places, we simply did not show that such an entity exists or allow clicking if the user does not have permission to access it. This is not the greatest UX, but it does not pose any security vulnerabilities attached to the behavior. In most cases users already have access, so it is not that big of a problem. So, I would say: hide it. If we have to refine that and have a proper tri-state (we have it, but you are not allowed), this should rather be thought of as the system-wide approach.
Essentially, we are now relying on two different exposure models to control access. The current implementation in !9326 (merged) exposes the URLs from the serializer regardless of the viewer's permissions and relies on the frontend to decide whether to show them, which is inconsistent with the access model used in the rest of the codebase, where an entity the user cannot access is simply not exposed.
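To make the difference between the two models concrete, here is an added example (not GitLab's code) that stands in for Grape::Entity's `expose ... if:` and for `can?`/Ability with hypothetical minimal versions; the models, project membership rule and URL paths are constructed for the example. It shows the serializer omitting a linked URL when the viewer lacks permission, so nothing reaches the frontend to hide.

```ruby
# Constructed domain objects standing in for GitLab's models.
User         = Struct.new(:id)
Project      = Struct.new(:path, :member_ids)   # only members may read its MRs and issues
MergeRequest = Struct.new(:iid, :project)
Issue        = Struct.new(:iid, :project)
Feedback     = Struct.new(:merge_request, :issue) do
  def merge_request?; !merge_request.nil?; end
  def issue?;         !issue.nil?;         end
end
# Hypothetical stand-in for GitLab's Ability / `can?`: project membership decides read access.
module Ability
  def self.allowed?(user, _action, subject)
    return false if user.nil? || subject.nil?
    subject.project.member_ids.include?(user.id)
  end
end
# Minimal stand-in for Grape::Entity's `expose name, if: cond do |obj| ... end`.
class Entity
  def self.exposures; @exposures ||= []; end
  def self.expose(name, **opts, &block); exposures << [name, opts[:if], block]; end
  attr_reader :current_user
  def initialize(object, current_user:); @object, @current_user = object, current_user; end
  def can?(user, action, subject); Ability.allowed?(user, action, subject); end

  def as_json
    self.class.exposures.each_with_object({}) do |(name, cond, block), hash|
      next if cond && !instance_exec(@object, {}, &cond) # guarded key is omitted, not nil
      hash[name] = instance_exec(@object, &block)
    end
  end
end

class FeedbackEntity < Entity
  # Vulnerable form from the MR under discussion trusted the frontend to hide the link:
  #   expose :merge_request_url, if: ->(f, _) { f.merge_request? } do |f| ... end
  # Hardened form: the serializer checks the viewer's permission before exposing the URL.
  expose :merge_request_url, if: ->(f, _) { f.merge_request? && can?(current_user, :read_merge_request, f.merge_request) } do |f|
    "/#{f.merge_request.project.path}/merge_requests/#{f.merge_request.iid}"
  end
  expose :issue_url, if: ->(f, _) { f.issue? && can?(current_user, :read_issue, f.issue) } do |f|
    "/#{f.issue.project.path}/issues/#{f.issue.iid}"
  end
end

def serialize_feedback(feedback, user)
  FeedbackEntity.new(feedback, current_user: user).as_json
end
# Constructed sample: a private project whose only member is user 1.
PRIVATE_PROJECT = Project.new('acme/private', [1])
SAMPLE_FEEDBACK = Feedback.new(MergeRequest.new(7, PRIVATE_PROJECT), Issue.new(3, PRIVATE_PROJECT))
```

A member of the project receives both URLs; a non-member or anonymous viewer receives a hash with neither key, matching the "hide it" behaviour used elsewhere.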
Suggested fix
NOTE: this should be applied to both issues and merge_requests
diff --git a/ee/app/serializers/vulnerabilities/feedback_entity.rb b/ee/app/serializers/vulnerabilities/feedback_entity.rb
index fd6483b596d..2900a79f9b9 100644
--- a/ee/app/serializers/vulnerabilities/feedback_entity.rb
+++ b/ee/app/serializers/vulnerabilities/feedback_entity.rb
@@ -17,9 +17,10 @@ class Vulnerabilities::FeedbackEntity < Grape::Entity
- expose :merge_request_url, if: -> (feedback, _) { feedback.merge_request? } do |feedback|
+ expose :merge_request_url, if: -> (feedback, _) { feedback.merge_request? && can?(current_user, :read_merge_request, feedback.merge_request) } do |feedback|
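Review bot: the `if:` guard on the changed line calls `current_user` and `can?` unqualified inside the lambda, and Grape::Entity defines neither, so the entity (or its parent) must already provide the requesting user; otherwise the exposure raises instead of hiding the URL. The lambda's second argument, the options hash, is discarded as `_`, so confirm the user is reachable some other way. As the note above the patch says, the same guard is needed on the `issue_url` exposure, i.e. `feedback.issue? && can?(current_user, :read_issue, feedback.issue)`, and since the key is now omitted rather than set to `null`, the frontend consuming this entity should treat its absence as "no access".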