Auditor user can bulk select vulnerabilities
Summary
Auditor users have read-only access unless specifically granted a more permissive role on a Group or Project. An Auditor user visiting a Group or Project Vulnerability Report will see the checkboxes next to the vulnerabilities in the list. They can also select vulnerabilities and attempt to Dismiss. The user will then see an error as they are blocked from actually making the change.
Steps to reproduce
- Log in as an Auditor user
- Look at the Vulnerability Report for any Group or Project
- Make sure the user does not have another role such as Guest or Reporter on the Group/Project
- Observe that you can select vulnerabilities and attempt to Dismiss them
NOTE: This same problem likely applies to the Security Center as well. However, because of another bug with Auditor users, Projects cannot be added to these users' Security Center Vulnerability Report. Ensure that once that other defect is resolved, the bug behavior described here is not present there either.
What is the current bug behavior?
Auditor users can see the checkboxes on the Vulnerability report, allowing them to select and attempt to dismiss items.
What is the expected correct behavior?
Checkboxes should be hidden from Auditor users.
Possible fixes
- backend: add `is_user_auditor: current_user.auditor?.to_s` to `ee/app/helpers/ee/projects_helper.rb` on line 261 (to the `project_security_dashboard_config` method, in case the line number changes).
- frontend: inject this data into the vue app and hide the selection if it's true (do not forget to use `parseBoolean` while injecting).
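The "do not forget to use parseBoolean" note above matters because Rails renders `current_user.auditor?.to_s` as a string, and the string `'false'` is truthy in JavaScript. The following is an added illustration, not GitLab's code, of the naive gate beside the parsed one; `parseBoolean`, the dataset shape and the gate functions are my assumptions, reimplemented here to run stand-alone.

```javascript
// Added example (not GitLab's code): why the injected `is_user_auditor`
// string must be parsed before it gates the bulk-select checkboxes.

// Assumption: mirrors GitLab's parseBoolean helper, where only the exact
// string 'true' becomes true; anything else (including 'false') is false.
function parseBoolean(value) {
  return value === 'true';
}

// Constructed stand-in for the data-* attributes Rails renders on the
// Vue mount point. Because the helper uses `.to_s`, values are strings.
function mountPointDataset(isAuditor) {
  return { isUserAuditor: String(isAuditor) };
}

// Buggy gate: treats the raw dataset string as a boolean. 'false' is a
// non-empty string, so it is truthy and selection is hidden for everyone.
function showSelectionNaive(dataset) {
  return !dataset.isUserAuditor;
}

// Correct gate: parse first, then hide selection only for Auditor users.
// The server-side policy that already rejects the dismissal stays in place;
// this only removes a control the user is not permitted to use.
function showSelectionParsed(dataset) {
  return !parseBoolean(dataset.isUserAuditor);
}

// Run both gates for an auditor and a non-auditor and return the results
// so the difference can be inspected or asserted on.
function compareGates() {
  const rows = {};
  for (const isAuditor of [true, false]) {
    const dataset = mountPointDataset(isAuditor);
    rows[isAuditor ? 'auditor' : 'nonAuditor'] = {
      naive: showSelectionNaive(dataset),
      parsed: showSelectionParsed(dataset),
    };
  }
  return rows;
}
```

With the parsed gate, only the Auditor loses the checkboxes; the naive gate hides them from every user because `'false'` never reaches a real boolean.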