Security policies list not viewable by project users unless they have access in the group, subgroup, or project where the policies are created
Summary
Security policies list is not viewable by project users unless they have Developer access in the group, subgroup, or project where the policies are created. Even if the required access were only Reporter, that would be an easier workaround, but teams may not want to add a user as Developer at certain levels, as that could result in inherited permissions in sub-groups or projects that they are not intended to have access to.
See Loom.
Steps to reproduce
See Loom.
Example Project
What is the current bug behavior?
Security policies list is not viewable by project users unless they have access in the group, subgroup, or project where the policies are created.
What is the expected correct behavior?
Any user in a project that is enforced by one or more policies should be able to view the list of policies in effect. The table then shows where each policy is inherited from. Access to the security policy project containing the policies would still be controlled by that project's own members, but the list view of the policies should be visible to any user of the enforced project.
See Loom.
Possible fixes
diff --git a/ee/app/finders/security/scan_execution_policies_finder.rb b/ee/app/finders/security/scan_execution_policies_finder.rb
index ee16c718a3bb..e190a3c52941 100644
--- a/ee/app/finders/security/scan_execution_policies_finder.rb
+++ b/ee/app/finders/security/scan_execution_policies_finder.rb
@@ -22,7 +22,7 @@ def filter_by_scan_types(policies, scan_types)
end
end
- def authorized_to_read_policy_configuration?(config)
+ def authorized_to_read_policy_configuration?
return actor.has_access_to?(project) if actor.is_a?(Clusters::Agent)
super
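Review bot: the `Clusters::Agent` branch still authorizes against `project`, while the `super` it falls through to now checks `object` (see the base-finder hunk below, `Ability.allowed?(actor, :read_security_orchestration_policies, object)`); if `project` and `object` can differ for this finder, an agent is authorized against a different target than a user is, so either confirm they are the same record here or check `object` in both places. Dropping the `config` parameter also means any remaining caller that still passes an argument will raise `ArgumentError`; grep for other call sites of `authorized_to_read_policy_configuration?` before merging.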
diff --git a/ee/app/finders/security/scan_policy_base_finder.rb b/ee/app/finders/security/scan_policy_base_finder.rb
index 1b8cf81a4602..6d4e8ae0435e 100644
--- a/ee/app/finders/security/scan_policy_base_finder.rb
+++ b/ee/app/finders/security/scan_policy_base_finder.rb
@@ -18,8 +18,9 @@ def execute
attr_reader :actor, :object, :policy_type, :params
def fetch_scan_policies
+ return [] unless authorized_to_read_policy_configuration?
+
fetch_policy_configurations
- .select { |config| authorized_to_read_policy_configuration?(config) }
.flat_map { |config| merge_project_relationship(config) }
end
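Review bot: this replaces the per-configuration filter (`.select { |config| authorized_to_read_policy_configuration?(config) }`, checked against each `config.source`) with a single check on `object` before anything is fetched. That is what the expected-behavior section asks for (a member of the enforced project sees inherited policies), but it also means read access on the policy's source group or project is no longer required at all, which is a permission widening and should be stated explicitly in the MR description and covered by a spec where the actor is a member of the enforced project but not of the group that owns the policy. Returning `[]` rather than `nil` on the unauthorized path is the right choice, since the authorized path returns the result of `flat_map` and callers can rely on an array either way.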
@@ -27,8 +28,8 @@ def policy_configuration
@policy_configuration ||= object.security_orchestration_policy_configuration
end
- def authorized_to_read_policy_configuration?(config)
- Ability.allowed?(actor, :read_security_orchestration_policies, config.source)
+ def authorized_to_read_policy_configuration?
+ Ability.allowed?(actor, :read_security_orchestration_policies, object)
end
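Review bot: `object` is injected into the finder (`attr_reader :actor, :object, :policy_type, :params` above), so it may be a project or a group depending on the caller; confirm that `:read_security_orchestration_policies` is granted on both the project and the group policy classes at the access level the issue expects (the summary says Developer is required today, the expected behavior asks for any member of the enforced project), otherwise the early `return []` in `fetch_scan_policies` still hides the list for exactly the users this fix targets. With `config` no longer used, the base-class signature is now consistent with the subclass override in `scan_execution_policies_finder.rb`.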