
Add PipelineSecurityReportingFinding userPermissions - frontend change

Problem

The vulnerability_finding_modal.vue should be as standalone as possible. To fix Unable to create issues for pipeline security f... (#428894 - closed) • David Pisek, Subashis Chakraborty • 16.7, as a quicker fix, a new prop for the modal was added that determines whether an issue can be created for the finding. However, we'd like the modal itself to figure this out.

Solution

Introduce a userPermissions field in PipelineSecurityReportingFinding, similar to the userPermissions field in Vulnerability: an object with at least one permission field that determines whether the user can create an issue for the respective finding. The field could be named, for example, createFindingIssue.

Implementation steps

  1. Remove the injected canAdminVulnerability in vulnerability_finding_modal.vue
  2. Remove the provide of canAdminVulnerability and the pass-through via the HAML template, both of which become unnecessary once the injection from step 1 is gone
  3. Adapt the GraphQL query for the finding to include userPermissions { adminVulnerability } and use that in the computed properties/template of vulnerability_finding_modal.vue
  4. Update specs
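As an added illustration of step 3 (example code, not the MR's own), the finding query extended with the userPermissions selection, and the permission derivation the modal would use in place of the injected prop. The query text, argument names and response shapes are assumptions; the point is that anything other than an explicit `adminVulnerability: true` (field absent from an older backend, null, a non-boolean) hides the buttons rather than showing them.

```javascript
// Added example, not code from the MR. Query shape and field names are
// assumptions apart from userPermissions { adminVulnerability }.
const PIPELINE_FINDING_QUERY = `
  query pipelineFinding($projectFullPath: ID!, $pipelineIid: ID!, $uuid: String!) {
    project(fullPath: $projectFullPath) {
      pipeline(iid: $pipelineIid) {
        securityReportFinding(uuid: $uuid) {
          uuid
          title
          userPermissions {
            adminVulnerability
          }
        }
      }
    }
  }
`;

// What the modal would compute from the finding returned by the query.
// Fail closed: only a strict boolean true grants the admin actions, so a
// missing userPermissions object, a null field or a string "true" all
// resolve to "not permitted".
function findingPermissions(finding) {
  const perms = finding ? finding.userPermissions : null;
  const canAdmin = Boolean(perms) && perms.adminVulnerability === true;
  return {
    canCreateIssue: canAdmin,
    canDismissVulnerability: canAdmin,
  };
}

// Constructed sample responses in the shape Apollo would hand the component.
const FINDING_WITH_PERMISSION = {
  uuid: '00000000-0000-0000-0000-000000000001',
  title: 'Untrusted Search Path',
  userPermissions: { adminVulnerability: true },
};
const FINDING_WITHOUT_PERMISSION = {
  uuid: '00000000-0000-0000-0000-000000000002',
  title: 'Untrusted Search Path',
  userPermissions: { adminVulnerability: false },
};
// A backend that does not yet expose the field returns no userPermissions.
const FINDING_FROM_OLD_BACKEND = {
  uuid: '00000000-0000-0000-0000-000000000003',
  title: 'Untrusted Search Path',
};
```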

Verification steps

adminVulnerability is true -> "create issue" is visible

  1. Go to https://gitlab.com/gitlab-examples/security/security-reports/-/pipelines/1156121988/security
  2. Click the info button of the finding "Untrusted Search Path"
  3. Verify that the "Create issue" button is visible

adminVulnerability is false -> "create issue" is not visible

This needs to be done locally because it involves impersonating a user with a custom role.

Prerequisites

  1. You need an EE license
  2. You need to have runners enabled (See $2408961 for setting up a runner)
  3. Import https://gitlab.com/gitlab-examples/security/security-reports
  4. Run a pipeline on master

Verify

  1. Go to http://gdk.test:3000/admin/application_settings/roles_and_permissions
  2. Select "add new role" and choose "reporter" as the base role for the template, give the role a name, and check the "Read vulnerability" permission but not "Admin vulnerability". Save.
  3. Go to http://gdk.test:3000/gitlab-org/security-reports/-/project_members, invite a user who does not already have access to that project, and apply the custom role.
  4. Go to http://gdk.test:3000/admin/users and find the person you just applied the custom role to, and impersonate that user.
  5. Go to http://gdk.test:3000/gitlab-org/security-reports and navigate to the latest pipeline > security tab. Click one of the findings such that the modal opens.
  6. Verify that the "Create issue" and "Dismiss vulnerability" buttons are not visible.
Edited by Lorenz van Herwaarden