Refactor vulnerabilities permissions
What does this MR do and why?
This MR consolidates create_vulnerability
and admin_vulnerability
into admin_vulnerability
permissions. We also add read_vulnerability
.
The reason is that we agreed that for custom roles in general we will have two basic abilities, read_*
and admin_*
. For vulnerabilities, at least for now, there is no difference between access to admin or read. But we should keep this unified across the different permissions.
There will be follow-up MRs with the rest of the permissions - those related to vulnerability_feedback (at least 4 of them, different access, therefore a separated MR probably with different permission), *_vulnerability_export
(more complex due to the author check) and admin_vulnerability_*_links
(additional checks).
Before
:create_vulnerability=>[[:prevent, #<Rule archived>], [:enable, #<Rule can?(:read_security_resource)>], [:prevent, #<Rule all?(auditor, ~developer)>], [:prevent, #<Rule read_only>]],
:admin_vulnerability=>[[:prevent, #<Rule archived>], [:enable, #<Rule can?(:read_security_resource)>], [:prevent, #<Rule all?(auditor, ~developer)>], [:prevent, #<Rule read_only>]],
After
:manage_vulnerabilities=>[[:enable, #<Rule can?(:read_security_resource)>], [:prevent, #<Rule all?(auditor, ~developer)>]]}
Screenshots or screen recordings
How to set up and validate locally
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #388156 (closed)