
Enable vulnerability export for custom roles

🔥 This MR now targets 388156-read-vuln-custom-role branch. Once !114734 (merged) is merged, this needs to be changed to master 🔥

What does this MR do and why?

In Add ability to read_vulnerability to custom roles (!114734 - merged) we added the read_vulnerability permission for custom roles. This MR extends that permission so that when a user has read_vulnerability allowed as part of their custom role, they can also create vulnerability exports.

The separate create_vulnerability_export ability is kept because, for users whose access does not come from the custom roles feature, the condition behaves a bit differently (not sure this is needed). Also, create_vulnerability_export is present in GroupPolicy, and for now custom roles work only for projects.

How to set up and validate locally

  1. Enable the feature flag: Feature.enable(:custom_roles_vulnerability)
  2. Create a personal access token with the API scope.
  3. Pick a group with at least one project (project) and a user who is a member of this project with the Guest access level (user).
  4. Check whether the user can access the vulnerability page of the project (eg. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report); they should not be able to access it.
  5. Create a custom role using the API: https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group
    • curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 20, "read_vulnerability" : true}' "https://gdk.test:3443/api/v4/groups/$YOUR_GROUP_ID/member_roles"
    • You can also test with base_access_level = 10 (Guest), which should be rejected: the minimal base access level for read_vulnerability is Reporter (20).
  6. Associate the member with the role using the Group and Project Members API endpoint (the member's access_level must match the role's base_access_level):
    • curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 20}' "https://example.gitlab.com/api/v4/projects/$ID/members/$GUEST_USER_ID"
  7. Go to the vulnerability page of the project (eg. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report).
  8. Click the Export button in the top corner of the page and verify that you can create and download the export.
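The validation steps above need a running GDK. As an added example that is not GitLab's code (none of these classes or method names exist in the GitLab code base; FeatureFlags, MemberRole, Member and ProjectPolicy are stand-ins modelled on the MR text), the following Ruby walks through the same outcomes offline: a plain Guest cannot export, a custom role with read_vulnerability on a Guest base level is rejected, a Reporter-based custom role with read_vulnerability grants both read_vulnerability and create_vulnerability_export, and the grant disappears when the custom_roles_vulnerability flag is off. The access level values (Guest 10, Reporter 20, Developer 30) are GitLab's; that default roles get read_vulnerability from Developer up is an assumption of this model, not something stated on this page.

```ruby
# Added example: a self-contained model of the access rules this MR exercises.
# It is NOT GitLab's DeclarativePolicy code; all names here are assumptions.
module Access
  GUEST     = 10
  REPORTER  = 20
  DEVELOPER = 30
end

# Minimal base access level a custom permission may be attached to
# (taken from the MR's note that read_vulnerability needs at least Reporter).
MINIMAL_BASE_ACCESS_LEVEL = { read_vulnerability: Access::REPORTER }.freeze

# Stand-in for the feature flag enabled in step 1 (hypothetical, not GitLab's Feature class).
class FeatureFlags
  @enabled = {}
  class << self
    def enable(name);   @enabled[name] = true;  end
    def disable(name);  @enabled[name] = false; end
    def enabled?(name); @enabled.fetch(name, false); end
  end
end

# A custom role: a base access level plus the permissions it adds on top.
class MemberRole
  attr_reader :base_access_level

  def initialize(base_access_level:, **permissions)
    @base_access_level = base_access_level
    @permissions = permissions
    validate!
  end

  def enables?(permission)
    @permissions.fetch(permission, false)
  end

  private

  # Reject roles whose base level is below the minimum for an enabled permission.
  def validate!
    @permissions.each do |permission, enabled|
      next unless enabled
      minimum = MINIMAL_BASE_ACCESS_LEVEL.fetch(permission) do
        raise ArgumentError, "#{permission} is not a customisable permission"
      end
      next if @base_access_level >= minimum
      raise ArgumentError, "#{permission} needs base_access_level >= #{minimum}, got #{@base_access_level}"
    end
  end
end

# A project membership; the access_level must match the role's base level (step 6).
class Member
  attr_reader :access_level, :member_role

  def initialize(access_level:, member_role: nil)
    if member_role && member_role.base_access_level != access_level
      raise ArgumentError, 'access_level must equal the member role base_access_level'
    end
    @access_level = access_level
    @member_role = member_role
  end
end

class ProjectPolicy
  def initialize(member)
    @member = member
  end

  def allowed?(ability)
    case ability
    when :read_vulnerability
      default_read_vulnerability? || custom_role_read_vulnerability?
    when :create_vulnerability_export
      # The MR's change: whoever may read vulnerabilities may also export them.
      allowed?(:read_vulnerability)
    else
      false
    end
  end

  private

  def default_read_vulnerability?
    @member.access_level >= Access::DEVELOPER # assumption for this model
  end

  def custom_role_read_vulnerability?
    return false unless FeatureFlags.enabled?(:custom_roles_vulnerability)
    role = @member.member_role
    !role.nil? && role.enables?(:read_vulnerability)
  end
end

# Replays the MR's validation steps and returns the observed outcomes.
def walkthrough
  FeatureFlags.enable(:custom_roles_vulnerability)
  results = {}
  guest = Member.new(access_level: Access::GUEST)                       # step 3
  results[:guest_can_export] = ProjectPolicy.new(guest).allowed?(:create_vulnerability_export) # step 4
  begin                                                                 # step 5, second bullet
    MemberRole.new(base_access_level: Access::GUEST, read_vulnerability: true)
    results[:guest_role_rejected] = false
  rescue ArgumentError
    results[:guest_role_rejected] = true
  end
  role = MemberRole.new(base_access_level: Access::REPORTER, read_vulnerability: true) # step 5
  member = Member.new(access_level: Access::REPORTER, member_role: role)               # step 6
  policy = ProjectPolicy.new(member)
  results[:custom_role_can_read] = policy.allowed?(:read_vulnerability)               # step 7
  results[:custom_role_can_export] = policy.allowed?(:create_vulnerability_export)    # step 8
  FeatureFlags.disable(:custom_roles_vulnerability)                     # without step 1
  results[:flag_off_can_export] = policy.allowed?(:create_vulnerability_export)
  FeatureFlags.enable(:custom_roles_vulnerability)
  results
end

puts walkthrough if $PROGRAM_NAME == __FILE__
```

Running the file prints the results hash; the export grant is derived from read_vulnerability rather than stored on the role, which mirrors the MR's intent that a custom role never has to be told about exports separately.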

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #399122 (closed)

Edited by Jarka Košanová
