Enable vulnerability export for custom roles
388156-read-vuln-custom-role branch. Once !114734 (merged) is merged, this needs to be changed to master.
What does this MR do and why?
In Add ability to read_vulnerability to custom roles (!114734 - merged) we added the `read_vulnerability` permission for custom roles. This MR extends that ability so that when a user has `read_vulnerability` enabled as part of their custom role, they can also create vulnerability exports.

The `create_vulnerability_export` ability is kept because, for users who don't have these enabled through the custom roles feature, the condition behaves a bit differently (not sure this is needed). Also, `create_vulnerability_export` is present in `GroupPolicy`, and for now custom roles work only for `Project`s.
How to set up and validate locally
- Enable the feature flag:

  ```ruby
  Feature.enable(:custom_roles_vulnerability)
  ```

- Create a personal access token with the `api` scope.
- Pick a group with at least one project (`project`), and pick a user who is a member of this project with the Guest access level (`user`).
- Check whether the user can access the vulnerability report page of the project (e.g. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report); they should not be able to access it.
- Create a custom role using the API (https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group):

  ```shell
  curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 10, "read_vulnerability" : true}' "https://gdk.test:3443/api/v4/groups/$YOUR_GROUP_ID/member_roles"
  ```

- You can also test with `base_access_level=10`, which should not work (the minimal base access level is Reporter).
- Associate the member with the role using the Group and Project Members API endpoint:

  ```shell
  curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 10}' "https://example.gitlab.com/api/v4/projects/$ID/members/$GUEST_USER_ID"
  ```

- Go to the vulnerability report page of the project (e.g. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report), click the Export button in the top corner of the page, and test that you can create and download the export.
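The validation steps above, scripted end to end as an added example (not GitLab's code and not part of this MR). It assumes the environment variable names `GITLAB_URL`, `ADMIN_TOKEN`, `USER_TOKEN`, `GROUP_ID`, `PROJECT_ID`, `USER_ID` and `BASE_ACCESS_LEVEL` (all hypothetical), and it replaces the UI Export button with the vulnerability export API endpoint `POST /security/projects/:id/vulnerability_exports`, which the MR text does not exercise. What it adds over the manual steps is the before/after contrast: the check fails unless the Guest is denied the export before the member role is attached and allowed only after it.

```shell
#!/bin/sh
# Added example for this MR page (not GitLab's code, not part of the MR):
# scripts the "validate locally" steps and asserts that the custom role is
# what unlocks vulnerability exports for a Guest member.
#
# Assumed environment (hypothetical names; set them for your GDK):
#   GITLAB_URL         e.g. https://gdk.test:3443
#   ADMIN_TOKEN        PAT with api scope for a group Owner (creates the role)
#   USER_TOKEN         PAT with api scope for the Guest user under test
#   GROUP_ID, PROJECT_ID, USER_ID
#   BASE_ACCESS_LEVEL  10 = Guest, 20 = Reporter
# Export check: POST /security/projects/:id/vulnerability_exports, the API
# behind the Export button (assumed here; the MR text only clicks the button).

# JSON body for POST /groups/:id/member_roles
member_role_payload() {
  printf '{"base_access_level": %s, "read_vulnerability": true}' "$1"
}

# JSON body for PUT /projects/:id/members/:user_id (role id, access level)
member_payload() {
  printf '{"member_role_id": %s, "access_level": %s}' "$1" "$2"
}

# _curl METHOD TOKEN PATH [JSON]; $CURL_OPTS is split on purpose.
_curl() {
  if [ -n "${4:-}" ]; then
    curl -sS $CURL_OPTS -X "$1" -H "Authorization: Bearer $2" \
      -H "Content-Type: application/json" --data "$4" "$GITLAB_URL/api/v4$3"
  else
    curl -sS $CURL_OPTS -X "$1" -H "Authorization: Bearer $2" "$GITLAB_URL/api/v4$3"
  fi
}
# api_status prints only the HTTP status code; api_json prints the body.
api_status() { CURL_OPTS='-o /dev/null -w %{http_code}'; _curl "$@"; }
api_json()   { CURL_OPTS=''; _curl "$@"; }

# Runs the procedure end to end. Returns 0 only if the Guest is denied the
# export before the role is attached and allowed afterwards.
validate_flow() {
  export_path="/security/projects/$PROJECT_ID/vulnerability_exports"

  before=$(api_status POST "$USER_TOKEN" "$export_path")
  case "$before" in
    2*) echo "FAIL: export already allowed before the custom role ($before)"; return 1 ;;
  esac
  echo "ok: export denied without the role ($before)"

  # The role id is the first "id" in the response; "group_id" does not match.
  role_id=$(api_json POST "$ADMIN_TOKEN" "/groups/$GROUP_ID/member_roles" \
              "$(member_role_payload "$BASE_ACCESS_LEVEL")" \
            | grep -o '"id":[0-9]*' | head -n 1 | cut -d: -f2)
  [ -n "$role_id" ] || { echo "FAIL: member role not created"; return 1; }
  echo "ok: member role $role_id created"

  put=$(api_status PUT "$ADMIN_TOKEN" "/projects/$PROJECT_ID/members/$USER_ID" \
          "$(member_payload "$role_id" "$BASE_ACCESS_LEVEL")")
  case "$put" in
    2*) echo "ok: role attached to user $USER_ID" ;;
    *)  echo "FAIL: attaching the role returned $put"; return 1 ;;
  esac

  after=$(api_status POST "$USER_TOKEN" "$export_path")
  case "$after" in
    2*) echo "ok: export created with the custom role ($after)"; return 0 ;;
    *)  echo "FAIL: export still denied with the custom role ($after)"; return 1 ;;
  esac
}

# Only talk to a real instance when explicitly asked.
if [ "${RUN_VALIDATION:-0}" = 1 ]; then
  validate_flow
fi
```

Run it as `RUN_VALIDATION=1 GITLAB_URL=https://gdk.test:3443 ADMIN_TOKEN=... USER_TOKEN=... GROUP_ID=... PROJECT_ID=... USER_ID=... BASE_ACCESS_LEVEL=10 sh validate_custom_role.sh`. `api_status` and `api_json` are the only places curl is called, so they can be redefined to exercise the control flow offline, including the negative case where a server wrongly allows the export before the role is attached.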
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- [ ] I have evaluated the MR acceptance checklist for this MR.
Related to #399122 (closed)