Skip to content

Add ability to read_vulnerability to custom roles

Jarka Košanová requested to merge 399119-read-vuln-permissions into master

What does this MR do and why?

This MR re-introduces adding the read_vulnerability permission to Custom roles without the performance problem. It was reviewed by multiple people in the original MR, including database.

Why was the original MR reverted

Merging !114734 (merged) caused a performance problem.

The problem was in the scope MemberRole.elevating. We fixed this by moving the code under elevated_guests Feature Flag.

We have an issue to fix the performance problem.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

  1. Enable feature flag Feature.enable(:custom_roles_vulnerability)

  2. Creates a personal access token with the API scope.

  3. Pick a group with at least one project (project), pick a user who is member of this project (gues access level) - user

  4. Check if a user can access the vulnerability page of the project (eg. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report), they should not be able to access it

  5. Create a custom role using the API: https://docs.gitlab.com/ee/api/member_roles.html#add-a-member-role-to-a-group

    • curl --request POST --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"base_access_level" : 10, "read_vulnerability" : true}' "https://gdk.test:3443/api/v4/groups/$YOUR_GROUP_ID/member_roles"

    • You can also test with base_access_level = 10 which should not work (minimal base access level is reporter)

  6. Associates the member with the role using the Group and Project Members API endpoint

    • curl --request PUT --header "Content-Type: application/json" --header "Authorization: Bearer $YOUR_ACCESS_TOKEN" --data '{"member_role_id": '$MEMBER_ROLE_ID', "access_level": 10}' "https://example.gitlab.com/api/v4/projects/$ID/members/$GUEST_USER_ID"

  7. Check if a user can access the vulnerability page of the project (eg. https://gdk.test:3443/flightjs/Flight/-/security/vulnerability_report), they should be able to access it

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #399119 (closed)

Edited by Jarka Košanová

Merge request reports