
Hide vulnerability dismiss buttons for users with developer role

What does this MR do and why?

On the pipeline security tab, a vulnerability table is shown:

[Screenshot: vulnerability table on the pipeline security tab]

We recently changed the Developer role so that it can no longer admin vulnerabilities, where "admin vulnerabilities" means the ability to change the vulnerability status, most notably dismissing and undismissing it. This MR hides the dismiss/undismiss actions when the user has permission to see the report but not to admin it. It makes the following changes:

  1. The table header no longer shows the "select all" checkbox, and each row no longer shows the bulk select checkbox:

     [Screenshots: before and after]

  2. The finding modal no longer shows the Dismiss/Undo dismiss buttons:

     [Screenshots: before and after]

How to set up and validate locally

  1. Enable the feature flag disable_developer_access_to_admin_vulnerability.
  2. Clone this project: https://gitlab.com/gitlab-examples/security/security-reports
  3. Run a pipeline against the master branch.
  4. Add a user to the project and assign them the Developer role.
  5. Impersonate or log in as the user and go to the pipeline details page. Click on the security tab.
  6. Verify that the table and finding modal do not show the dismiss actions.
  7. Log back in as the admin user. Change the user's role to Maintainer or Owner.
  8. Log back in as the user and verify that the table and finding modal show the dismiss actions.
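The role and feature-flag matrix that the description and the validation steps above describe, as an added JavaScript example (not GitLab's own frontend code). The role names, the flag name, and the two UI decisions are taken from this MR; the `vulnerabilityPermissions` helper and its behaviour for roles not named here are assumptions.

```javascript
// Added example (not GitLab's code): derive the pipeline security tab's
// dismiss-related UI state from a user's role and the feature flag named
// in this MR. Only the roles the validation steps mention are modelled.
const READ_REPORT_ROLES = new Set(['developer', 'maintainer', 'owner']);
const ADMIN_VULNERABILITY_ROLES = new Set(['maintainer', 'owner']);

// Returns the permission pair the UI renders against. While the flag
// disable_developer_access_to_admin_vulnerability is OFF, Developer keeps
// the legacy ability to admin vulnerabilities (assumption from the steps).
function vulnerabilityPermissions(role, flags) {
  const canReadReport = READ_REPORT_ROLES.has(role);
  let canAdmin = ADMIN_VULNERABILITY_ROLES.has(role);
  if (role === 'developer' && !flags.disable_developer_access_to_admin_vulnerability) {
    canAdmin = true; // legacy behaviour before the role change
  }
  return { canReadReport, canAdminVulnerability: canReadReport && canAdmin };
}

// The two UI decisions this MR makes: bulk-select checkboxes in the table
// header and rows, and the Dismiss / Undo dismiss buttons in the finding
// modal. Both are gated on admin permission, not merely on read access.
function securityTabView(role, flags) {
  const p = vulnerabilityPermissions(role, flags);
  return {
    showTable: p.canReadReport,
    showSelectAllCheckbox: p.canAdminVulnerability,
    showRowCheckboxes: p.canAdminVulnerability,
    findingModalActions: p.canAdminVulnerability ? ['dismiss', 'undoDismiss'] : [],
  };
}

// Stand-alone run: prints the view a Developer gets with the flag enabled.
const flagOn = { disable_developer_access_to_admin_vulnerability: true };
console.log(securityTabView('developer', flagOn));
```

Hiding the controls keeps the UI consistent with the earlier server-side role change; the role change itself is what enforces the restriction, so the hidden buttons are presentation, not the access control.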

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #432487 (closed)

Edited by Daniel Tian
