Draft: Switch MR dismissal url checks to ability checks
What does this MR do and why?
Switch MR dismissal url checks to ability checks
In two contexts where we show 'Dismiss' buttons for vulnerabilities / findings (the Pipeline -> Security tab and the Merge Request Security Widget), the decision whether to show the 'Dismiss' button is made based on the absence or presence of a URL on the vulnerability data.

These URLs point to the deprecated Projects::VulnerabilityFeedbackController.

The 'Dismiss' buttons no longer use this controller; they now use GraphQL mutations. Both of those mutations use the :admin_vulnerability permission to authorize the user.

This change pushes whether the user has the :admin_vulnerability permission to the frontend and determines whether or not to show the buttons based on this instead of the presence or absence of deprecated URLs.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
Before | After |
---|---|
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
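The following is an added, stand-alone illustration of the point made in the description above; it is not GitLab's code and does not come from this MR. It models both decision rules side by side: the legacy rule (show 'Dismiss' when a dismissal URL is present on the finding) and the new rule (show 'Dismiss' when the backend says the user holds :admin_vulnerability), next to the check the mutation itself performs. The role table `ROLE_ABILITIES`, the `can?` helper, the `Finding` and `User` structs, `serialize_finding`, `dismiss!` and `compare` are all assumptions made for this example, as is the premise that in the legacy model the URL is carried on the finding regardless of who is viewing it.

```ruby
require 'set'

# Constructed role -> abilities table standing in for a policy layer.
# Assumption for this example: only maintainers hold :admin_vulnerability.
ROLE_ABILITIES = {
  guest:      Set[:read_vulnerability],
  developer:  Set[:read_vulnerability, :create_vulnerability_feedback],
  maintainer: Set[:read_vulnerability, :create_vulnerability_feedback, :admin_vulnerability]
}.freeze

User = Struct.new(:name, :role)

# A finding as the frontend used to receive it: the legacy dismissal URL is
# carried on the record itself. Assumption: in this model the URL is present
# whenever the deprecated route exists, independent of who is viewing.
Finding = Struct.new(:id, :dismissal_feedback_path)

# Hypothetical stand-in for a policy check such as can?(user, :admin_vulnerability).
def can?(user, ability)
  ROLE_ABILITIES.fetch(user.role, Set.new).include?(ability)
end

# Legacy decision: show "Dismiss" whenever a dismissal URL is present.
def legacy_show_dismiss?(finding)
  path = finding.dismissal_feedback_path
  !(path.nil? || path.empty?)
end

# Ability-based decision: the backend serializes a boolean computed from the
# permission, and the frontend shows "Dismiss" only when it is true.
def serialize_finding(user, finding)
  { id: finding.id, can_admin_vulnerability: can?(user, :admin_vulnerability) }
end

def show_dismiss?(serialized_finding)
  serialized_finding.fetch(:can_admin_vulnerability) == true
end

# What the dismissal mutation does server-side: the same ability check,
# so the button and the action it triggers agree on who is allowed.
def dismiss!(user, finding)
  raise ArgumentError, 'unauthorized' unless can?(user, :admin_vulnerability)

  { id: finding.id, state: :dismissed }
end

# Side-by-side comparison of the two UI decisions against the server's answer.
def compare(user, finding)
  {
    legacy_button: legacy_show_dismiss?(finding),
    ability_button: show_dismiss?(serialize_finding(user, finding)),
    mutation_allowed: can?(user, :admin_vulnerability)
  }
end

if __FILE__ == $PROGRAM_NAME
  dev = User.new('dev', :developer)
  maintainer = User.new('maint', :maintainer)
  with_url = Finding.new(1, '/group/project/vulnerability_feedback/1')
  without_url = Finding.new(2, nil)

  # Legacy shows a button whose mutation would be rejected.
  p compare(dev, with_url)
  # Legacy hides a button the user is actually allowed to use.
  p compare(maintainer, without_url)
end
```

The two divergent cases are the ones worth keeping in mind when reviewing: a URL-presence check can disagree with the mutation's own authorization in both directions, while the ability-based boolean is computed by the same policy the mutation enforces, so the button is shown exactly when the action would succeed.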