Prevent access to Dependency list via :read_vulnerability permission
What does this MR do and why?
This change resolves a bug that occurs when a user is a member of a custom role with the :read_vulnerability permission. This permission should provide access to the Vulnerability Report and Security Dashboard, but it should not provide access to the Dependency list. The change in this MR refactors the Group Policy to prevent this unintended access.
https://docs.gitlab.com/ee/user/custom_roles/abilities.html#vulnerability-management
role | provides |
---|---|
guest | |
reporter | |
auditor | :read_dependency, :read_vulnerability |
developer | :read_dependency, :read_vulnerability |
maintainer | :admin_vulnerability |

permission | provides |
---|---|
admin_vulnerability | read_vulnerability |
read_dependency | read_licenses |
read_vulnerability | read_group_security_dashboard |
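The two tables above describe an implication graph: a role grants abilities, and each ability can imply further abilities. The following toy evaluator is an added example and not GitLab's policy code; it encodes the tables as data, expands grants transitively, and checks the property this MR restores, namely that a custom role adding only :read_vulnerability reaches the Security Dashboard but never the Dependency list. The function names and the guest-plus-custom-role scenario are assumptions for illustration.

```ruby
require 'set'

# Role -> directly granted abilities (from the first table above).
ROLE_ABILITIES = {
  guest:      [],
  reporter:   [],
  auditor:    %i[read_dependency read_vulnerability],
  developer:  %i[read_dependency read_vulnerability],
  maintainer: %i[admin_vulnerability]
}.freeze

# Ability -> abilities it implies (from the second table above).
IMPLIED_BY = {
  admin_vulnerability: %i[read_vulnerability],
  read_dependency:     %i[read_licenses],
  read_vulnerability:  %i[read_group_security_dashboard]
}.freeze

# Expand directly granted abilities through IMPLIED_BY until nothing new
# is added (transitive closure). Hypothetical helper, not GitLab's API.
def expand(abilities)
  granted = Set.new(abilities)
  queue = abilities.dup
  until queue.empty?
    ability = queue.shift
    IMPLIED_BY.fetch(ability, []).each do |implied|
      queue << implied if granted.add?(implied)
    end
  end
  granted
end

# Abilities for a user holding a base role plus custom-role permissions.
def abilities_for(role:, custom_permissions: [])
  expand(ROLE_ABILITIES.fetch(role) + custom_permissions)
end

# The group Dependency list is gated on :read_dependency.
def can_view_dependency_list?(abilities)
  abilities.include?(:read_dependency)
end

# Regression check for this MR: a guest whose custom role adds only
# :read_vulnerability gets the dashboard but not the Dependency list.
def custom_role_isolated?
  abilities = abilities_for(role: :guest, custom_permissions: %i[read_vulnerability])
  abilities.include?(:read_group_security_dashboard) && !can_view_dependency_list?(abilities)
end

puts "custom role isolated: #{custom_role_isolated?}" if $PROGRAM_NAME == __FILE__
```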
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
How to set up and validate locally
- Create a custom role with the :read_dependency permission enabled.
- Assign the new role to a user.
- Log in as the new user.
- Visit the group level dependency list associated with the group that the role was created for.
- Ensure that the current user cannot access this page.
Edited by mo khan