Security patch upgrade alert: Only expose to admins
What does this MR do and why?
Hotfix to only expose security patch upgrade alerts to admins
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
Admin | |
User (auditor role) | |
– |
How to set up and validate locally
- Check out an older version of GitLab (e.g. with tag
git checkout v17.4.2-ee
) or apply the following patch:diff --git a/app/helpers/version_check_helper.rb b/app/helpers/version_check_helper.rb index 895155e00d16..9ecf34aec422 100644 --- a/app/helpers/version_check_helper.rb +++ b/app/helpers/version_check_helper.rb @@ -19,7 +19,7 @@ def gitlab_version_check def show_security_patch_upgrade_alert? return false unless gitlab_version_check - Gitlab::Utils.to_boolean(gitlab_version_check['critical_vulnerability']) + true end def link_to_version
- Log in as a user with
auditor
access level, you shouldn't see the security patch alert - Log in as an admin, you should see the security patch alert
Related to #474922, https://gitlab.com/gitlab-org/gitlab/-/issues/498659
Edited by Sascha Eggenberger