Skip to content

Do not display bulk selection when user is auditor

Savas Vedova requested to merge 300994-auditor-user-can-bulk-select into master

What does this MR do?

Currently an auditor user is able to bulk select vulnerabilities and change their status. This operation is blocked by the backend because they do not have write permissions.

This MR hides the bulk selection from auditor users.

Screenshots (strongly suggested)

when user is not auditor when user is auditor
non-auditor-user auditor-user

Steps to reproduce

  1. Create a User from Admin Area > Users
  2. Give it an Auditor role
  3. Go to your Project > Members
  4. Add the auditor user (give them an access role like Developer)
  5. Go back to Admin Area > Users and choose the newly created user. Impersonate it.
  6. Visit the Vulnerability Report page in your project.

Steps to display vulnerabilities

  1. Fork https://gitlab.com/gitlab-examples/security/security-reports/
  2. Run the pipeline
  3. Visit the Vulnerability Report page
  4. Make sure to have an EE license.

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team

Related to #300994 (closed)

Edited by Savas Vedova

Merge request reports

Loading