diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb index b92c04524dc9e9652b59b49d083c319ab27bac01..e51a9dec012f98a397f988833665def3c029d994 100644 --- a/ee/app/policies/ee/group_policy.rb +++ b/ee/app/policies/ee/group_policy.rb @@ -247,6 +247,11 @@ module GroupPolicy Ability.allowed?(@user, :developer_access, security_orchestration_policy_configuration.security_policy_management_project) end + condition(:developer_access_to_admin_vulnerability) do + ::Feature.disabled?(:disable_developer_access_to_admin_vulnerability, subject) && + can?(:developer_access) + end + rule { user_banned_from_namespace }.prevent_all rule { public_group | logged_in_viewable }.policy do @@ -470,6 +475,9 @@ module GroupPolicy rule { security_dashboard_enabled & developer }.policy do enable :read_group_security_dashboard + end + + rule { security_dashboard_enabled & (can?(:maintainer_access) | developer_access_to_admin_vulnerability) }.policy do enable :admin_vulnerability end diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb index 3ee7600382ada934b80833c00cbc0fa1eceb7862..6ff72a8180d60d4ffd423b902571fc00e24ecfcd 100644 --- a/ee/app/policies/ee/project_policy.rb +++ b/ee/app/policies/ee/project_policy.rb @@ -270,6 +270,11 @@ module ProjectPolicy ).has_ability? end + condition(:developer_access_to_admin_vulnerability) do + ::Feature.disabled?(:disable_developer_access_to_admin_vulnerability, subject&.group) && + can?(:developer_access) + end + with_scope :subject condition(:suggested_reviewers_available) do @subject.can_suggest_reviewers? @@ -449,7 +454,7 @@ module ProjectPolicy enable :read_vulnerability end - rule { can?(:read_security_resource) & can?(:developer_access) }.policy do + rule { can?(:read_security_resource) & (can?(:maintainer_access) | developer_access_to_admin_vulnerability) }.policy do enable :admin_vulnerability end 
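Review bot: The project-side `developer_access_to_admin_vulnerability` condition evaluates the flag against `subject&.group`, which is nil for a project in a personal namespace and is the immediate parent (not the top-level group) for a project in a subgroup, so a rollout that enables the flag for specific group actors would presumably not reach personal-namespace projects at all and would treat subgroups differently from their root group; the group-side condition checks `subject`, so a subgroup is likewise gated on its own actor. If the restriction is meant to be rolled out per top-level group, both conditions could evaluate `::Feature.disabled?(:disable_developer_access_to_admin_vulnerability, subject.root_ancestor)`, which also avoids passing a nil actor; please check against how the rollout issue intends to target the flag. A one-line comment above each condition stating the inversion (`# Flag is a kill switch for legacy developer access; once fully enabled only maintainer+ and custom roles keep :admin_vulnerability`) would help, since `Feature.disabled?` on a flag named `disable_*` is a double negative at the read site. The enclosing `GroupPolicy` and `ProjectPolicy` modules start and end outside these hunks.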
diff --git a/ee/config/feature_flags/development/disable_developer_access_to_admin_vulnerability.yml b/ee/config/feature_flags/development/disable_developer_access_to_admin_vulnerability.yml new file mode 100644 index 0000000000000000000000000000000000000000..999fe673f5692fbf9b34e66c3c249b7b6b5cca12 --- /dev/null +++ b/ee/config/feature_flags/development/disable_developer_access_to_admin_vulnerability.yml @@ -0,0 +1,8 @@ +--- +name: disable_developer_access_to_admin_vulnerability +introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/134579 +rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/429122 +milestone: '16.6' +type: development +group: group::authorization +default_enabled: false diff --git a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb index e0155e59547f4b99c4c49eb4cdb1e5c667bf8446..f1c7356bba6aafc49a6874e8a3ead9f55921ae6c 100644 --- a/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb +++ b/ee/spec/controllers/projects/security/vulnerabilities_controller_spec.rb @@ -10,7 +10,7 @@ render_views before do - group.add_developer(user) + group.add_maintainer(user) stub_licensed_features(security_dashboard: true) sign_in(user) end diff --git a/ee/spec/features/projects/security/vulnerability_report_spec.rb b/ee/spec/features/projects/security/vulnerability_report_spec.rb index 4d71ecb66992344cd5d5d6bd33517ef977ebc4ec..4278f3189581cc6fa9fe984214cab6c01fa46f03 100644 --- a/ee/spec/features/projects/security/vulnerability_report_spec.rb +++ b/ee/spec/features/projects/security/vulnerability_report_spec.rb @@ -61,7 +61,7 @@ security_dashboard: true, sast: true ) - project.add_developer(user) + project.add_maintainer(user) sign_in(user) end 
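Review bot: With `default_enabled: false` here and both policy conditions gating on `Feature.disabled?`, the tightening is off in production until the flag is enabled, whereas the updated specs assert the denied path by default and stub the flag to `false` only to reach the allowed path, so the tested default is the opposite of the shipped default; that is the normal rollout shape, but it is worth stating in the rollout issue so nobody assumes developers have already lost `admin_vulnerability`. The name `disable_developer_access_to_admin_vulnerability` combined with `Feature.disabled?` makes every call site a double negative; a positively named flag (for example one that reads as "restrict admin_vulnerability to maintainers") checked with `Feature.enabled?` would read as a single condition. If the name is kept, the inversion should be spelled out in a comment wherever the flag is read.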
diff --git a/ee/spec/graphql/mutations/security/finding/create_merge_request_spec.rb b/ee/spec/graphql/mutations/security/finding/create_merge_request_spec.rb index 3fdcc237dd228be09ee7edaa19fc628bdcef00ef..43e1ed22a741a1fbde7d741bfb933f4493bf9ee2 100644 --- a/ee/spec/graphql/mutations/security/finding/create_merge_request_spec.rb +++ b/ee/spec/graphql/mutations/security/finding/create_merge_request_spec.rb @@ -124,10 +124,18 @@ project.add_developer(current_user) end - it 'returns an error' do - response = execute - expect(response[:errors]).not_to be_empty - expect(response[:merge_request]).to be_blank + it { expect { execute }.to raise_error(Gitlab::Graphql::Errors::ResourceNotAvailable) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it 'returns an error' do + response = execute + expect(response[:errors]).not_to be_empty + expect(response[:merge_request]).to be_blank + end end end end diff --git a/ee/spec/graphql/mutations/security/finding/dismiss_spec.rb b/ee/spec/graphql/mutations/security/finding/dismiss_spec.rb index 8dcf3ede0a902befd347886e3c320e3837f0cb34..aba11e277607c3c9805c4feb5087553d0c3d051c 100644 --- a/ee/spec/graphql/mutations/security/finding/dismiss_spec.rb +++ b/ee/spec/graphql/mutations/security/finding/dismiss_spec.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true require 'spec_helper' -RSpec.describe Mutations::Security::Finding::Dismiss do +RSpec.describe Mutations::Security::Finding::Dismiss, feature_category: :vulnerability_management do include GraphqlHelpers let(:mutation) { described_class.new(object: nil, context: { current_user: user }, field: nil) } @@ -38,7 +38,7 @@ context 'when the user has access to the project' do before do - security_finding.project.add_developer(user) + security_finding.project.add_maintainer(user) end context 'when the dismissal is successful' do 
diff --git a/ee/spec/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb index a29202062a5cd4172094015248cc8e1ffd8decdc..a70fac66a5cb0b6deb12772ea067db69243a9148 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb @@ -19,7 +19,7 @@ end before_all do - project.add_developer(user) + project.add_maintainer(user) end subject do diff --git a/ee/spec/graphql/mutations/vulnerabilities/confirm_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/confirm_spec.rb index 4f2cd7833af68f3e771420e830039055a903af4d..2a861b1348e82958cb6ed20feba39f5c5972637b 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/confirm_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/confirm_spec.rb @@ -34,7 +34,7 @@ context 'when user has access to the project', :aggregate_failures do before do - vulnerability.project.add_developer(user) + vulnerability.project.add_maintainer(user) end context 'when comment is not provided' do diff --git a/ee/spec/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb index c544b3de51237a7311721d37d0d26b83248c9ac9..d88a4095a357e6b790a07c9aab9a10d4d4dda145 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb @@ -24,7 +24,7 @@ context 'when user has access to the project' do before do - vulnerability.project.add_developer(user) + vulnerability.project.add_maintainer(user) allow_next_instance_of(::VulnerabilityExternalIssueLinks::CreateService) do |create_service| allow(create_service).to receive(:execute).and_return(result) end 
diff --git a/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb index 744812c4a39abcd9228ea9da9e9362efe51ab07c..509a286136ca5f7f6238d7078f0f5947634ec3b8 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/create_spec.rb @@ -4,7 +4,7 @@ RSpec.describe Mutations::Vulnerabilities::Create, feature_category: :vulnerability_management do include GraphqlHelpers let_it_be_with_reload(:project) { create(:project) } - let_it_be(:user) { create(:user).tap { |user| project.add_developer(user) } } + let_it_be(:user) { create(:user).tap { |user| project.add_maintainer(user) } } let(:mutated_vulnerability) { subject[:vulnerability] } diff --git a/ee/spec/graphql/mutations/vulnerabilities/dismiss_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/dismiss_spec.rb index 12df1b8831c2a7c0264b26e46e22d07218f3d085..c223c2a6c106c15de8b6c6dbf56cbfafe989ddfa 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/dismiss_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/dismiss_spec.rb @@ -29,7 +29,7 @@ context 'when user has access to the project' do before do - vulnerability.project.add_developer(user) + vulnerability.project.add_maintainer(user) end it 'returns the dismissed vulnerability' do diff --git a/ee/spec/graphql/mutations/vulnerabilities/resolve_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/resolve_spec.rb index 71c18e446c8c2ec3422fa16a211b27b5721cb083..6c2260e2e908a4582cf09ab86fa4ad7bac1df242 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/resolve_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/resolve_spec.rb @@ -27,7 +27,7 @@ context 'when user has access to the project', :aggregate_failures do before do - vulnerability.project.add_developer(user) + vulnerability.project.add_maintainer(user) end it 'returns the resolved vulnerability' do 
diff --git a/ee/spec/graphql/mutations/vulnerabilities/revert_to_detected_spec.rb b/ee/spec/graphql/mutations/vulnerabilities/revert_to_detected_spec.rb index 442253dc85fd30d91c00ae5b9ab708406f2afc29..010a930ec01059b43ac3b2ea8c84ab493191d9d1 100644 --- a/ee/spec/graphql/mutations/vulnerabilities/revert_to_detected_spec.rb +++ b/ee/spec/graphql/mutations/vulnerabilities/revert_to_detected_spec.rb @@ -35,7 +35,7 @@ context 'when user has access to the project' do before do - vulnerability.project.add_developer(user) + vulnerability.project.add_maintainer(user) end context 'and no comment is provided' do diff --git a/ee/spec/helpers/security_helper_spec.rb b/ee/spec/helpers/security_helper_spec.rb index d824bc9e90040606ebe4063f07a6c40c2e0bd392..b61702187e8acec1e98e3d342bf2fbbe852d2a21 100644 --- a/ee/spec/helpers/security_helper_spec.rb +++ b/ee/spec/helpers/security_helper_spec.rb @@ -2,7 +2,7 @@ require 'spec_helper' -RSpec.describe SecurityHelper do +RSpec.describe SecurityHelper, feature_category: :vulnerability_management do describe '#instance_security_dashboard_data' do let_it_be(:group) { create(:group) } let_it_be(:has_group) { true } diff --git a/ee/spec/helpers/vulnerabilities_helper_spec.rb b/ee/spec/helpers/vulnerabilities_helper_spec.rb index 7c705ff612ddf8f96c8028aa3d667770c20bbc27..d0a5dcb7e06d2613d596c027b159db9b1f442836 100644 --- a/ee/spec/helpers/vulnerabilities_helper_spec.rb +++ b/ee/spec/helpers/vulnerabilities_helper_spec.rb @@ -104,7 +104,7 @@ context 'when user can manage related issues' do before do - project.add_developer(user) + project.add_maintainer(user) end it { is_expected.to include(can_modify_related_issues: true) } @@ -132,7 +132,7 @@ context 'when user can admin vulnerabilities' do before do - project.add_developer(user) + project.add_maintainer(user) end it { is_expected.to include(can_admin: true) } 
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb index ab9ed2b70e286147ad6dfa9f9780626418e6dd3b..611f416ba6b63533e16941254fea0ef543df8503 100644 --- a/ee/spec/policies/group_policy_spec.rb +++ b/ee/spec/policies/group_policy_spec.rb @@ -1505,7 +1505,15 @@ def stub_group_saml_config(enabled) context 'with developer' do let(:current_user) { developer } - it { is_expected.to be_allowed(:admin_vulnerability) } + it { is_expected.to be_disallowed(:admin_vulnerability) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { is_expected.to be_allowed(:admin_vulnerability) } + end end context 'with maintainer' do @@ -1520,6 +1528,12 @@ def stub_group_saml_config(enabled) it { is_expected.to be_allowed(:admin_vulnerability) } end + context 'with admin', :enable_admin_mode do + let(:current_user) { admin } + + it { is_expected.to be_allowed(:admin_vulnerability) } + end + context 'with auditor' do let(:current_user) { auditor } @@ -1540,7 +1554,15 @@ def stub_group_saml_config(enabled) group.add_developer(auditor) end - it { is_expected.to be_allowed(:admin_vulnerability) } + it { is_expected.to be_disallowed(:admin_vulnerability) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { is_expected.to be_allowed(:admin_vulnerability) } + end end end end diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb index 534112338d1dd926f31239d55038c362388b2b17..a63a038d9386cf98f3300d19c5dc023cb8dd74ca 100644 --- a/ee/spec/policies/project_policy_spec.rb +++ b/ee/spec/policies/project_policy_spec.rb 
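Review bot: The new `with admin` context only asserts the `:enable_admin_mode` case, so nothing pins that an administrator outside admin mode is still disallowed `:admin_vulnerability`, which matters more now that developers lose the ability by default; a sibling `context 'with admin without admin mode'` with `it { is_expected.to be_disallowed(:admin_vulnerability) }` would cover it, assuming this policy follows the usual admin-mode gating. The repeated context name 'with `disable_developer_access_to_admin_vulnerability` disabled' is itself a double negative; naming it by effect, for example `context 'when developers retain admin_vulnerability access'`, makes the `be_allowed` expectation read correctly. The `describe` blocks these contexts sit in start outside the hunks.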
@@ -2340,8 +2340,8 @@ def expect_private_project_permissions_as_if_non_member end describe 'inviting a group' do - let(:current_user) { developer } - let(:project) { public_project } + let_it_be_with_reload(:current_user) { developer } + let_it_be_with_reload(:project) { public_project } let_it_be(:banned_group) { create(:group) } let_it_be(:banned_subgroup) { create(:group, parent: banned_group) } @@ -3117,6 +3117,50 @@ def create_member_role(member, abilities = member_role_abilities) end end + describe "#admin_vulnerability" do + before do + stub_licensed_features(security_dashboard: true) + end + + context "with guest" do + let(:current_user) { guest } + + it { is_expected.to be_disallowed(:admin_vulnerability) } + end + + context "with reporter" do + let(:current_user) { reporter } + + it { is_expected.to be_disallowed(:admin_vulnerability) } + end + + context "with developer" do + let(:current_user) { developer } + + it { is_expected.to be_disallowed(:admin_vulnerability) } + + context "with `disable_developer_access_to_admin_vulnerability` disabled" do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { is_expected.to be_allowed(:admin_vulnerability) } + end + end + + context "with maintainer" do + let(:current_user) { maintainer } + + it { is_expected.to be_allowed(:admin_vulnerability) } + end + + context "with owner" do + let(:current_user) { owner } + + it { is_expected.to be_allowed(:admin_vulnerability) } + end + end + describe 'read_observability_metrics policy' do let(:current_user) { reporter } diff --git a/ee/spec/requests/api/graphql/mutations/security/finding/create_issue_spec.rb b/ee/spec/requests/api/graphql/mutations/security/finding/create_issue_spec.rb index a9c2cd4e5de6ca95a2016c25f0b12c9539214f45..7b4f0730f789983f2083673f360ceaa3f6c06c36 100644 --- a/ee/spec/requests/api/graphql/mutations/security/finding/create_issue_spec.rb 
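Review bot: The new `#admin_vulnerability` describe covers guest through owner but leaves out the cases the group policy spec checks (`admin` in admin mode, `auditor`, an auditor added as developer) as well as a non-member and an anonymous user, and none of the contexts exercise the nil-group path the policy condition introduces via `subject&.group` for a project in a personal namespace. Adding `context 'with auditor'` and `context 'with non-member'` expecting `be_disallowed(:admin_vulnerability)`, plus a context that builds a project without a group and expects a developer to be disallowed, would pin those behaviours and keep the project spec in step with the group spec. The first hunk's switch of `current_user` and `project` to `let_it_be_with_reload` is presumably for spec speed; a short comment on why reload is required there would help the next reader. The enclosing `describe` starts outside the hunk.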
+++ b/ee/spec/requests/api/graphql/mutations/security/finding/create_issue_spec.rb @@ -62,7 +62,7 @@ context 'when the user has permission' do before do - project.add_developer(current_user) + project.add_maintainer(current_user) end context 'with valid parameters' do diff --git a/ee/spec/requests/api/graphql/mutations/security/finding/revert_to_detected_spec.rb b/ee/spec/requests/api/graphql/mutations/security/finding/revert_to_detected_spec.rb index 83cc2ca82f43cf3c1baa6c9bf7dd68a01a658198..3082b37abc1e4893793a3a4d116917bcbf2fed33 100644 --- a/ee/spec/requests/api/graphql/mutations/security/finding/revert_to_detected_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/security/finding/revert_to_detected_spec.rb @@ -68,7 +68,7 @@ end before do - security_finding.project.add_developer(current_user) + security_finding.project.add_maintainer(current_user) end shared_examples 'properly sets the security finding state' do diff --git a/ee/spec/requests/api/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb b/ee/spec/requests/api/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb index 61103843be911889f42054538f06b464d0cd6350..e7e5929243cf9900a59e69a99ccf7d47778c27fd 100644 --- a/ee/spec/requests/api/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb +++ b/ee/spec/requests/api/graphql/mutations/vulnerabilities/bulk_dismiss_spec.rb @@ -34,7 +34,7 @@ def mutation_response context "when the user has access" do before_all do - project.add_developer(current_user) + project.add_maintainer(current_user) end context "when security_dashboard is disabled" do diff --git a/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb b/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb index 488e0a6aee4a497eef07a0c06202a1dbc813d8e6..eb2ac7fc47b06d904c5687b8449ccbb5e1c6f40e 100644 --- a/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb 
+++ b/ee/spec/requests/api/graphql/mutations/vulnerabilities/create_external_issue_link_spec.rb @@ -36,7 +36,7 @@ def mutation_response context 'when the user has permission' do before do - vulnerability.project.add_developer(current_user) + vulnerability.project.add_maintainer(current_user) end context 'when security_dashboard is disabled' do diff --git a/ee/spec/requests/api/vulnerabilities_spec.rb b/ee/spec/requests/api/vulnerabilities_spec.rb index 2e306cb4628e47c8c9a74757ca099069ba51e790..879e9f5aafc6443c7d03ea8798b2ae47fadc9341 100644 --- a/ee/spec/requests/api/vulnerabilities_spec.rb +++ b/ee/spec/requests/api/vulnerabilities_spec.rb @@ -21,7 +21,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'returns all vulnerabilities of a project', :aggregate_failures do @@ -72,7 +72,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'returns the desired vulnerability', :aggregate_failures do @@ -119,7 +119,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'creates a vulnerability from finding and attaches it to the vulnerability', :aggregate_failures do 
@@ -171,12 +171,20 @@ it { expect { create_vulnerability }.to be_allowed_for(:admin) } it { expect { create_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { create_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { create_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { create_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { create_vulnerability }.to be_denied_for(:auditor) } it { expect { create_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { create_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { create_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { create_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end @@ -194,7 +202,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it_behaves_like 'responds with "not found" for an unknown vulnerability ID' 
@@ -246,12 +254,20 @@ it { expect { dismiss_vulnerability }.to be_allowed_for(:admin) } it { expect { dismiss_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { dismiss_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { dismiss_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:auditor) } it { expect { dismiss_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end @@ -269,7 +285,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'resolves a vulnerability and its associated findings', :freeze_time, :aggregate_failures do 
@@ -319,12 +335,20 @@ it { expect { resolve_vulnerability }.to be_allowed_for(:admin) } it { expect { resolve_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { resolve_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { resolve_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:auditor) } it { expect { resolve_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end @@ -347,7 +371,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'confirms a vulnerability and its associated findings', :freeze_time, :aggregate_failures do 
@@ -381,12 +405,20 @@ it { expect { confirm_vulnerability }.to be_allowed_for(:admin) } it { expect { confirm_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { confirm_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { confirm_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:auditor) } it { expect { confirm_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end @@ -409,7 +441,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'reverts a vulnerability and its associated findings to detected state', :freeze_time, :aggregate_failures do 
@@ -473,12 +505,20 @@ it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:admin) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:owner).of(project) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:maintainer).of(project) } - it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) } + it { expect { revert_vulnerability_to_detected }.to be_denied_for(:developer).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:auditor) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:reporter).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:guest).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) } + end end end end diff --git a/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb b/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb index 4e834dbe6e4ed3f5f0e71bd40b20bc9819e85631..b300f7d477de2b47808f4ba2b0672a6ebe5e0ab3 100644 --- a/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb +++ b/ee/spec/requests/custom_roles/admin_vulnerability/request_spec.rb 
@@ -29,6 +29,119 @@ end end + describe Mutations::Security::Finding::CreateIssue do + include GraphqlHelpers + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:security_finding_create_issue, { + project: project.to_global_id.to_s, + uuid: SecureRandom.uuid + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:security_finding_create_issue) + expect(mutation_response).to be_present + expect(mutation_response['errors']).to be_empty + end + end + + describe Mutations::Security::Finding::CreateMergeRequest do + include GraphqlHelpers + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:security_finding_create_merge_request, { + uuid: SecureRandom.uuid + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:security_finding_create_merge_request) + expect(mutation_response).to be_present + expect(mutation_response['errors']).to be_empty + end + end + + describe Mutations::Security::Finding::Dismiss do + include GraphqlHelpers + + let_it_be(:pipeline) { create(:ee_ci_pipeline, project: project) } + let_it_be(:build) { create(:ci_build, :success, project: project, pipeline: pipeline) } + let_it_be(:scan) { create(:security_scan, build: build) } + let_it_be(:security_finding) do + create(:security_finding, :with_finding_data, scan: scan, remediation_byte_offsets: [{ + "start_byte" => 0, + "end_byte" => 1 + }]) + end + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:security_finding_dismiss, { + uuid: security_finding.uuid, + comment: "dismissal feedback", + dismissal_reason: "USED_IN_TESTS" + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:security_finding_dismiss) + expect(mutation_response).to be_present + 
expect(mutation_response["securityFinding"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Security::Finding::RevertToDetected do + include GraphqlHelpers + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:security_finding_revert_to_detected, { + uuid: SecureRandom.uuid + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:security_finding_revert_to_detected) + expect(mutation_response).to be_present + expect(mutation_response['errors']).to be_empty + end + end + + describe Mutations::Vulnerabilities::BulkDismiss do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, :with_findings, project: project) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerabilities_dismiss, { + vulnerability_ids: [vulnerability.to_global_id.to_s], + comment: 'Dismissal Feedback', + dismissal_reason: 'USED_IN_TESTS' + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerabilities_dismiss) + expect(mutation_response).to be_present + expect(mutation_response["vulnerabilities"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::Confirm do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, :with_findings, project: project) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_confirm, { + id: vulnerability.to_global_id.to_s, + comment: "A comment" + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_confirm) + expect(mutation_response).to be_present + expect(mutation_response["vulnerability"]).to be_present + 
expect(mutation_response["errors"]).to be_empty + end + end + describe Mutations::Vulnerabilities::Create do include GraphqlHelpers 
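Review bot: The `pending` examples for `CreateIssue`, `CreateMergeRequest` and `RevertToDetected` pass `uuid: SecureRandom.uuid`, a value that matches no `security_finding`, so even once authorization is sorted out they would fail on a missing record rather than demonstrate that the custom role grants access; they should build a real finding the way the `Finding::Dismiss` example does (`pipeline`, `build`, `scan`, `security_finding`) and pass `security_finding.uuid`. Because developers now lose `:admin_vulnerability` by default, the pending status of the finding-level mutations means custom-role holders have no verified path to those actions; recording the blocking reason in each `pending` string would make the gap traceable. The `RSpec.describe` these blocks sit in starts outside the hunk.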
@@ -57,6 +170,123 @@ expect(response).to have_gitlab_http_status(:success) mutation_response = graphql_mutation_response(:vulnerability_create) + expect(mutation_response).to be_present + expect(mutation_response["vulnerability"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::CreateExternalIssueLink do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, project: project) } + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_external_issue_link_create, { + id: vulnerability.to_global_id.to_s, + link_type: 'CREATED', + external_tracker: 'JIRA' + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_external_issue_link_create) + expect(mutation_response).to be_present + expect(mutation_response["externalIssueLink"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::CreateIssueLink do + include GraphqlHelpers + + let_it_be(:issue) { create(:issue, project: project) } + let_it_be(:vulnerability) { create(:vulnerability, project: project) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_issue_link_create, { + issue_id: issue.to_global_id.to_s, + vulnerability_ids: [vulnerability.to_global_id.to_s] + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_issue_link_create) + expect(mutation_response).to be_present + expect(mutation_response["issueLinks"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::DestroyExternalIssueLink do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, project: project) } + let_it_be(:external_issue_link) { 
create(:vulnerabilities_external_issue_link, vulnerability: vulnerability) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_external_issue_link_destroy, { + id: external_issue_link.to_global_id.to_s + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_external_issue_link_destroy) + expect(mutation_response).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::Dismiss do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, :with_findings, project: project) } + + pending "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_dismiss, { + id: vulnerability.to_global_id.to_s, + comment: "comment", + dismissal_reason: "USED_IN_TESTS" + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_dismiss) + expect(mutation_response).to be_present + expect(mutation_response["vulnerability"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::Resolve do + include GraphqlHelpers + + let_it_be(:vulnerability) { create(:vulnerability, :with_findings, project: project) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_resolve, { + id: vulnerability.to_global_id.to_s, + comment: "resolved" + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_resolve) + expect(mutation_response).to be_present + expect(mutation_response["vulnerability"]).to be_present + expect(mutation_response["errors"]).to be_empty + end + end + + describe Mutations::Vulnerabilities::RevertToDetected do + include GraphqlHelpers + + let_it_be(:vulnerability) { 
create(:vulnerability, :dismissed, :with_findings, project: project) } + + it "has access via a custom role" do + post_graphql_mutation(graphql_mutation(:vulnerability_revert_to_detected, { + id: vulnerability.to_global_id.to_s, + comment: "comment" + }), current_user: user) + + expect(response).to have_gitlab_http_status(:success) + mutation_response = graphql_mutation_response(:vulnerability_revert_to_detected) + expect(mutation_response).to be_present expect(mutation_response["vulnerability"]).to be_present expect(mutation_response["errors"]).to be_empty end diff --git a/ee/spec/services/security/findings/dismiss_service_spec.rb b/ee/spec/services/security/findings/dismiss_service_spec.rb index 5282f056deb01c177b263c9cde1b40e60051d894..7c8b0c205916334bc9df3ca7c830380a2c8b51a5 100644 --- a/ee/spec/services/security/findings/dismiss_service_spec.rb +++ b/ee/spec/services/security/findings/dismiss_service_spec.rb @@ -21,7 +21,7 @@ describe '#execute' do context 'when the user is authorized' do before do - finding.project.add_developer(user) + finding.project.add_maintainer(user) end context 'when comment is added' do diff --git a/ee/spec/services/vulnerabilities/bulk_dismiss_service_spec.rb b/ee/spec/services/vulnerabilities/bulk_dismiss_service_spec.rb index b429c209e634570880099c110a5eedd9f11e2d9d..22f660cb9cdd458a6923ba1dc06d312c1cc9dd84 100644 --- a/ee/spec/services/vulnerabilities/bulk_dismiss_service_spec.rb +++ b/ee/spec/services/vulnerabilities/bulk_dismiss_service_spec.rb @@ -14,7 +14,7 @@ describe '#execute' do before_all do - project.add_developer(user) + project.add_maintainer(user) end before do diff --git a/ee/spec/services/vulnerabilities/confirm_service_spec.rb b/ee/spec/services/vulnerabilities/confirm_service_spec.rb index 1122d18b30889bf83800e0c2379bc5b9825a7f72..e97d0d69a61629ce0b20ae2e8d88ef976396c90d 100644 --- a/ee/spec/services/vulnerabilities/confirm_service_spec.rb +++ b/ee/spec/services/vulnerabilities/confirm_service_spec.rb 
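Review bot: `Mutations::Vulnerabilities::Dismiss` and `CreateExternalIssueLink` are left `pending` even though their fixtures are valid (`create(:vulnerability, :with_findings, project: project)`), while `BulkDismiss`, `Confirm`, `Resolve` and `RevertToDetected` pass with the same custom role; that asymmetry suggests those two mutations authorize against something other than `:admin_vulnerability`, and with developer access removed by default a user relying on the custom role could bulk-dismiss but not single-dismiss or link an external issue. Worth confirming what those two mutations check before this ships, and stating the reason in the `pending` description so the gap is not mistaken for a flaky test. The `describe Mutations::Vulnerabilities::Create` block this hunk extends starts outside the hunk.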
@@ -22,7 +22,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end context 'when vulnerability state is different from the requested state' do @@ -92,11 +92,19 @@ it { expect { confirm_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { confirm_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { confirm_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:auditor) } it { expect { confirm_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { confirm_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { confirm_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end diff --git a/ee/spec/services/vulnerabilities/create_service_spec.rb b/ee/spec/services/vulnerabilities/create_service_spec.rb index c95b610586b7f094768fc4909420632ab6c2ae3b..ca7ac0096f0dd458523d6aa48cc85f9e38a040c6 100644 --- a/ee/spec/services/vulnerabilities/create_service_spec.rb +++ b/ee/spec/services/vulnerabilities/create_service_spec.rb @@ -55,7 +55,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it_behaves_like 'calls Vulnerabilities::Statistics::UpdateService' diff --git a/ee/spec/services/vulnerabilities/dismiss_service_spec.rb b/ee/spec/services/vulnerabilities/dismiss_service_spec.rb index 25891b355addd52036ba7a948b10915ce5480cce..6199e81b8629d7ae0fe646ec676aabb06b692c87 100644 
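Review bot: The new `context 'with `disable_developer_access_to_admin_vulnerability` disabled'` block (a `before` that stubs the flag off plus one `be_allowed_for(:developer)` example) is repeated almost verbatim in the dismiss_service_spec (L23), resolve_service_spec (L25) and revert_to_detected_service_spec (L26) hunks, differing only in the subject; a shared example such as `it_behaves_like 'allows developers when disable_developer_access_to_admin_vulnerability is off'` that takes the subject as a block would keep the four specs in step when the flag is later removed. Separately, the default `be_denied_for(:developer)` expectation holds only because development feature flags are enabled by default in this suite; whether that matches the production default is not visible in the hunk, so a one-line comment above the flag-off context, e.g. `# flag enabled (suite default): developers lose admin_vulnerability; flag disabled: previous behaviour`, would stop a reader from taking the denial as the currently shipped behaviour. The enclosing `describe`/`context` starts outside the hunk.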
--- a/ee/spec/services/vulnerabilities/dismiss_service_spec.rb +++ b/ee/spec/services/vulnerabilities/dismiss_service_spec.rb @@ -61,7 +61,7 @@ context 'when vulnerability state is different from the requested state' do context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it_behaves_like 'calls vulnerability statistics utility services in order' @@ -168,7 +168,7 @@ let(:vulnerability) { create(:vulnerability, :with_state_transition, :dismissed, project: project, to_state: :dismissed) } before do - project.add_developer(user) + project.add_maintainer(user) end it { expect { dismiss_vulnerability }.not_to raise_error } @@ -203,11 +203,19 @@ it { expect { dismiss_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { dismiss_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { dismiss_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:auditor) } it { expect { dismiss_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { dismiss_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { dismiss_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end diff --git a/ee/spec/services/vulnerabilities/find_or_create_from_security_finding_service_spec.rb b/ee/spec/services/vulnerabilities/find_or_create_from_security_finding_service_spec.rb index 29503a0fbf487fd7cfe0de4f25b6abb0aa0fc520..9b74e4633f9ecc2b31ba44fbb57c4b902ee8d2c4 100644 
--- a/ee/spec/services/vulnerabilities/find_or_create_from_security_finding_service_spec.rb +++ b/ee/spec/services/vulnerabilities/find_or_create_from_security_finding_service_spec.rb @@ -6,7 +6,7 @@ feature_category: :vulnerability_management do before do stub_licensed_features(security_dashboard: true) - project.add_developer(user) + project.add_maintainer(user) end let(:security_finding_uuid) { security_findings.first.uuid } diff --git a/ee/spec/services/vulnerabilities/manually_create_service_spec.rb b/ee/spec/services/vulnerabilities/manually_create_service_spec.rb index dad17155ea7ca33cf9917abb8a8bd3d0fb0e945c..edf4cfe7d32614861f71ebf65224554e8227e34c 100644 --- a/ee/spec/services/vulnerabilities/manually_create_service_spec.rb +++ b/ee/spec/services/vulnerabilities/manually_create_service_spec.rb @@ -16,7 +16,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end context 'with valid parameters' do @@ -87,7 +87,7 @@ end it 'does not exceed query limit' do - expect { subject }.not_to exceed_query_limit(27) + expect { subject }.not_to exceed_query_limit(28) end it 'creates a new Vulnerability' do diff --git a/ee/spec/services/vulnerabilities/resolve_service_spec.rb b/ee/spec/services/vulnerabilities/resolve_service_spec.rb index f0c6392dbb729e3f43e19e13026ab474d94035aa..0e51b2ec8fed2bc0372cdfe9211b06303ffef10f 100644 --- a/ee/spec/services/vulnerabilities/resolve_service_spec.rb +++ b/ee/spec/services/vulnerabilities/resolve_service_spec.rb @@ -23,7 +23,7 @@ context 'when vulnerability state is different from the requested state' do context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it_behaves_like 'calls vulnerability statistics utility services in order' 
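Review bot: The query budget raised from 27 to 28 in `it 'does not exceed query limit'` (manually_create_service_spec) is not explained; presumably the extra query is the additional lookup the reworked admin_vulnerability rule performs, but the spec should say so, so that the limit is not silently raised again by an unrelated change: `# +1: the admin_vulnerability policy rule now performs one extra lookup` above the expectation. If that query goes away once the flag is removed, the same comment tells the cleanup change to restore 27. The enclosing `describe`/`context` starts and ends outside the hunk.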
@@ -87,11 +87,19 @@ it { expect { resolve_vulnerability }.to be_allowed_for(:owner).of(project) } it { expect { resolve_vulnerability }.to be_allowed_for(:maintainer).of(project) } - it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) } + it { expect { resolve_vulnerability }.to be_denied_for(:developer).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:auditor) } it { expect { resolve_vulnerability }.to be_denied_for(:reporter).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:guest).of(project) } it { expect { resolve_vulnerability }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { resolve_vulnerability }.to be_allowed_for(:developer).of(project) } + end end end diff --git a/ee/spec/services/vulnerabilities/revert_to_detected_service_spec.rb b/ee/spec/services/vulnerabilities/revert_to_detected_service_spec.rb index 67df8a6829b39325753518bd1b8578379bd648c6..1789dc2f31b6b5745c04517280c93ae4cf862a0a 100644 --- a/ee/spec/services/vulnerabilities/revert_to_detected_service_spec.rb +++ b/ee/spec/services/vulnerabilities/revert_to_detected_service_spec.rb @@ -51,7 +51,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end context 'when vulnerability state is different from the requested state' do 
@@ -109,11 +109,19 @@ it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:owner).of(project) } it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:maintainer).of(project) } - it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) } + it { expect { revert_vulnerability_to_detected }.to be_denied_for(:developer).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:auditor) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:reporter).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:guest).of(project) } it { expect { revert_vulnerability_to_detected }.to be_denied_for(:anonymous) } + + context 'with `disable_developer_access_to_admin_vulnerability` disabled' do + before do + stub_feature_flags(disable_developer_access_to_admin_vulnerability: false) + end + + it { expect { revert_vulnerability_to_detected }.to be_allowed_for(:developer).of(project) } + end end end diff --git a/ee/spec/services/vulnerabilities/security_finding/create_issue_service_spec.rb b/ee/spec/services/vulnerabilities/security_finding/create_issue_service_spec.rb index 1e31b06b68b1649b93b2bd02fe2950c8170e7bde..889ec5ab7d717b53fdec16b6fc840ac742d329fb 100644 --- a/ee/spec/services/vulnerabilities/security_finding/create_issue_service_spec.rb +++ b/ee/spec/services/vulnerabilities/security_finding/create_issue_service_spec.rb @@ -6,7 +6,7 @@ feature_category: :vulnerability_management do before do stub_licensed_features(security_dashboard: true) - project.add_developer(user) + project.add_maintainer(user) end let_it_be(:project) { create(:project, :repository) } diff --git a/ee/spec/services/vulnerabilities/security_finding/create_merge_request_service_spec.rb b/ee/spec/services/vulnerabilities/security_finding/create_merge_request_service_spec.rb index 8c38cdb9dcaa967d2ee6b557b0f4407e6c9b96c5..e453358946232ef4aa42924ff593546d2ea05f23 100644 
--- a/ee/spec/services/vulnerabilities/security_finding/create_merge_request_service_spec.rb +++ b/ee/spec/services/vulnerabilities/security_finding/create_merge_request_service_spec.rb @@ -36,7 +36,7 @@ before do stub_licensed_features(security_dashboard: true) - group.add_developer(user) + group.add_maintainer(user) end context 'when user does not have permission to read_security_resource' do diff --git a/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb b/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb index 23488dd17e0f1eb5bc9342fb750c159e3abea492..67e436b2100405cc992e3714775f9af2a6cbe679 100644 --- a/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb +++ b/ee/spec/services/vulnerabilities/starboard_vulnerability_create_service_spec.rb @@ -51,7 +51,7 @@ context 'with authorized user' do before do - project.add_developer(user) + project.add_maintainer(user) end context 'with feature enabled' do diff --git a/ee/spec/services/vulnerabilities/starboard_vulnerability_resolve_service_spec.rb b/ee/spec/services/vulnerabilities/starboard_vulnerability_resolve_service_spec.rb index 91ab0ed80efa7aa7f0af7420c0eb2ac4bab7de4b..2fcf7a93d47f2038f004895715106948bf36c06b 100644 --- a/ee/spec/services/vulnerabilities/starboard_vulnerability_resolve_service_spec.rb +++ b/ee/spec/services/vulnerabilities/starboard_vulnerability_resolve_service_spec.rb @@ -30,7 +30,7 @@ describe "#execute" do context 'with authorized user' do before_all do - project.add_developer(user) + project.add_maintainer(user) end context 'with feature enabled' do diff --git a/ee/spec/services/vulnerabilities/update_service_spec.rb b/ee/spec/services/vulnerabilities/update_service_spec.rb index 453783c8d61f2064478e9ee386674bc590b4b114..1350e2ea91ba4674b7d3eeb325e2d6630a6b476f 100644 --- a/ee/spec/services/vulnerabilities/update_service_spec.rb +++ b/ee/spec/services/vulnerabilities/update_service_spec.rb 
@@ -22,7 +22,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it_behaves_like 'calls Vulnerabilities::Statistics::UpdateService' diff --git a/ee/spec/services/vulnerability_feedback/create_service_spec.rb b/ee/spec/services/vulnerability_feedback/create_service_spec.rb index c67519a454e2026427e21b71a201d40db741aa45..c58b61c9cdafccbf1aadfcbbea57d902ee656c36 100644 --- a/ee/spec/services/vulnerability_feedback/create_service_spec.rb +++ b/ee/spec/services/vulnerability_feedback/create_service_spec.rb @@ -17,7 +17,7 @@ let(:security_finding) { security_findings.first } before do - group.add_developer(user) + group.add_maintainer(user) stub_licensed_features(security_dashboard: true) end diff --git a/ee/spec/services/vulnerability_feedback/destroy_service_spec.rb b/ee/spec/services/vulnerability_feedback/destroy_service_spec.rb index 69fe76443466d99074cfc117653d001f4ab90d60..5d58ed681d7f8bab857da7a00729303f3d25dd30 100644 --- a/ee/spec/services/vulnerability_feedback/destroy_service_spec.rb +++ b/ee/spec/services/vulnerability_feedback/destroy_service_spec.rb @@ -10,7 +10,7 @@ let(:service_object) { described_class.new(project, user, vulnerability_feedback, revert_vulnerability_state: revert_vulnerability_state) } before do - project.add_developer(user) + project.add_maintainer(user) stub_licensed_features(security_dashboard: true) end diff --git a/ee/spec/support/shared_examples/controllers/projects/security_and_compliance_feature_shared_examples.rb b/ee/spec/support/shared_examples/controllers/projects/security_and_compliance_feature_shared_examples.rb index 0133fc4e3f965a0d21725222a507f19286ecaff3..9019cbfe305fce0e54f145331938ffe41810894d 100644 --- a/ee/spec/support/shared_examples/controllers/projects/security_and_compliance_feature_shared_examples.rb +++ b/ee/spec/support/shared_examples/controllers/projects/security_and_compliance_feature_shared_examples.rb 
@@ -8,7 +8,7 @@ context 'when user has role that enables sufficient access' do before do - group.add_developer(user) + group.add_maintainer(user) end it { is_expected.to have_gitlab_http_status(:not_found) } @@ -34,7 +34,7 @@ context 'when user has role that enables sufficient access' do before do - group.add_developer(user) + group.add_maintainer(user) end it { is_expected.not_to have_gitlab_http_status(:not_found) } diff --git a/ee/spec/support/shared_examples/services/vulnerabilities/does_not_create_state_transition_for_same_state.rb b/ee/spec/support/shared_examples/services/vulnerabilities/does_not_create_state_transition_for_same_state.rb index 576d8ccaa5b95bfd2e1e3322e536905e3de9112d..771b2d6ce0a53b4ff28826f6a3d8df3e23e9b07a 100644 --- a/ee/spec/support/shared_examples/services/vulnerabilities/does_not_create_state_transition_for_same_state.rb +++ b/ee/spec/support/shared_examples/services/vulnerabilities/does_not_create_state_transition_for_same_state.rb @@ -6,7 +6,7 @@ context 'with an authorized user with proper permissions' do before do - project.add_developer(user) + project.add_maintainer(user) end it 'does not create a state transition entry' do