From aaff4cd9d2def810da046f8c5a69dc294e77c1b9 Mon Sep 17 00:00:00 2001 From: Rachael Wright-Munn Date: Thu, 23 May 2024 17:45:10 +0000 Subject: [PATCH 1/2] Create new custom Permission: read_crm_contact This new permission allows enterprise admins to create new roles that have access to view all crm contacts which would let users with minimal or guest access on the group add contacts to issues they have permission to manage. Changelog: added EE: true --- .../json_schemas/member_role_permissions.json | 3 ++ doc/api/graphql/reference/index.md | 1 + doc/user/custom_roles/abilities.md | 6 ++++ ee/app/policies/ee/group_policy.rb | 2 ++ .../custom_abilities/read_crm_contact.yml | 11 ++++++ ee/spec/factories/member_roles.rb | 1 + .../read_crm_contact/request_spec.rb | 36 +++++++++++++++++++ 7 files changed, 60 insertions(+) create mode 100644 ee/config/custom_abilities/read_crm_contact.yml create mode 100644 ee/spec/requests/custom_roles/read_crm_contact/request_spec.rb diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json index 191cbdb8b39622..2de40466859f8b 100644 --- a/app/validators/json_schemas/member_role_permissions.json +++ b/app/validators/json_schemas/member_role_permissions.json @@ -49,6 +49,9 @@ "read_code": { "type": "boolean" }, + "read_crm_contact": { + "type": "boolean" + }, "read_dependency": { "type": "boolean" }, diff --git a/doc/api/graphql/reference/index.md b/doc/api/graphql/reference/index.md index 86d663974774e3..898423edfece5b 100644 --- a/doc/api/graphql/reference/index.md +++ b/doc/api/graphql/reference/index.md 
@@ -34167,6 +34167,7 @@ Member role permission.
 | `MANAGE_PROJECT_ACCESS_TOKENS` | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. |
 | `MANAGE_SECURITY_POLICY_LINK` | Allows linking security policy projects. |
 | `READ_CODE` | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. |
+| `READ_CRM_CONTACT` | Read CRM contact. |
 | `READ_DEPENDENCY` | Allows read-only access to the dependencies and licenses. |
 | `READ_VULNERABILITY` | Read vulnerability reports and security dashboards. |
 | `REMOVE_GROUP` | Ability to delete or restore a group. This ability does not allow deleting top level groups. Review the Retention period settings to prevent accidental deletion. |
diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md
index 7e9544587a9c7d..6ee8524551e761 100644
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -83,6 +83,12 @@ These requirements are documented in the `Required permission` column in the fol
 | [`manage_group_access_tokens`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/140115) | | Create, read, update, and delete group access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/issues/428353) | | |
 | [`manage_project_access_tokens`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/132342) | | Create, read, update, and delete project access tokens. When creating a token, users with this custom permission must select a role for that token that has the same or fewer permissions as the default role used as the base for the custom role. | GitLab [16.5](https://gitlab.com/gitlab-org/gitlab/-/issues/421778) | `manage_project_access_tokens` | GitLab [16.8](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/141294) |
 
+## Team planning
+
+| Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
+|:-----|:------------|:------------------|:---------|:--------------|:---------|
+| [`read_crm_contact`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154017) | | Read CRM contact. | GitLab [17.1](https://gitlab.com/gitlab-org/gitlab/-/issues/443268) | | |
+
 ## Vulnerability management
 
 | Name | Required permission | Description | Introduced in | Feature flag | Enabled in |
diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index 699b7ab00312bc..e1af83070f8126 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -507,6 +507,8 @@ module GroupPolicy
 enable :read_billable_member
 end
 
+ rule { custom_role_enables_read_crm_contact }.enable(:read_crm_contact)
+
 rule { custom_role_enables_admin_group_member & service_accounts_available }.policy do
 enable :admin_service_account_member
 end
diff --git a/ee/config/custom_abilities/read_crm_contact.yml b/ee/config/custom_abilities/read_crm_contact.yml
new file mode 100644
index 00000000000000..8a0787b7eaf7e7
--- /dev/null
+++ b/ee/config/custom_abilities/read_crm_contact.yml
@@ -0,0 +1,11 @@
+---
+name: read_crm_contact
+description: Read CRM contact.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/443268
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/154017
+feature_category: team_planning
+milestone: '17.1'
+group_ability: true
+project_ability: false
+requirements: []
+available_from_access_level: 20
diff --git a/ee/spec/factories/member_roles.rb b/ee/spec/factories/member_roles.rb
index b1b13b162b6764..4101dc2a854268 100644
--- a/ee/spec/factories/member_roles.rb
+++ b/ee/spec/factories/member_roles.rb
@@ -25,6 +25,7 @@
 :manage_merge_request_settings,
 :manage_project_access_tokens,
 :read_code,
+ :read_crm_contact,
 :read_dependency,
 :read_vulnerability,
 :remove_group
diff --git a/ee/spec/requests/custom_roles/read_crm_contact/request_spec.rb b/ee/spec/requests/custom_roles/read_crm_contact/request_spec.rb
new file mode 100644
index 00000000000000..b38b01cfe5b119
--- /dev/null
+++ b/ee/spec/requests/custom_roles/read_crm_contact/request_spec.rb
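Review bot: The new rule enables `:read_crm_contact` whenever the custom-role condition holds and carries no CRM-enabled conjunct, so whether a custom-role holder is denied on a group that has CRM turned off depends entirely on a `prevent` rule elsewhere in the policy that this hunk does not show. The request spec in this series only checks the disabled case through the controller, so any caller that authorizes with `can?(:read_crm_contact)` alone (GraphQL resolvers, REST API) is not covered. Unless the base policy already prevents `:read_crm_contact` when CRM is disabled, gate the rule explicitly on the same condition the base policy uses, e.g. `rule { custom_role_enables_read_crm_contact & crm_enabled }.enable(:read_crm_contact)` (adjusting the condition name to what `GroupPolicy` actually defines), and add a policy-spec case asserting the ability is denied on a CRM-disabled group. The enclosing `module GroupPolicy` starts and ends outside the hunk.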
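Review bot: `description: Read CRM contact.` is much thinner than the sibling abilities it will be listed beside in the generated GraphQL and `abilities.md` docs (compare `READ_CODE`, which spells out what is and is not granted), and this text is what an administrator reads when deciding whether to attach the permission to a role. The commit message explains the actual scope — read access to all CRM contacts in the group, intended so that users with minimal or guest access can attach contacts to issues they already manage — so carry that into the YAML, e.g. `description: Allows read-only access to all CRM contacts in the group, so that users can attach contacts to issues they already have permission to manage. Does not grant the ability to create or edit contacts.` The last sentence should be kept only if the policy does not also enable any CRM write ability, which is not visible in this patch.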
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'User with read_crm_contact custom role', feature_category: :team_planning do
+ let_it_be(:user) { create(:user) }
+ let_it_be(:group) { create(:group) }
+ let_it_be(:role) { create(:member_role, :guest, :read_crm_contact, namespace: group) }
+ let_it_be(:membership) { create(:group_member, :guest, member_role: role, user: user, group: group) }
+
+ before do
+ stub_licensed_features(custom_roles: true)
+
+ sign_in(user)
+ end
+
+ describe Groups::Crm::ContactsController do
+ describe '#index' do
+ it 'allows access' do
+ get group_crm_contacts_path(group)
+
+ expect(response).to have_gitlab_http_status(:ok)
+ end
+
+ context 'when crm is disabled' do
+ let_it_be(:group) { create(:group, :crm_disabled) }
+
+ it 'does not circumvent disabled feature' do
+ get group_crm_contacts_path(group)
+
+ expect(response).to have_gitlab_http_status(:not_found)
+ end
+ end
+ end
+ end
+end
-- 
GitLab
From 025edeac55d64b858b33f2d2ee36adcc7a29d4fd Mon Sep 17 00:00:00 2001
From: Rachael Wright-Munn
Date: Thu, 6 Jun 2024 16:23:44 +0000
Subject: [PATCH 2/2] Add test to GroupPolicy.
---
 ee/spec/policies/group_policy_spec.rb | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/ee/spec/policies/group_policy_spec.rb b/ee/spec/policies/group_policy_spec.rb
index e35e04778a3f8d..d8c1cf54348310 100644
--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3695,6 +3695,13 @@ def create_member_role(member, abilities = member_role_abilities)
 
 it_behaves_like 'custom roles abilities'
 end
+
+ context 'for a member role with read_crm_contact true' do
+ let(:member_role_abilities) { { read_crm_contact: true } }
+ let(:allowed_abilities) { [:read_crm_contact] }
+
+ it_behaves_like 'custom roles abilities'
+ end
 end
 
 context 'for :read_limit_alert' do
-- 
GitLab
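Review bot: The `'when crm is disabled'` context redefines only `group`, while `role` and `membership` are `let_it_be` in the outer describe and were created against the original group, so inside that context the signed-in user holds no membership and no member role on the CRM-disabled group at all. The 404 the example expects can therefore come from the user simply being a non-member rather than from the disabled feature, which means the test does not actually demonstrate that the custom role fails to circumvent it. Recreate the role and membership in the inner context so the user really holds `read_crm_contact` on the disabled group: `let_it_be(:role) { create(:member_role, :guest, :read_crm_contact, namespace: group) }` and `let_it_be(:membership) { create(:group_member, :guest, member_role: role, user: user, group: group) }` next to the overridden `group`. It is also worth adding a negative example for a guest member without the custom role on the enabled group, so the `:ok` in `'allows access'` is shown to come from the role and not from the group's default visibility.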
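Review bot: The added context asserts only that `read_crm_contact` is allowed when the member role carries it; there is no counterpart asserting the ability stays denied when the group has CRM disabled, which is the one case where a custom role must not out-rank the feature setting. The request spec in the first patch exercises that path only at the controller, so at policy level the disabled case is unverified. Add a sibling context that builds the subject with `create(:group, :crm_disabled)` and expects `read_crm_contact` in the denied list, using whatever denied-abilities hook the `'custom roles abilities'` shared example exposes (its definition is outside this hunk). The enclosing `context` and `describe` blocks start and end outside the hunk.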