Commit 0afc1625 authored by harsimarsandhu's avatar harsimarsandhu

Ensures audit events are visible to auditor

Changelog: fixed
EE: true
parent 136f200c
...@@ -43,6 +43,8 @@ class Projects::AuditEventsController < Projects::ApplicationController ...@@ -43,6 +43,8 @@ class Projects::AuditEventsController < Projects::ApplicationController
end end
def filter_by_author(params) def filter_by_author(params)
can?(current_user, :admin_project, project) ? params : params.merge(author_id: current_user.id) return params if can?(current_user, :admin_project, project) || current_user.auditor?
params.merge(author_id: current_user.id)
end end
end end
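Review bot: The new guard on line 11 mixes a policy check with a direct role test (`current_user.auditor?`), so the decision about who may see events authored by other users is now split between this controller and ProjectPolicy, which in the same commit grants `read_project_audit_events` to auditors; expressing the bypass as a single ability checked through `can?` would keep that visibility rule in one place and let any later `prevent` rule in the policy take effect here too. The guard also dereferences `current_user` unconditionally, so if this action were reachable without a signed-in user the result would be a NoMethodError rather than a filtered scope — a before_action outside the hunk may already rule that out, but it is not visible here. A short comment would make the intent explicit: `# Members without admin_project only see their own events; admins and auditors see all authors.` The enclosing class continues outside the hunk.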
...@@ -276,6 +276,7 @@ module EE ...@@ -276,6 +276,7 @@ module EE
enable :read_environment enable :read_environment
enable :read_deployment enable :read_deployment
enable :read_pages enable :read_pages
enable :read_project_audit_events
end end
rule { ~security_and_compliance_disabled & auditor }.policy do rule { ~security_and_compliance_disabled & auditor }.policy do
......
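Review bot: The rule that encloses the new `enable :read_project_audit_events` on line 19 starts outside the hunk, so its condition is not visible; the neighbouring rule on line 21 is guarded by `~security_and_compliance_disabled & auditor`, and it is worth confirming that the enclosing rule carries the licensed-feature or disabled-feature guard the other audit-event abilities use, since an unguarded grant would make the auditor bypass added in the controller reachable where the feature is meant to be off. The controller spec in this commit does run 'when audit_events feature is not available' for the auditor, which presumably covers this, but the assertion it makes lies outside the visible hunks.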
...@@ -7,6 +7,7 @@ RSpec.describe Projects::AuditEventsController do ...@@ -7,6 +7,7 @@ RSpec.describe Projects::AuditEventsController do
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:maintainer) { create(:user) } let_it_be(:maintainer) { create(:user) }
let_it_be(:auditor) { create(:user, auditor: true) }
let_it_be(:project) { create(:project, :private) } let_it_be(:project) { create(:project, :private) }
let_it_be(:events) { create_list(:project_audit_event, 5, entity_id: project.id) } let_it_be(:events) { create_list(:project_audit_event, 5, entity_id: project.id) }
...@@ -19,13 +20,7 @@ RSpec.describe Projects::AuditEventsController do ...@@ -19,13 +20,7 @@ RSpec.describe Projects::AuditEventsController do
get :index, params: { project_id: project.to_param, namespace_id: project.namespace.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id } get :index, params: { project_id: project.to_param, namespace_id: project.namespace.to_param, sort: sort, entity_type: entity_type, entity_id: entity_id }
end end
context 'authorized' do shared_context 'when audit_events feature is available' do
before do
project.add_maintainer(maintainer)
sign_in(maintainer)
end
context 'when audit_events feature is available' do
let(:level) { Gitlab::Audit::Levels::Project.new(project: project) } let(:level) { Gitlab::Audit::Levels::Project.new(project: project) }
let(:audit_logs_params) { ActionController::Parameters.new(sort: '', entity_type: '', entity_id: '', created_after: Date.current.beginning_of_month, created_before: Date.current.end_of_day).permit! } let(:audit_logs_params) { ActionController::Parameters.new(sort: '', entity_type: '', entity_id: '', created_after: Date.current.beginning_of_month, created_before: Date.current.end_of_day).permit! }
...@@ -133,7 +128,7 @@ RSpec.describe Projects::AuditEventsController do ...@@ -133,7 +128,7 @@ RSpec.describe Projects::AuditEventsController do
end end
end end
context 'pagination' do shared_examples 'pagination' do
it 'sets instance variables' do it 'sets instance variables' do
request request
...@@ -150,7 +145,7 @@ RSpec.describe Projects::AuditEventsController do ...@@ -150,7 +145,7 @@ RSpec.describe Projects::AuditEventsController do
end end
end end
context 'when audit_events feature is not available' do shared_context 'when audit_events feature is not available' do
before do before do
stub_licensed_features(audit_events: false) stub_licensed_features(audit_events: false)
end end
...@@ -162,6 +157,42 @@ RSpec.describe Projects::AuditEventsController do ...@@ -162,6 +157,42 @@ RSpec.describe Projects::AuditEventsController do
end end
end end
context 'when authorized as auditor' do
before do
sign_in(auditor)
end
it_behaves_like 'when audit_events feature is available'
it_behaves_like 'pagination'
it_behaves_like 'when audit_events feature is not available'
it 'tracks search event', :snowplow do
request
expect_snowplow_event(
category: 'Projects::AuditEventsController',
action: 'search_audit_event',
project: project,
user: auditor,
namespace: project.namespace
)
end
end
context 'when authorized as maintainer' do
before do
project.add_maintainer(maintainer)
sign_in(maintainer)
end
it_behaves_like 'when audit_events feature is available'
it_behaves_like 'pagination'
it_behaves_like 'when audit_events feature is not available'
it 'tracks search event', :snowplow do it 'tracks search event', :snowplow do
request request
......
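Review bot: None of the visible examples in the new 'when authorized as auditor' context (lines 56-73) assert the behaviour the commit title describes — that an auditor sees events authored by other users while a user without `admin_project` still sees only their own; the shared contexts reused here were previously run only as a maintainer, who already passed the `admin_project` check, so they may not exercise the author filter at all. The events fixture on line 28 sets only `entity_id`, so an example that creates events whose `author_id` differs from the signed-in user and expects them in the auditor's result (and, if such a user can reach the action, absent for a member without `admin_project`) would pin the fix. Separately, 'when audit_events feature is not available' is declared with `shared_context` but invoked via `it_behaves_like`; that works, since both register a shared group, but `include_context` states the intent more clearly. The bodies of the shared contexts are cut by the hunk boundaries.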
...@@ -47,6 +47,7 @@ RSpec.describe ProjectPolicy do ...@@ -47,6 +47,7 @@ RSpec.describe ProjectPolicy do
read_software_license_policy read_software_license_policy
read_threat_monitoring read_merge_train read_threat_monitoring read_merge_train
read_release read_release
read_project_audit_events
] ]
end end
......