Merge branch '10242-unify-vulnerabilities-admin-permissions' into 'master'

Unify permissions to manage Vulnerabilities under admin_vulnerability

See merge request gitlab-org/gitlab!20635

ee/app/policies/ee/project_policy.rb

@@ -10,6 +10,7 @@ module EE
       issue_link
       approvers
       vulnerability_feedback
+      vulnerability
       license_management
       feature_flag
       feature_flags_client
@@ -160,8 +161,7 @@ module EE
       rule { can?(:read_project_security_dashboard) & can?(:developer_access) }.policy do
         enable :read_vulnerability
         enable :create_vulnerability
-        enable :resolve_vulnerability
-        enable :dismiss_vulnerability
+        enable :admin_vulnerability
       end
 
       rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback

ee/app/services/vulnerabilities/dismiss_service.rb

@@ -13,7 +13,7 @@ module Vulnerabilities
     end
 
     def execute
-      raise Gitlab::Access::AccessDeniedError unless can?(@user, :dismiss_vulnerability, @project)
+      raise Gitlab::Access::AccessDeniedError unless can?(@user, :admin_vulnerability, @project)
 
       @vulnerability.transaction do
         result = dismiss_findings

ee/app/services/vulnerabilities/resolve_service.rb

@@ -10,7 +10,7 @@ module Vulnerabilities
     end
 
     def execute
-      raise Gitlab::Access::AccessDeniedError unless can?(@user, :resolve_vulnerability, @vulnerability.project)
+      raise Gitlab::Access::AccessDeniedError unless can?(@user, :admin_vulnerability, @vulnerability.project)
 
       @vulnerability.tap do |vulnerability|
         vulnerability.update(state: :resolved, resolved_by: @user, resolved_at: Time.current)

ee/lib/api/vulnerabilities.rb

@@ -46,7 +46,7 @@ module API
         success EE::API::Entities::Vulnerability
       end
       post ':id/resolve' do
-        vulnerability = find_and_authorize_vulnerability!(:resolve_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
         break not_modified! if vulnerability.resolved?
 
         vulnerability = ::Vulnerabilities::ResolveService.new(current_user, vulnerability).execute
@@ -57,7 +57,7 @@ module API
         success EE::API::Entities::Vulnerability
       end
       post ':id/dismiss' do
-        vulnerability = find_and_authorize_vulnerability!(:dismiss_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
         break not_modified! if vulnerability.closed?
 
         vulnerability = ::Vulnerabilities::DismissService.new(current_user, vulnerability).execute

ee/spec/policies/project_policy_spec.rb

@@ -33,7 +33,7 @@ describe ProjectPolicy do
     let(:additional_developer_permissions) do
       %i[
         admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
-        read_vulnerability create_vulnerability resolve_vulnerability dismiss_vulnerability
+        read_vulnerability create_vulnerability admin_vulnerability
       ]
     end
     let(:additional_maintainer_permissions) { %i[push_code_to_protected_branches admin_feature_flags_client] }
@@ -495,8 +495,7 @@ describe ProjectPolicy do
         include_context 'when security dashboard feature is not available'
 
         it { is_expected.to be_disallowed(:create_vulnerability) }
-        it { is_expected.to be_disallowed(:resolve_vulnerability) }
-        it { is_expected.to be_disallowed(:dismiss_vulnerability) }
+        it { is_expected.to be_disallowed(:admin_vulnerability) }
       end
     end
   end