Check access to instance-level vulnerability export APIs

We restrict access to these endpoints if the `security_dashboard`
feature is not available.

ee/app/policies/instance_security_dashboard_policy.rb

 # frozen_string_literal: true
 
 class InstanceSecurityDashboardPolicy < BasePolicy
-  rule { ~anonymous }.policy do
-    enable :read_instance_security_dashboard
-    enable :create_vulnerability_export
+  with_scope :global
+  condition(:security_dashboard_enabled) do
+    License.feature_available?(:security_dashboard)
   end
+
+  rule { ~anonymous }.enable :read_instance_security_dashboard
+  rule { security_dashboard_enabled & can?(:read_instance_security_dashboard) }.enable :create_vulnerability_export
 end

ee/lib/api/vulnerability_exports.rb

@@ -53,6 +53,11 @@ module API
         end
       end
 
+      namespace do
+        before do
+          not_found! unless Feature.enabled?(:first_class_vulnerabilities)
+        end
+
         params do
           optional :export_format, type: String, desc: 'The format of export to be generated',
                    default: ::Vulnerabilities::Export.formats.each_key.first,
@@ -66,6 +71,7 @@ module API
 
           process_create_request_for(current_user.security_dashboard)
         end
+      end
 
       desc 'Get single project vulnerability export' do
         success EE::API::Entities::VulnerabilityExport

ee/spec/requests/api/vulnerability_exports_spec.rb

@@ -118,6 +118,8 @@ describe API::VulnerabilityExports do
         end
       end
     end
+
+    it_behaves_like 'forbids access to vulnerability API endpoint in case of disabled features'
   end
 
   describe 'GET /security/vulnerability_exports/:id' do