Revert "Merge branch '34422-get-single-vulnerability-api' into 'master'"

This reverts merge request !19079

ee/lib/api/vulnerabilities.rb

@@ -13,14 +13,9 @@ module API
         Vulnerability.with_findings.find(params[:id])
       end
 
-      def authorize_vulnerability!(vulnerability, action)
-        authorize! action, vulnerability.project
-        vulnerability
-      end
-
       def find_and_authorize_vulnerability!(action)
         find_vulnerability!.tap do |vulnerability|
-          authorize_vulnerability!(vulnerability, action)
+          authorize! action, vulnerability.project
         end
       end
 
@@ -43,15 +38,6 @@ module API
       requires :id, type: String, desc: 'The ID of a vulnerability'
     end
     resource :vulnerabilities do
-      desc 'Get a vulnerability' do
-        success VulnerabilityEntity
-      end
-      get ':id' do
-        vulnerability = Vulnerability.find(params[:id])
-        authorize_vulnerability!(vulnerability, :read_project_security_dashboard)
-        render_vulnerability(vulnerability)
-      end
-
       desc 'Resolve a vulnerability' do
         success EE::API::Entities::Vulnerability
       end

ee/spec/requests/api/vulnerabilities_spec.rb

@@ -9,8 +9,6 @@ describe API::Vulnerabilities do
 
   let_it_be(:project) { create(:project, :with_vulnerabilities) }
   let_it_be(:user) { create(:user) }
-  let_it_be(:vulnerability) { project.vulnerabilities.first }
-  let(:vulnerability_id) { vulnerability.id }
 
   shared_examples 'forbids actions on vulnerability in case of disabled features' do
     context 'when "first-class vulnerabilities" feature is disabled' do
@@ -38,20 +36,10 @@ describe API::Vulnerabilities do
     end
   end
 
-  shared_examples 'responds with "not found" for an unknown vulnerability ID' do
-    let(:vulnerability_id) { 0 }
-
-    it do
-      subject
-
-      expect(response).to have_gitlab_http_status(404)
-    end
-  end
-
   describe 'GET /projects/:id/vulnerabilities' do
     let(:project_vulnerabilities_path) { "/projects/#{project.id}/vulnerabilities" }
 
-    subject(:get_vulnerabilities) { get api(project_vulnerabilities_path, user) }
+    subject { get api(project_vulnerabilities_path, user) }
 
     context 'with an authorized user with proper permissions' do
       before do
@@ -59,7 +47,7 @@ describe API::Vulnerabilities do
       end
 
       it 'returns all vulnerabilities of a project' do
-        get_vulnerabilities
+        subject
 
         expect(response).to have_gitlab_http_status(200)
         expect(response).to include_pagination_headers
@@ -71,7 +59,7 @@ describe API::Vulnerabilities do
         let(:project_vulnerabilities_path) { "#{super()}?page=2&per_page=1" }
 
         it 'paginates the vulnerabilities according to the pagination params' do
-          get_vulnerabilities
+          subject
 
           expect(response).to have_gitlab_http_status(200)
           expect(json_response.map { |v| v['id'] }).to contain_exactly(project.vulnerabilities.second.id)
@@ -82,47 +70,17 @@ describe API::Vulnerabilities do
     end
 
     it_behaves_like 'responds with "not found" when there is no access to the project'
-    it_behaves_like 'prevents working with vulnerabilities in case of insufficient access level'
+    it_behaves_like 'prevents working with vulnerabilities in case of insufficient privileges'
   end
 
-  shared_examples 'prevents working with vulnerabilities for anonymous users' do
-    it do
-      subject
-
-      expect(response).to have_gitlab_http_status(403)
-    end
-  end
-
-  describe 'GET /vulnerabilities/:id' do
-    subject(:get_vulnerability) { get api("/vulnerabilities/#{vulnerability_id}", user) }
-
-    context 'with an authorized user with proper permissions' do
-      before do
-        project.add_developer(user)
-      end
-
-      it 'returns the desired vulnerability' do
-        get_vulnerability
-
-        expect(response).to have_gitlab_http_status(200)
-        expect(response).to match_response_schema('vulnerability', dir: 'ee')
-        expect(json_response['id']).to eq vulnerability_id
-      end
-
-      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
-      it_behaves_like 'forbids actions on vulnerability in case of disabled features'
-    end
-
-    it_behaves_like 'prevents working with vulnerabilities in case of insufficient access level'
-    it_behaves_like 'prevents working with vulnerabilities for anonymous users'
-  end
-
-  describe 'POST /vulnerabilities/:id/dismiss' do
+  describe "POST /vulnerabilities:id/dismiss" do
     before do
       create_list(:vulnerabilities_occurrence, 2, vulnerability: vulnerability, project: vulnerability.project)
     end
 
-    subject(:dismiss_vulnerability) { post api("/vulnerabilities/#{vulnerability_id}/dismiss", user) }
+    let(:vulnerability) { project.vulnerabilities.first }
+
+    subject { post api("/vulnerabilities/#{vulnerability.id}/dismiss", user) }
 
     context 'with an authorized user with proper permissions' do
       before do
@@ -131,7 +89,7 @@ describe API::Vulnerabilities do
 
       it 'dismisses a vulnerability and its associated findings' do
         Timecop.freeze do
-          dismiss_vulnerability
+          subject
 
           expect(response).to have_gitlab_http_status(201)
           expect(response).to match_response_schema('public_api/v4/vulnerability', dir: 'ee')
@@ -142,8 +100,6 @@ describe API::Vulnerabilities do
         end
       end
 
-      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
-
       context 'when there is a dismissal error' do
         before do
           Grape::Endpoint.before_each do |endpoint|
@@ -167,7 +123,7 @@ describe API::Vulnerabilities do
         end
 
         it 'responds with error' do
-          dismiss_vulnerability
+          subject
 
           expect(response).to have_gitlab_http_status(400)
           expect(json_response['message']).to eq('base' => ['something went wrong'])
@@ -178,7 +134,7 @@ describe API::Vulnerabilities do
         let(:vulnerability) { create(:vulnerability, :closed, project: project) }
 
         it 'responds with 304 Not Modified' do
-          dismiss_vulnerability
+          subject
 
           expect(response).to have_gitlab_http_status(304)
         end
@@ -187,16 +143,17 @@ describe API::Vulnerabilities do
       it_behaves_like 'forbids actions on vulnerability in case of disabled features'
     end
 
-    it_behaves_like 'prevents working with vulnerabilities in case of insufficient access level'
-    it_behaves_like 'prevents working with vulnerabilities for anonymous users'
+    it_behaves_like 'prevents working with vulnerabilities in case of insufficient privileges'
   end
 
-  describe 'POST /vulnerabilities/:id/resolve' do
+  describe "POST /vulnerabilities:id/resolve" do
     before do
       create_list(:vulnerabilities_finding, 2, vulnerability: vulnerability)
     end
 
-    subject(:resolve_vulnerability) { post api("/vulnerabilities/#{vulnerability_id}/resolve", user) }
+    let(:vulnerability) { project.vulnerabilities.first }
+
+    subject { post api("/vulnerabilities/#{vulnerability.id}/resolve", user) }
 
     context 'with an authorized user with proper permissions' do
       before do
@@ -205,7 +162,7 @@ describe API::Vulnerabilities do
 
       it 'resolves a vulnerability and its associated findings' do
         Timecop.freeze do
-          resolve_vulnerability
+          subject
 
           expect(response).to have_gitlab_http_status(201)
           expect(response).to match_response_schema('public_api/v4/vulnerability', dir: 'ee')
@@ -216,13 +173,11 @@ describe API::Vulnerabilities do
         end
       end
 
-      it_behaves_like 'responds with "not found" for an unknown vulnerability ID'
-
       context 'when the vulnerability is already resolved' do
         let(:vulnerability) { create(:vulnerability, :closed, project: project) }
 
         it 'responds with 304 Not Modified response' do
-          resolve_vulnerability
+          subject
 
           expect(response).to have_gitlab_http_status(304)
         end
@@ -231,7 +186,6 @@ describe API::Vulnerabilities do
       it_behaves_like 'forbids actions on vulnerability in case of disabled features'
     end
 
-    it_behaves_like 'prevents working with vulnerabilities in case of insufficient access level'
-    it_behaves_like 'prevents working with vulnerabilities for anonymous users'
+    it_behaves_like 'prevents working with vulnerabilities in case of insufficient privileges'
   end
 end

ee/spec/requests/api/vulnerability_findings_spec.rb

@@ -181,7 +181,7 @@ describe API::VulnerabilityFindings do
       subject { get api(project_vulnerability_findings_path, user) }
     end
 
-    it_behaves_like 'prevents working with vulnerabilities in case of insufficient access level' do
+    it_behaves_like 'prevents working with vulnerabilities in case of insufficient privileges' do
       subject { get api(project_vulnerability_findings_path, user) }
     end
   end

ee/spec/support/shared_examples/requests/api/vulnerabilities_shared_examples.rb

 # frozen_string_literal: true
 
-shared_examples 'prevents working with vulnerabilities in case of insufficient access level' do
-  it 'responds 403 Forbidden when accessed by reporter' do
-    project.add_reporter(user)
+shared_examples 'prevents working with vulnerabilities in case of insufficient privileges' do
+  context 'with lesser access level than required' do
+    it 'responds with 403 Forbidden' do
+      project.add_reporter(user)
 
-    subject
-
-    expect(response).to have_gitlab_http_status(403)
-  end
-
-  it 'responds 403 Forbidden when accessed by guest' do
-    project.add_guest(user)
-
-    subject
+      subject
 
-    expect(response).to have_gitlab_http_status(403)
+      expect(response).to have_gitlab_http_status(403)
+    end
   end
 end