Merge branch 'security-vulnerability-feedback-visible-in-background' into 'master'

Resolve "Vulnerability feedback information visible in public projects" See merge request gitlab/gitlab-ee!1017

Merge branch 'security-vulnerability-feedback-visible-in-background' into 'master'
Resolve "Vulnerability feedback information visible in public projects" See merge request gitlab/gitlab-ee!1017
4a5f0ed3 · GitLab Release Tools Bot · 5f4ffa8c · b8fa8b82 · 4a5f0ed3 · 4a5f0ed3
Commit 4a5f0ed3 authored Jul 26, 2019 by GitLab Release Tools Bot
3 changed files
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -149,7 +149,7 @@ module EE
        prevent :read_project_security_dashboard
      end

-      rule { can?(:read_project) }.enable :read_vulnerability_feedback
+      rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback

      rule { license_management_enabled & can?(:read_project) }.enable :read_software_license_policy


--- a/ee/changelogs/unreleased/security-vulnerability-feedback-visible-in-background.yml
+++ b/ee/changelogs/unreleased/security-vulnerability-feedback-visible-in-background.yml
+---
+title: Make vulnerability feedback invisible if limited access to repo
+merge_request:
+author:
+type: security
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -25,7 +25,7 @@ describe ProjectPolicy do
    include_context 'ProjectPolicy context'

    let(:additional_guest_permissions) do
-      %i[read_issue_link read_vulnerability_feedback read_software_license_policy]
+      %i[read_issue_link read_software_license_policy]
    end
    let(:additional_reporter_permissions) { [:admin_issue_link] }
    let(:additional_developer_permissions) { %i[admin_vulnerability_feedback read_project_security_dashboard read_feature_flag] }
@@ -361,6 +361,36 @@ describe ProjectPolicy do
        it { is_expected.to be_disallowed(:read_vulnerability_feedback) }
      end
    end
+
+    context 'with public project' do
+      let(:current_user) { create(:user) }
+
+      context 'with limited access to both builds and merge requests' do
+        context 'when builds enabled for project members' do
+          let(:project) { create(:project, :public, :merge_requests_private, :builds_private) }
+
+          it { is_expected.not_to be_allowed(:read_vulnerability_feedback) }
+        end
+
+        context 'when public builds disabled' do
+          let(:project) { create(:project, :public, :merge_requests_private, public_builds: false) }
+
+          it { is_expected.not_to be_allowed(:read_vulnerability_feedback) }
+        end
+      end
+
+      context 'with limited access to merge requests' do
+        let(:project) { create(:project, :public, :merge_requests_private) }
+
+        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
+      end
+
+      context 'with public access to repository' do
+        let(:project) { create(:project, :public) }
+
+        it { is_expected.to be_allowed(:read_vulnerability_feedback) }
+      end
+    end
  end

  describe 'vulnerability feedback permissions' do