From 4db26ef2ba8854482b933187efacdc581c0dcc76 Mon Sep 17 00:00:00 2001
From: Victor Zagorodny <vzagorodny@gitlab.com>
Date: Fri, 22 Nov 2019 17:42:18 +0200
Subject: [PATCH] Introduce admin_vulnerability ability

Unify the resolve_vulnerability and
dismiss_vulnerability abilities under a single
admin_vulnerability ability, since there is currently
no need to grant these permissions independently.
---
 ee/app/policies/ee/project_policy.rb               | 4 ++--
 ee/app/services/vulnerabilities/dismiss_service.rb | 2 +-
 ee/app/services/vulnerabilities/resolve_service.rb | 2 +-
 ee/lib/api/vulnerabilities.rb                      | 4 ++--
 ee/spec/policies/project_policy_spec.rb            | 5 ++---
 5 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/ee/app/policies/ee/project_policy.rb b/ee/app/policies/ee/project_policy.rb
index 3102de952ee..ecdb810c0ea 100644
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -10,6 +10,7 @@ module EE
       issue_link
       approvers
       vulnerability_feedback
+      vulnerability
       license_management
       feature_flag
       feature_flags_client
@@ -160,8 +161,7 @@ module EE
       rule { can?(:read_project_security_dashboard) & can?(:developer_access) }.policy do
         enable :read_vulnerability
         enable :create_vulnerability
-        enable :resolve_vulnerability
-        enable :dismiss_vulnerability
+        enable :admin_vulnerability
       end
 
       rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
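Review bot: The new `enable :admin_vulnerability` line carries no explanation that it stands in for two previously separate abilities, so the next engineer who needs a finer split (for example letting a role dismiss but not resolve) has to dig this commit out of history. Suggest a comment directly above it: `# Covers both resolving and dismissing; the former resolve_vulnerability/dismiss_vulnerability abilities were merged because they were always granted together.` Because the ability now follows the `admin_*` naming, it is also picked up by whatever the feature list at the top of this policy does with the `vulnerability` entry added in the earlier hunk (the constant's name is outside the hunk); if that list disables `admin_*` abilities for archived projects, it is worth stating that in the same comment so the coupling between the list entry and this rule is visible.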
diff --git a/ee/app/services/vulnerabilities/dismiss_service.rb b/ee/app/services/vulnerabilities/dismiss_service.rb
index 0f2ac15987f..7388e4c3ec8 100644
--- a/ee/app/services/vulnerabilities/dismiss_service.rb
+++ b/ee/app/services/vulnerabilities/dismiss_service.rb
@@ -13,7 +13,7 @@ module Vulnerabilities
     end
 
     def execute
-      raise Gitlab::Access::AccessDeniedError unless can?(@user, :dismiss_vulnerability, @project)
+      raise Gitlab::Access::AccessDeniedError unless can?(@user, :admin_vulnerability, @project)
 
       @vulnerability.transaction do
         result = dismiss_findings
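Review bot: The new authorization line checks `:admin_vulnerability` against `@project`, whereas ResolveService in the next file checks it against `@vulnerability.project`; if `@project` is assigned in `initialize` (outside this hunk) from anything other than the vulnerability's own project, the permission is evaluated against a project the vulnerability does not belong to. The API call site passes only `current_user, vulnerability`, so `@project` is presumably derived from the vulnerability today, but the service's guard should not rely on that: `raise Gitlab::Access::AccessDeniedError unless can?(@user, :admin_vulnerability, @vulnerability.project)`. The `execute` method continues past the end of the hunk.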
diff --git a/ee/app/services/vulnerabilities/resolve_service.rb b/ee/app/services/vulnerabilities/resolve_service.rb
index eaaef9aa75a..327ea1a064f 100644
--- a/ee/app/services/vulnerabilities/resolve_service.rb
+++ b/ee/app/services/vulnerabilities/resolve_service.rb
@@ -10,7 +10,7 @@ module Vulnerabilities
     end
 
     def execute
-      raise Gitlab::Access::AccessDeniedError unless can?(@user, :resolve_vulnerability, @vulnerability.project)
+      raise Gitlab::Access::AccessDeniedError unless can?(@user, :admin_vulnerability, @vulnerability.project)
 
       @vulnerability.tap do |vulnerability|
         vulnerability.update(state: :resolved, resolved_by: @user, resolved_at: Time.current)
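Review bot: The return value of `vulnerability.update(...)` on the last context line is discarded, so a validation failure leaves the record unresolved while `tap` still returns it to the caller as though the state change succeeded; the API endpoint in ee/lib/api/vulnerabilities.rb appears to serialize whatever comes back. This is pre-existing rather than introduced here, but since the commit touches the guard two lines above it is a good moment to either switch to `update!` (confirm callers tolerate `ActiveRecord::RecordInvalid`, or rescue it into an error result) or check the boolean and return an error. The `execute` method and the `tap` block continue past the end of the hunk.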
diff --git a/ee/lib/api/vulnerabilities.rb b/ee/lib/api/vulnerabilities.rb
index 985d23272bb..5d628d9d6a4 100644
--- a/ee/lib/api/vulnerabilities.rb
+++ b/ee/lib/api/vulnerabilities.rb
@@ -55,7 +55,7 @@ module API
         success EE::API::Entities::Vulnerability
       end
       post ':id/resolve' do
-        vulnerability = find_and_authorize_vulnerability!(:resolve_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
         break not_modified! if vulnerability.resolved?
 
         vulnerability = ::Vulnerabilities::ResolveService.new(current_user, vulnerability).execute
@@ -66,7 +66,7 @@ module API
         success EE::API::Entities::Vulnerability
       end
       post ':id/dismiss' do
-        vulnerability = find_and_authorize_vulnerability!(:dismiss_vulnerability)
+        vulnerability = find_and_authorize_vulnerability!(:admin_vulnerability)
         break not_modified! if vulnerability.closed?
 
         vulnerability = ::Vulnerabilities::DismissService.new(current_user, vulnerability).execute
diff --git a/ee/spec/policies/project_policy_spec.rb b/ee/spec/policies/project_policy_spec.rb
index 74e3cb369b4..dea515d357e 100644
--- a/ee/spec/policies/project_policy_spec.rb
+++ b/ee/spec/policies/project_policy_spec.rb
@@ -33,7 +33,7 @@ describe ProjectPolicy do
     let(:additional_developer_permissions) do
       %i[
         admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
-        read_vulnerability create_vulnerability resolve_vulnerability dismiss_vulnerability
+        read_vulnerability create_vulnerability admin_vulnerability
       ]
     end
     let(:additional_maintainer_permissions) { %i[push_code_to_protected_branches admin_feature_flags_client] }
@@ -495,8 +495,7 @@ describe ProjectPolicy do
         include_context 'when security dashboard feature is not available'
 
         it { is_expected.to be_disallowed(:create_vulnerability) }
-        it { is_expected.to be_disallowed(:resolve_vulnerability) }
-        it { is_expected.to be_disallowed(:dismiss_vulnerability) }
+        it { is_expected.to be_disallowed(:admin_vulnerability) }
       end
     end
   end
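Review bot: The spec change only asserts that `admin_vulnerability` is disallowed when the security dashboard feature is unavailable; the positive case is covered indirectly by the developer-permission list, but nothing exercises the archived-project path that the new `vulnerability` entry in the policy's feature list (earlier in this patch) presumably drives. If that list is the one that disables `admin_*` abilities for archived projects, add `it { is_expected.to be_disallowed(:admin_vulnerability) }` under the spec's archived-project context (if one exists for other `admin_*` abilities), so the merge of the two abilities does not silently lose that restriction later.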
-- 
2.30.9