Commit 6b70abb8 authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-fix_project_authorizations_for_security_dashboard' into 'master'

Security fix project authorizations for security dashboard

Closes #144

See merge request gitlab-org/security/gitlab!561
parents 345ab151 59740023
...@@ -58,5 +58,10 @@ class InstanceSecurityDashboard ...@@ -58,5 +58,10 @@ class InstanceSecurityDashboard
.where(users_security_dashboard_projects: { user_id: user.id }) .where(users_security_dashboard_projects: { user_id: user.id })
.where(project_authorizations: { user_id: user.id }) .where(project_authorizations: { user_id: user.id })
.where('users_security_dashboard_projects.project_id = project_authorizations.project_id') .where('users_security_dashboard_projects.project_id = project_authorizations.project_id')
.where(access_level: authorized_access_levels)
end
def authorized_access_levels
Gitlab::Access.vulnerability_access_levels.values
end end
end end
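Review bot: The new `.where(access_level: authorized_access_levels)` leaves `access_level` unqualified while the same query names two tables explicitly (`users_security_dashboard_projects` and `project_authorizations`); ActiveRecord qualifies a hash condition with the relation's base table, so the filter is only correct if the chain starts from `ProjectAuthorization`, and the start of the method is outside the hunk, so that cannot be confirmed here. Qualifying it explicitly removes the dependency and matches the preceding line's style: `.where(project_authorizations: { user_id: user.id, access_level: authorized_access_levels })`, dropping the separate `.where(access_level: ...)`. The new `authorized_access_levels` helper has no visibility marker in the hunk; if it is not already below `private`, it belongs there, since it only exists to feed this query. A one-line comment would also help: `# Only authorizations at a level that may read vulnerabilities count; see Gitlab::Access.vulnerability_access_levels.`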
---
title: Fix project authorizations for instance security dashboard
merge_request:
author:
type: security
...@@ -10,6 +10,12 @@ module EE ...@@ -10,6 +10,12 @@ module EE
module Access module Access
extend ActiveSupport::Concern extend ActiveSupport::Concern
ADMIN = 60 ADMIN = 60
class_methods do
def vulnerability_access_levels
@vulnerability_access_levels ||= options_with_owner.except('Guest')
end
end
end end
end end
end end
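Review bot: `vulnerability_access_levels` excludes guests by the display label `'Guest'`, so a rename of that label in `options_with_owner` would silently stop excluding them and widen the set of authorizations that pass the dashboard filter; selecting on the numeric level is robust to that, e.g. `@vulnerability_access_levels ||= options_with_owner.select { |_, level| level > ::Gitlab::Access::GUEST }.freeze`, assuming Guest is the lowest level in `options_with_owner`. The memoized hash is also shared by every caller and not frozen, so the `.freeze` keeps an accidental mutation from changing the authorization set process-wide. A short comment on the method would state the contract: `# name => level for every role allowed to read vulnerabilities (everything above Guest)`.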
...@@ -5,14 +5,17 @@ require 'spec_helper' ...@@ -5,14 +5,17 @@ require 'spec_helper'
RSpec.describe InstanceSecurityDashboard do RSpec.describe InstanceSecurityDashboard do
let_it_be(:project1) { create(:project) } let_it_be(:project1) { create(:project) }
let_it_be(:project2) { create(:project) } let_it_be(:project2) { create(:project) }
let_it_be(:project3) { create(:project) }
let_it_be(:pipeline1) { create(:ci_pipeline, project: project1) } let_it_be(:pipeline1) { create(:ci_pipeline, project: project1) }
let_it_be(:pipeline2) { create(:ci_pipeline, project: project2) } let_it_be(:pipeline2) { create(:ci_pipeline, project: project2) }
let_it_be(:pipeline3) { create(:ci_pipeline, project: project3) }
let(:project_ids) { [project1.id] } let(:project_ids) { [project1.id] }
let(:user) { create(:user) } let(:user) { create(:user) }
before do before do
project1.add_developer(user) project1.add_developer(user)
user.security_dashboard_projects << [project1, project2] project3.add_guest(user)
user.security_dashboard_projects << [project1, project2, project3]
end end
subject { described_class.new(user, project_ids: project_ids) } subject { described_class.new(user, project_ids: project_ids) }
...@@ -92,7 +95,7 @@ RSpec.describe InstanceSecurityDashboard do ...@@ -92,7 +95,7 @@ RSpec.describe InstanceSecurityDashboard do
let(:user) { create(:auditor) } let(:user) { create(:auditor) }
it "returns all projects on the user's dashboard" do it "returns all projects on the user's dashboard" do
expect(subject.projects).to contain_exactly(project1, project2) expect(subject.projects).to contain_exactly(project1, project2, project3)
end end
end end
end end
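Review bot: The spec pins only the Guest side of the new threshold: `project3` is given guest access in the `before` block, but no project gives the user Reporter, the lowest level the filter admits, so a cutoff moved by one level in either direction would not be caught. Adding a fourth project set up with `add_reporter(user)`, appended to `user.security_dashboard_projects`, and asserting it is included for the regular user would close that gap; the expectation that `project3` is excluded for the non-auditor user is not in the visible hunks, so I assume it lives elsewhere in this file. The auditor example now expects `project3` as well, which records that the access-level filter does not apply to auditors; an `it` description such as `"returns all dashboard projects regardless of the auditor's access level"` would make that intent explicit rather than implied by the expectation.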