Commit 6d128367 authored by syasonik's avatar syasonik

Use correct roles for each alert task

Updates roles for alert management tasks. Developers+
can read and update alerts. Maintainers+ can enable
alert management. Ensures the AlertManagementController
respects these roles.
parent 9955183f
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
class Projects::AlertManagementController < Projects::ApplicationController class Projects::AlertManagementController < Projects::ApplicationController
before_action :ensure_list_feature_enabled, only: :index before_action :ensure_list_feature_enabled, only: :index
before_action :ensure_detail_feature_enabled, only: :details before_action :ensure_detail_feature_enabled, only: :details
before_action :authorize_read_alert_management_alert!
before_action do before_action do
push_frontend_feature_flag(:alert_list_status_filtering_enabled) push_frontend_feature_flag(:alert_list_status_filtering_enabled)
end end
......
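Review bot: The new `before_action :authorize_read_alert_management_alert!` is registered after `ensure_list_feature_enabled` and `ensure_detail_feature_enabled`, so for an unauthorized or anonymous user the feature-flag checks run before any permission check. The spec contexts suggest both feature checks answer 404 as well, so nothing leaks today, but if either helper ever redirects or renders differently an outsider could probe the flag state; moving the authorization line above the two feature checks makes the ordering independent of that. The helpers and the controller actions are outside this hunk, so whether `details` should additionally go through the per-alert `AlertManagement::AlertPolicy` rather than only the project-level ability cannot be confirmed here.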
...@@ -31,7 +31,7 @@ module AlertManagement ...@@ -31,7 +31,7 @@ module AlertManagement
end end
def authorized? def authorized?
Ability.allowed?(current_user, :read_alert_management_alerts, project) Ability.allowed?(current_user, :read_alert_management_alert, project)
end end
end end
end end
...@@ -18,7 +18,7 @@ module Mutations ...@@ -18,7 +18,7 @@ module Mutations
null: true, null: true,
description: "The alert after mutation" description: "The alert after mutation"
authorize :update_alert_management_alerts authorize :update_alert_management_alert
private private
......
...@@ -6,7 +6,7 @@ module Types ...@@ -6,7 +6,7 @@ module Types
graphql_name 'AlertManagementAlert' graphql_name 'AlertManagementAlert'
description "Describes an alert from the project's Alert Management" description "Describes an alert from the project's Alert Management"
authorize :read_alert_management_alerts authorize :read_alert_management_alert
field :iid, field :iid,
GraphQL::ID_TYPE, GraphQL::ID_TYPE,
......
...@@ -448,7 +448,7 @@ module ProjectsHelper ...@@ -448,7 +448,7 @@ module ProjectsHelper
clusters: :read_cluster, clusters: :read_cluster,
serverless: :read_cluster, serverless: :read_cluster,
error_tracking: :read_sentry_issue, error_tracking: :read_sentry_issue,
alert_management: :read_alert_management, alert_management: :read_alert_management_alert,
labels: :read_label, labels: :read_label,
issues: :read_issue, issues: :read_issue,
project_members: :read_project_member, project_members: :read_project_member,
......
...@@ -236,11 +236,8 @@ class ProjectPolicy < BasePolicy ...@@ -236,11 +236,8 @@ class ProjectPolicy < BasePolicy
enable :read_merge_request enable :read_merge_request
enable :read_sentry_issue enable :read_sentry_issue
enable :update_sentry_issue enable :update_sentry_issue
enable :read_alert_management
enable :read_prometheus enable :read_prometheus
enable :read_metrics_dashboard_annotation enable :read_metrics_dashboard_annotation
enable :read_alert_management_alerts
enable :update_alert_management_alerts
enable :metrics_dashboard enable :metrics_dashboard
end end
...@@ -306,6 +303,8 @@ class ProjectPolicy < BasePolicy ...@@ -306,6 +303,8 @@ class ProjectPolicy < BasePolicy
enable :create_metrics_dashboard_annotation enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation
enable :read_alert_management_alert
enable :update_alert_management_alert
enable :create_design enable :create_design
enable :destroy_design enable :destroy_design
end end
......
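Review bot: The commit message says maintainers+ can enable alert management, but neither hunk in this policy adds or moves an enable/configure ability — the two hunks only move `read_alert_management_alert` and `update_alert_management_alert` from the block that holds the reporter-level abilities to the one holding developer-level abilities, and drop `read_alert_management`. If the maintainer rule lives in another file it should be named in the description; otherwise the description overstates what this commit does. Dropping `read_alert_management` is safe only if the ProjectsHelper sidebar entry was its last consumer; as far as I recall an unknown ability passed to `can?`/`Ability.allowed?` is simply denied rather than raising, so any remaining caller would fail silently. The enclosing `rule` blocks start outside both hunks, so the role each block maps to is inferred from the neighbouring abilities.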
...@@ -4,7 +4,7 @@ require 'spec_helper' ...@@ -4,7 +4,7 @@ require 'spec_helper'
describe Projects::AlertManagementController do describe Projects::AlertManagementController do
let_it_be(:project) { create(:project) } let_it_be(:project) { create(:project) }
let_it_be(:role) { :reporter } let_it_be(:role) { :developer }
let_it_be(:user) { create(:user) } let_it_be(:user) { create(:user) }
let_it_be(:id) { 1 } let_it_be(:id) { 1 }
...@@ -24,6 +24,16 @@ describe Projects::AlertManagementController do ...@@ -24,6 +24,16 @@ describe Projects::AlertManagementController do
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
context 'when user is unauthorized' do
let(:role) { :reporter }
it 'shows 404' do
get :index, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
context 'when alert_management_minimal is disabled' do context 'when alert_management_minimal is disabled' do
...@@ -50,6 +60,16 @@ describe Projects::AlertManagementController do ...@@ -50,6 +60,16 @@ describe Projects::AlertManagementController do
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
end end
context 'when user is unauthorized' do
let(:role) { :reporter }
it 'shows 404' do
get :index, params: { namespace_id: project.namespace, project_id: project }
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
context 'when alert_management_detail is disabled' do context 'when alert_management_detail is disabled' do
......
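Review bot: The second `when user is unauthorized` context — the one that appears to sit under the `#details` examples, judging by the `id` fixture and the `alert_management_detail is disabled` context that follows — still issues `get :index`, so the reporter-gets-404 behaviour of the details action is never exercised; it should be `get :details, params: { namespace_id: project.namespace, project_id: project, id: id }`. Separately, `role` is declared with `let_it_be` at the top of the spec while the new contexts override it with a plain `let`; that override only takes effect if the membership is created in a per-example `before`, not in `before_all`/`let_it_be`, which is worth confirming since the setup is outside the hunk.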
...@@ -9,7 +9,7 @@ describe Mutations::AlertManagement::UpdateAlertStatus do ...@@ -9,7 +9,7 @@ describe Mutations::AlertManagement::UpdateAlertStatus do
let(:new_status) { 'acknowledged' } let(:new_status) { 'acknowledged' }
let(:args) { { status: new_status, project_path: project.full_path, iid: alert.iid } } let(:args) { { status: new_status, project_path: project.full_path, iid: alert.iid } }
specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alerts) } specify { expect(described_class).to require_graphql_authorizations(:update_alert_management_alert) }
describe '#resolve' do describe '#resolve' do
subject(:resolve) { mutation_for(project, current_user).resolve(args) } subject(:resolve) { mutation_for(project, current_user).resolve(args) }
......
...@@ -5,7 +5,7 @@ require 'spec_helper' ...@@ -5,7 +5,7 @@ require 'spec_helper'
describe GitlabSchema.types['AlertManagementAlert'] do describe GitlabSchema.types['AlertManagementAlert'] do
specify { expect(described_class.graphql_name).to eq('AlertManagementAlert') } specify { expect(described_class.graphql_name).to eq('AlertManagementAlert') }
specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alerts) } specify { expect(described_class).to require_graphql_authorizations(:read_alert_management_alert) }
it 'exposes the expected fields' do it 'exposes the expected fields' do
expected_fields = %i[ expected_fields = %i[
......
...@@ -10,16 +10,16 @@ describe AlertManagement::AlertPolicy, :models do ...@@ -10,16 +10,16 @@ describe AlertManagement::AlertPolicy, :models do
subject(:policy) { described_class.new(user, alert) } subject(:policy) { described_class.new(user, alert) }
describe 'rules' do describe 'rules' do
it { is_expected.to be_disallowed :read_alert_management_alerts } it { is_expected.to be_disallowed :read_alert_management_alert }
it { is_expected.to be_disallowed :update_alert_management_alerts } it { is_expected.to be_disallowed :update_alert_management_alert }
context 'when developer' do context 'when developer' do
before do before do
project.add_developer(user) project.add_developer(user)
end end
it { is_expected.to be_allowed :read_alert_management_alerts } it { is_expected.to be_allowed :read_alert_management_alert }
it { is_expected.to be_allowed :update_alert_management_alerts } it { is_expected.to be_allowed :update_alert_management_alert }
end end
end end
end end
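Review bot: The spec asserts the abilities are denied for a non-member and allowed for a developer, but has no example for the role this commit actually moves the boundary across — a reporter should now be disallowed both `read_alert_management_alert` and `update_alert_management_alert`. Without that example a regression that re-grants the abilities at reporter level would still pass; add a `context 'when reporter'` with `project.add_reporter(user)` and the two `be_disallowed` expectations mirroring the developer block.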