Move security routes under - scope

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

changelogs/unreleased/dz-scope-security-routes.yml

+---
+title: Move security routes under - scope
+merge_request: 24287
+author:
+type: changed

config/routes/project.rb

@@ -468,7 +468,8 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
                                             :forks, :group_links, :import, :avatar, :mirror,
                                             :cycle_analytics, :mattermost, :variables, :triggers,
                                             :environments, :protected_environments, :error_tracking,
-                                            :serverless, :clusters, :audit_events, :wikis, :merge_requests)
+                                            :serverless, :clusters, :audit_events, :wikis, :merge_requests,
+                                            :vulnerability_feedback, :security, :dependencies)
     end
 
     # rubocop: disable Cop/PutProjectRoutesUnderScope

ee/config/routes/project.rb

@@ -56,8 +56,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
 
         resources :subscriptions, only: [:create, :destroy]
 
-        resources :licenses, only: [:index, :create, :update]
-
         resource :threat_monitoring, only: [:show], controller: :threat_monitoring
 
         resources :logs, only: [:index] do
@@ -79,6 +77,16 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           resources :waf_anomalies, only: [] do
             get :summary, on: :collection
           end
+
+          resources :dashboard, only: [:show, :index], controller: :dashboard
+          resource :configuration, only: [:show], controller: :configuration
+          resource :discover, only: [:show], controller: :discover
+
+          resources :vulnerability_findings, only: [:index] do
+            collection do
+              get :summary
+            end
+          end
         end
 
         namespace :analytics do
@@ -88,6 +96,9 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
         resources :approvers, only: :destroy
         resources :approver_groups, only: :destroy
         resources :push_rules, constraints: { id: /\d+/ }, only: [:update]
+        resources :vulnerability_feedback, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
+        resources :dependencies, only: [:index]
+        resources :licenses, only: [:index, :create, :update]
       end
       # End of the /-/ scope.
 
@@ -146,22 +157,6 @@ constraints(::Constraints::ProjectUrlConstrainer.new) do
           post :query
         end
       end
-
-      namespace :security do
-        resources :dashboard, only: [:show, :index], controller: :dashboard
-        resource :configuration, only: [:show], controller: :configuration
-        resource :discover, only: [:show], controller: :discover
-
-        resources :vulnerability_findings, only: [:index] do
-          collection do
-            get :summary
-          end
-        end
-      end
-
-      resources :vulnerability_feedback, only: [:index, :create, :update, :destroy], constraints: { id: /\d+/ }
-
-      resources :dependencies, only: [:index]
       # All new routes should go under /-/ scope.
       # Look for scope '-' at the top of the file.
       # rubocop: enable Cop/PutProjectRoutesUnderScope

ee/spec/presenters/merge_request_presenter_spec.rb

@@ -105,7 +105,7 @@ describe MergeRequestPresenter do
     with_them do
       subject { described_class.new(merge_request, current_user: user).public_send(create_feedback_path, merge_request.project) }
 
-      it { is_expected.to eq("/#{merge_request.project.full_path}/vulnerability_feedback") }
+      it { is_expected.to eq("/#{merge_request.project.full_path}/-/vulnerability_feedback") }
 
       context 'when not allowed to create vulnerability feedback' do
         let(:unauthorized_user) { create(:user) }

ee/spec/routing/project_routing_spec.rb

@@ -12,15 +12,19 @@ describe 'EE-specific project routing' do
   # project_vulnerability_feedback  DELETE /:project_id/vulnerability_feedback/:id(.:format) projects/vulnerability_feedback#destroy
   describe Projects::VulnerabilityFeedbackController, 'routing', type: :routing do
     it "to #index" do
-      expect(get("/gitlab/gitlabhq/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
+      expect(get("/gitlab/gitlabhq/-/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#index', namespace_id: 'gitlab', project_id: 'gitlabhq')
     end
 
     it "to #create" do
-      expect(post("/gitlab/gitlabhq/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#create', namespace_id: 'gitlab', project_id: 'gitlabhq')
+      expect(post("/gitlab/gitlabhq/-/vulnerability_feedback")).to route_to('projects/vulnerability_feedback#create', namespace_id: 'gitlab', project_id: 'gitlabhq')
     end
 
     it "to #destroy" do
-      expect(delete("/gitlab/gitlabhq/vulnerability_feedback/1")).to route_to('projects/vulnerability_feedback#destroy', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
+      expect(delete("/gitlab/gitlabhq/-/vulnerability_feedback/1")).to route_to('projects/vulnerability_feedback#destroy', namespace_id: 'gitlab', project_id: 'gitlabhq', id: '1')
+    end
+
+    describe 'legacy routing' do
+      it_behaves_like 'redirecting a legacy project path', "/gitlab/gitlabhq/vulnerability_feedback", "/gitlab/gitlabhq/-/vulnerability_feedback"
     end
   end
 

ee/spec/serializers/merge_request_widget_entity_spec.rb

@@ -208,7 +208,7 @@ describe MergeRequestWidgetEntity do
 
   it 'has vulnerability feedback paths' do
     expect(subject.as_json[:vulnerability_feedback_path]).to eq(
-      "/#{merge_request.project.full_path}/vulnerability_feedback"
+      "/#{merge_request.project.full_path}/-/vulnerability_feedback"
     )
     expect(subject.as_json).to include(:create_vulnerability_feedback_issue_path)
     expect(subject.as_json).to include(:create_vulnerability_feedback_merge_request_path)