Commit bd7700b2 authored by Imre Farkas's avatar Imre Farkas

Merge branch '13247-licenses-permissions' into 'master'

Update permissions for Licenses and Licenses Controllers

See merge request gitlab-org/gitlab!21139
parents d4a913dc 44395fa1
......@@ -2,6 +2,10 @@
module Projects
class LicensesController < Projects::ApplicationController
before_action :authorize_read_licenses_list!
before_action :authorize_read_licenses!
before_action do
push_frontend_feature_flag(:licenses_list)
end
end
end
......@@ -3,7 +3,7 @@
module Projects
module Security
class LicensesController < Projects::ApplicationController
before_action :authorize_read_licenses_list!
before_action :authorize_read_licenses!, only: [:index]
before_action :authorize_admin_software_license_policy!, only: [:create, :update]
def index
......
......@@ -45,7 +45,7 @@ module EE
nav_tabs << :dependencies
end
if can?(current_user, :read_licenses_list, project)
if ::Feature.enabled?(:licenses_list, project) && can?(current_user, :read_licenses, project)
nav_tabs << :licenses
end
......
......@@ -112,7 +112,6 @@ class License < ApplicationRecord
group_ip_restriction
incident_management
insights
licenses_list
license_management
personal_access_token_expiration_policy
pod_logs
......
......@@ -80,11 +80,6 @@ module EE
@subject.feature_available?(:dependency_scanning)
end
with_scope :subject
condition(:licenses_list_enabled) do
@subject.beta_feature_available?(:licenses_list)
end
with_scope :subject
condition(:feature_flags_disabled) do
!@subject.feature_available?(:feature_flags)
......@@ -175,11 +170,11 @@ module EE
rule { can?(:read_project) & (can?(:read_merge_request) | can?(:read_build)) }.enable :read_vulnerability_feedback
rule { license_management_enabled & can?(:read_project) }.enable :read_software_license_policy
rule { dependency_scanning_enabled & can?(:download_code) }.enable :read_dependencies
rule { licenses_list_enabled & can?(:read_software_license_policy) }.enable :read_licenses_list
rule { license_management_enabled & can?(:download_code) }.enable :read_licenses
rule { can?(:read_licenses) }.enable :read_software_license_policy
rule { repository_mirrors_enabled & ((mirror_available & can?(:admin_project)) | admin) }.enable :admin_mirror
......
......@@ -27,6 +27,6 @@ class DependencyEntity < Grape::Entity
end
def can_read_licenses?
can?(request.user, :read_software_license_policy, request.project)
can?(request.user, :read_licenses, request.project)
end
end
......@@ -17,7 +17,7 @@ describe Projects::LicensesController do
context 'when feature is available' do
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
end
it 'renders the show template' do
......@@ -44,7 +44,7 @@ describe Projects::LicensesController do
context 'when feature is available' do
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
end
it 'returns 404' do
......
......@@ -15,12 +15,12 @@ describe Projects::Security::LicensesController do
context 'with authorized user' do
before do
project.add_guest(user)
project.add_reporter(user)
end
context 'when feature is available' do
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
end
it 'counts usage of the feature' do
......@@ -139,7 +139,7 @@ describe Projects::Security::LicensesController do
context 'with unauthorized user' do
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
get_licenses
end
......@@ -168,7 +168,7 @@ describe Projects::Security::LicensesController do
let(:current_user) { create(:user) }
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
sign_in(current_user)
end
......@@ -286,7 +286,7 @@ describe Projects::Security::LicensesController do
let(:current_user) { create(:user) }
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
sign_in(current_user)
end
......
......@@ -8,7 +8,7 @@ RSpec.describe SCA::LicenseCompliance do
let(:project) { create(:project, :repository, :private) }
before do
stub_licensed_features(licenses_list: true, license_management: true)
stub_licensed_features(license_management: true)
end
describe "#policies" do
......
......@@ -27,9 +27,11 @@ describe ProjectPolicy do
include_context 'ProjectPolicy context'
let(:additional_guest_permissions) do
%i[read_issue_link read_software_license_policy]
%i[read_issue_link]
end
let(:additional_reporter_permissions) do
%i[read_software_license_policy admin_issue_link]
end
let(:additional_reporter_permissions) { [:admin_issue_link] }
let(:additional_developer_permissions) do
%i[
admin_vulnerability_feedback read_project_security_dashboard read_feature_flag
......@@ -717,7 +719,7 @@ describe ProjectPolicy do
end
end
describe 'read_license_management' do
describe 'read_software_license_policy' do
context 'without license management feature available' do
before do
stub_licensed_features(license_management: false)
......@@ -811,78 +813,55 @@ describe ProjectPolicy do
end
end
describe 'read_licenses_list' do
context 'when licenses list feature available' do
describe 'read_licenses' do
context 'when license management feature available' do
before do
stub_feature_flags(licenses_list: true)
stub_licensed_features(license_management: true)
end
context 'with public project' do
let(:current_user) { create(:user) }
context 'with public access to repository' do
it { is_expected.to be_allowed(:read_licenses_list) }
it { is_expected.to be_allowed(:read_licenses) }
end
end
context 'with private project' do
let(:project) { create(:project, :private, namespace: owner.namespace) }
where(role: %w[admin owner maintainer developer reporter guest])
where(role: %w[admin owner maintainer developer reporter])
with_them do
let(:current_user) { public_send(role) }
it { is_expected.to be_allowed(:read_licenses_list) }
it { is_expected.to be_allowed(:read_licenses) }
end
context 'with guest' do
let(:current_user) { guest }
it { is_expected.to be_disallowed(:read_licenses) }
end
context 'with not member' do
let(:current_user) { create(:user) }
it { is_expected.to be_disallowed(:read_licenses_list) }
it { is_expected.to be_disallowed(:read_licenses) }
end
context 'with anonymous' do
let(:current_user) { nil }
it { is_expected.to be_disallowed(:read_licenses_list) }
it { is_expected.to be_disallowed(:read_licenses) }
end
end
end
context "when the licenses_list feature is enabled for a specific project" do
let(:current_user) { create(:user) }
before do
stub_feature_flags(licenses_list: { enabled: true, thing: project })
stub_licensed_features(license_management: true)
end
it { is_expected.to be_allowed(:read_licenses_list) }
end
context 'when license management feature in not available' do
let(:current_user) { admin }
before do
stub_feature_flags(licenses_list: true)
stub_licensed_features(license_management: false)
end
it { is_expected.to be_disallowed(:read_licenses_list) }
end
end
context 'when licenses list feature not available' do
let(:current_user) { admin }
before do
stub_feature_flags(licenses_list: false)
end
it { is_expected.to be_disallowed(:read_licenses_list) }
it { is_expected.to be_disallowed(:read_licenses) }
end
end
......
......@@ -4,7 +4,7 @@ RSpec.shared_examples 'archived project policies' do
let(:feature_write_abilities) do
described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
described_class.create_update_admin_destroy(feature)
end + additional_reporter_permissions + additional_maintainer_permissions
end + additional_maintainer_permissions
end
let(:other_write_abilities) do
......@@ -18,6 +18,7 @@ RSpec.shared_examples 'archived project policies' do
resolve_note
award_emoji
admin_tag
admin_issue_link
]
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment