diff --git a/ee/app/controllers/groups/security/vulnerabilities_controller.rb b/ee/app/controllers/groups/security/vulnerabilities_controller.rb
index 04dd1e2cf80bfba1356527851f93c9ace077f4d6..1253e27f91b8f788ab9869ae3003af6165998961 100644
--- a/ee/app/controllers/groups/security/vulnerabilities_controller.rb
+++ b/ee/app/controllers/groups/security/vulnerabilities_controller.rb
@@ -14,6 +14,8 @@ class VulnerabilitiesController < Groups::ApplicationController
 before_action do
 push_frontend_feature_flag(:vulnerability_report_owasp_2021, @group)
 push_frontend_feature_flag(:owasp_top_10_null_filtering, @group)
+
+ push_frontend_ability(ability: :resolve_vulnerability_with_ai, resource: @group, user: current_user)
 end
 
 def index
diff --git a/ee/app/policies/ee/group_policy.rb b/ee/app/policies/ee/group_policy.rb
index 347584c98eb43f629f95da273476e1f342a8c91f..e2f64de3194aaec82242ae94590b73aea49f17d5 100644
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -535,6 +535,14 @@ module GroupPolicy
 enable :admin_vulnerability
 end
 
+ condition(:resolve_vulnerability_authorized) do
+ ::Gitlab::Llm::Utils::UserAuthorizer.new(@user, subject, :resolve_vulnerability).allowed?
+ end
+
+ rule { can?(:read_security_resource) & resolve_vulnerability_authorized }.policy do
+ enable :resolve_vulnerability_with_ai
+ end
+
 rule { custom_role_enables_admin_group_member }.policy do
 enable :admin_group_member
 enable :update_group_member
diff --git a/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb b/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
index 0d4c8e8917bb21fae4af35abf8e2d88dca142e6c..e9735890b035c02f3fdd1c0a5ccfe0dc176fd23e 100644
--- a/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
+++ b/ee/spec/controllers/groups/security/vulnerabilities_controller_spec.rb
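Review bot: The new `push_frontend_ability` line only tells the vulnerability report UI whether to offer AI resolution; it is not an authorization boundary, so the server-side endpoint that actually performs the resolution must enforce `:resolve_vulnerability_with_ai` (or the same `UserAuthorizer` check) itself — nothing in this diff shows that, so please confirm it is covered elsewhere. Because it sits in the `before_action` block it now evaluates the policy, and the LLM authorizer behind it, on every action of this controller, including requests that end up rendering the unavailable template; if that check is not cheap, consider limiting it to the actions that render the report. `current_user` is passed unguarded, so if any action here is reachable anonymously, confirm the policy condition copes with a nil user. A one-line comment such as `# Gates the "Resolve with AI" action in the report UI only; the resolving endpoint performs its own check` would make the intent explicit. The enclosing class starts and ends outside the hunk.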
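Review bot: The new `condition(:resolve_vulnerability_authorized)` carries no `desc`, and the three different names involved (`resolve_vulnerability_authorized`, the `:resolve_vulnerability` feature passed to `UserAuthorizer`, and the exposed `:resolve_vulnerability_with_ai` ability) make the mapping hard to follow; add `desc "User is authorized to use AI vulnerability resolution on this group"` above the condition and a short comment stating that `:resolve_vulnerability` is the AI feature name the authorizer looks up. The condition hands `@user` straight to `::Gitlab::Llm::Utils::UserAuthorizer`, and `@user` is nil when the policy is evaluated for an anonymous visitor of a public group; `can?(:read_security_resource)` in the rule probably excludes that case, but confirm the authorizer tolerates a nil user rather than raising from inside policy evaluation. The condition is left at the default scope, which is correct since the result depends on both user and subject — it should not be narrowed to `scope: :user` or `scope: :subject` later. The enclosing `module GroupPolicy` block starts and ends outside the hunk.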
@@ -11,7 +11,7 @@
 end
 
 describe 'GET index' do
- subject { get :index, params: { group_id: group.to_param } }
+ subject(:show_security_dashboard) { get :index, params: { group_id: group.to_param } }
 
 context 'when security dashboard feature is enabled' do
 before do
@@ -26,7 +26,7 @@
 it { is_expected.to have_gitlab_http_status(:ok) }
 
 it_behaves_like 'tracks govern usage event', 'users_visiting_security_vulnerabilities' do
- let(:request) { subject }
+ let(:request) { show_security_dashboard }
 end
 end
 
@@ -35,7 +35,7 @@
 it { is_expected.to render_template(:unavailable) }
 
 it_behaves_like "doesn't track govern usage event", 'users_visiting_security_vulnerabilities' do
- let(:request) { subject }
+ let(:request) { show_security_dashboard }
 end
 end
 end
@@ -45,7 +45,37 @@
 it { is_expected.to render_template(:unavailable) }
 
 it_behaves_like "doesn't track govern usage event", 'users_visiting_security_vulnerabilities' do
- let(:request) { subject }
+ let(:request) { show_security_dashboard }
+ end
+ end
+
+ context "when resolveVulnerabilityWithAi ability is allowed" do
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(user, :resolve_vulnerability_with_ai, group).and_return(true)
+
+ show_security_dashboard
+ end
+
+ render_views
+
+ it 'sets the frontend ability to true when allowed' do
+ expect(response.body).to have_pushed_frontend_ability(resolveVulnerabilityWithAi: true)
+ end
+ end
+
+ context "when resolveVulnerabilityWithAi ability is not allowed" do
+ before do
+ allow(Ability).to receive(:allowed?).and_call_original
+ allow(Ability).to receive(:allowed?).with(user, :resolve_vulnerability_with_ai, group).and_return(false)
+
+ show_security_dashboard
+ end
+
+ render_views
+
+ it 'sets the frontend ability to false not allowed' do
+ expect(response.body).to have_pushed_frontend_ability(resolveVulnerabilityWithAi: false)
 end
 end
 end
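Review bot: Both new contexts stub `Ability.allowed?` outright, so they verify only that the controller forwards the answer into the page and never exercise the new `resolve_vulnerability_with_ai` rule in `GroupPolicy`; unless a policy spec exists elsewhere in this change, add one covering the allowed and denied combinations of `read_security_resource` and the `UserAuthorizer` result. The `.with(user, :resolve_vulnerability_with_ai, group)` stub only takes effect if `push_frontend_ability` calls `Ability.allowed?` with exactly those three arguments; should it pass extra options, the stub is bypassed and `and_call_original` answers instead, so the `true` example could pass or fail for the wrong reason — worth confirming against the helper. The second example's description is missing a word: `it 'sets the frontend ability to false when not allowed' do`. The two contexts differ only in the stubbed boolean, so a shared example or a `where` table would remove the duplication; the enclosing `describe 'GET index'` block starts outside the hunk.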