Guest users are not able to create todos for work items
A user with guest access should be able to create todos and mark them as done despite not having permissions to update the work item.
We are observing this bug because the GraphQL mutation that updates all widgets checks update_work_item
permission when this particular widget requires the more lenient create_todo
permission.
Steps to replicate
- Log in as a
Guest
user and visit a work item in the project, for examplehttps://gdk.test:3000/gitlab-org/gitlab-test/-/work_items/1
- Click on the Todo icon to see the error
Screen_Recording_2023-05-24_at_11.48.55
Proposal
Use TodoCreate
and TodoMarkDone
for work items
Edited by Eugenia Grieff