
Update permissions to link child epics

Related to #382503 (closed)

What does this MR do and why?

As part of &9232 (closed) we want to update the role required to add a child epic from Reporter to Guest.

This MR adds the abilities :admin_epic_relation and :admin_epic_tree_relation to EpicPolicy to replace the use of :admin_epic_link in the following actions:

| Action | Permissions required |
| --- | --- |
| Add child epic | The subepics and epics features are available and the user has at least Guest role in the group |
| Remove child epic | The epics feature is available and the user has at least Guest role in the group |
| Reorder child epic | The subepics and epics features are available and the user has at least Guest role in the group |

Note: The requirements apply to the groups of both the child and parent epics.

Note 2: For all actions, the user has to be able to read the epics so a Guest role would be insufficient if the epic was confidential (a Reporter role is required in this case).

The reason to add 2 new policies :admin_epic_relation and :admin_epic_tree_relation is because we'll use the more generic one :admin_epic_relation to replace :admin_epic in linking epics and adding issues, while only using :admin_epic_tree_relation for the epic tree where we need to additionally check for subepics feature.


The changes in this MR cover:

  • Documentation update
  • EpicLinks:: services
  • Internal, REST and GraphQL endpoints

Pending tasks:

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.


Edited by Eugenia Grieff
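
The permission table and the two notes in the description above, modelled as an added example in plain Ruby; this is not GitLab's EpicPolicy or DeclarativePolicy code. `Group`, `Epic`, `can_read?`, `allowed?` and the mapping of "remove" to the generic ability are assumptions made for illustration; 10 and 20 are GitLab's numeric access levels for Guest and Reporter.

```ruby
GUEST = 10
REPORTER = 20

# Hypothetical stand-ins: a group has licensed features and member roles.
Group = Struct.new(:features, :members) do
  def role_of(user)
    members.fetch(user, 0) # non-members get no access
  end
end
Epic = Struct.new(:group, :confidential)

# Note 2: reading is a precondition for every action. Guest is enough
# unless the epic is confidential, where Reporter is required.
def can_read?(user, epic)
  epic.group.features.include?(:epics) &&
    epic.group.role_of(user) >= (epic.confidential ? REPORTER : GUEST)
end

# Generic ability: epic is readable and the user is at least Guest.
def admin_epic_relation?(user, epic)
  can_read?(user, epic) && epic.group.role_of(user) >= GUEST
end

# Tree ability: the generic check plus the subepics feature.
def admin_epic_tree_relation?(user, epic)
  admin_epic_relation?(user, epic) && epic.group.features.include?(:subepics)
end

# Assumed mapping from the table: add and reorder need the tree ability,
# remove needs only the generic one. Unknown actions raise KeyError.
REQUIRED_ABILITY = {
  add: :admin_epic_tree_relation?,
  reorder: :admin_epic_tree_relation?,
  remove: :admin_epic_relation?
}.freeze

# Note 1: the requirement must hold in both the parent's and child's group.
def allowed?(action, user, parent, child)
  check = REQUIRED_ABILITY.fetch(action)
  [parent, child].all? { |epic| send(check, user, epic) }
end

# Constructed sample data: one group, a Guest member, a confidential child.
demo_group = Group.new([:epics, :subepics], { "guest" => GUEST })
demo_parent = Epic.new(demo_group, false)
demo_child = Epic.new(demo_group, true)
puts allowed?(:add, "guest", demo_parent, demo_child)
```

The confidential child is what blocks the Guest here, which is the case a permission downgrade like this one most needs covered by tests.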
