Update related epic links permissions
Related to #424754 (closed)
## What does this MR do and why?

As part of #397073 (closed) we want to update the permissions required for relating (aka linking) epics.

Summary of changes:

- Currently, we require the user to have a `Guest` role in both epic groups, but we want to lower this requirement so users who can read both epics can also relate them.
- For this, we'll use the `admin_epic_link_relation` and `read_epic_link_relation` policies (behind the feature flag `epic_relations_for_non_members`).
- In the case of a private group, the `Guest` role would still be the minimum required, but in a public group a non-member will now have access to this action. In the case of confidential epics, the minimum continues to be a `Reporter` role.
- Both policies check the same permissions (the user is signed in and can read the epic), but `admin_epic_link_relation` also checks that the licensed feature `related_epics` is available. This distinction is needed because we only check the license on the source epic.
- These policies are used in `RelatedEpicLinksController`, `API::RelatedEpicLinks`, and the `RelatedEpicLinks` services, so this MR updates the specs accordingly.
- The same permissions apply to removing the relation.
- As this is part of a larger change that includes other epic relationships, the changes will stay behind the feature flag, disabled by default, until the update is complete.
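The permission rules summarised above, as an added Ruby sketch that is not GitLab's own DeclarativePolicy code: the role ranks, the `Group`/`Epic`/`User` structs and their attribute names are assumptions, and the feature flag itself is not modelled.

```ruby
# Added sketch of the permission rules described in this MR; not GitLab's own
# policy code. Role ranks, the structs and the attribute names are assumptions,
# and the epic_relations_for_non_members feature flag is not modelled.
ROLE_RANK = { none: 0, guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Group = Struct.new(:path, :visibility, :members, :licensed_features, keyword_init: true)
Epic  = Struct.new(:title, :group, :confidential, keyword_init: true)
User  = Struct.new(:username, keyword_init: true)

# Highest role the user holds in the group (:none for non-members).
def role_of(user, group)
  group.members.fetch(user.username, :none)
end

# "Can read the epic": anyone signed in for a public group, at least Guest for a
# private group, and at least Reporter when the epic is confidential.
def can_read_epic?(user, epic)
  return false if user.nil? # signed-in check

  minimum = if epic.confidential
              :reporter
            elsif epic.group.visibility == :private
              :guest
            else
              :none
            end
  ROLE_RANK[role_of(user, epic.group)] >= ROLE_RANK[minimum]
end

# read_epic_link_relation: signed in and able to read the epic.
def read_epic_link_relation?(user, epic)
  can_read_epic?(user, epic)
end

# admin_epic_link_relation: the same check plus the related_epics licensed
# feature. The license is only checked on the source epic, hence a separate policy.
def admin_epic_link_relation?(user, epic)
  can_read_epic?(user, epic) && epic.group.licensed_features.include?(:related_epics)
end

# Creating or removing a link from source to target: admin on the source,
# read on the target.
def can_relate_epics?(user, source, target)
  admin_epic_link_relation?(user, source) && read_epic_link_relation?(user, target)
end
```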
## How to set up and validate locally

- Create 2 public groups with an epic each (in the Rails console):

  ```ruby
  root = User.first
  # Public visibility is required so the non-member steps below apply.
  group1 = Group.create!(name: 'Test Group 1', path: 'test-group1', owner: root, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
  group2 = Group.create!(name: 'Test Group 2', path: 'test-group2', owner: root, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
  epic1 = Epic.create!(title: 'Test Epic 1', author: root, group: group1)
  epic2 = Epic.create!(title: 'Test Epic 2', author: root, group: group2)
  ```

- Sign in with a user different from `root` and visit https://gdk.test:3000/groups/test-group1/-/epics/1
- Verify that the `Linked epics` widget doesn't include the `Add` button
- Visit https://gdk.test:3000/-/profile/personal_access_tokens and create an access token with API access
- Verify that the user cannot add the related epic using the REST endpoint either:

  ```shell
  export GITLAB_PAT=<your api token>
  curl --header "PRIVATE-TOKEN: $GITLAB_PAT" -d target_group_id=test-group2 -d target_epic_iid=1 https://gdk.test:3000/api/v4/groups/test-group1/epics/1/related_epics
  # response => {"message":"403 Forbidden"}
  ```

- Enable the feature flag in the Rails console:

  ```ruby
  Feature.enable(:epic_relations_for_non_members)
  ```

- Visit the first epic again and verify that the `Add` button is shown and that adding the epic https://gdk.test:3000/groups/test-group2/-/epics/1 succeeds
- Remove the related epic and try adding it again using the REST endpoint; the request should succeed and return the created link
## MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.