Update controller permissions to set parent of an epic
Related to #397073 (closed)
What does this MR do and why?
This is a follow-up to !131559 (merged) where we updated permissions to set the parent of an epic at the service level.
This MR covers the controller permissions so that a non-member can set the parent of an epic via UI as long as they can read the parent and have `Guest` role in the child epic's group. This update also applies to removing the parent.
I skipped adding a changelog because the changes are behind the feature flag `epic_relations_for_non_members`, disabled by default.
Screenshots or screen recordings
A user that is not a member of the parent's group can add and remove a child epic if they have `Guest` role in the child's group:
How to set up and validate locally
- Create two public groups `Group 1` and `Group 2`
- Create an epic `Child` in `Group 1` and an epic `Parent` in `Group 2`
- Invite a user to `Group 1` with the `Guest` role and sign in as that user
- Visit the `Parent` epic and click on the button `Add` on the right side of the Child issues and epics widget to verify it doesn't display the option to add a child epic (due to FF being disabled)
- In the rails console enable the feature flag `Feature.enable(:epic_relations_for_non_members)`
- Reload the page for the `Parent` epic and check that `Add an existing epic` is now displayed when clicking `Add`
- Use the URL for `Child` to add it as a child. Verify that the child is added correctly and included in the children list
- Verify that the child displays the `x` button and that it can be removed by this user
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.