Skip to content

Update controller permissions to set parent of an epic

Related to #397073 (closed)

What does this MR do and why?

This is a follow-up to !131559 (merged) where we updated permissions to set the parent of an epic at the service level.

This MR covers the controller permissions so that a non-member can set the parent of an epic via UI as long as they can read the parent and have Guest role in the child epic's group. This update also applies to removing the parent.

I skipped adding a changelog because the changes are behind the feature flag epic_relations_for_non_members, disabled by default.

Screenshots or screen recordings

FF disabled FF enabled
A user that is not a member of the parent's group cannot see the option to add a child epic A user that is not a member of the parent's group can see the option to add a child epic
Screenshot_2023-10-31_at_11.03.26 Screenshot_2023-10-31_at_12.56.07

A user that is not a member of the parent's group can add and remove a child epic if they have Guest role in the child's group:

ui_set_parent_as_non_member

How to set up and validate locally

  1. Create two public groups Group 1 and Group 2
  2. Create an epic Child in Group 1 and an epic Parent in Group 2
  3. Invite a user to Group 1 with the Guest role and sign in as that user
  4. Visit the Parent epic and click on the button Add on the right side of the Child issues and epics widget to verify it doesn't display the option to add a child epic (due to FF being disabled)
  5. In the rails console enable the feature flag Feature.enable(:epic_relations_for_non_members)
  6. Reload the page for the Parent epic and check that Add an existing epic is now displayed when clicking Add
  7. Use the URL for Child to add it as a child. Verify that the child is added correctly and included in the children list
  8. Verify that the child displays the x button and that it can be removed by this user

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff

Merge request reports

Loading