Allow assigning of guests to confidential issues

What does this MR do and why?

Allows Guest-level assignees when updating issues. This is already possible on issue creation.

This is a chicken and egg problem:

  1. A Guest user can only view a confidential issue if they are the author or assignee
  2. A user can only be assigned to an issue if they can view the issue

Since we check permissions first before setting the assignee, the assignment fails.

This MR changes the permission check so that it checks the :read_issue permission on the parent. So if a user can read regular issues on the project, they can be assigned to confidential issues.

Related to #217613 (closed)

How to set up and validate locally

  1. Create a confidential issue
  2. Assign a Guest user (or a non-member if the project is public)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Heinrich Lee Yu
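
The circular check described above, and the parent-level check that breaks it, as an added example that is not part of the merge request or GitLab's code. It is a simplified model: every class and method name is hypothetical, and the rule that Reporter and above can read confidential issues is an assumption.

```ruby
# Simplified model with hypothetical names; not GitLab's policy code.
GUEST = 10
REPORTER = 20 # assumption: Reporter and above may read confidential issues
User = Struct.new(:name)

class Project
  attr_reader :members
  def initialize(is_public:)
    @is_public = is_public
    @members = {} # User => access level
  end
  # :read_issue on the parent: members, or anyone when the project is public.
  def can_read_issues?(user)
    @is_public || @members.key?(user)
  end
end

class Issue
  attr_reader :project, :assignees
  def initialize(project, author:, confidential:)
    @project, @author, @confidential = project, author, confidential
    @assignees = []
  end
  # Rule 1: below Reporter, a confidential issue is visible only to its author or assignees.
  def readable_by?(user)
    return false unless @project.can_read_issues?(user)
    return true unless @confidential
    @project.members.fetch(user, 0) >= REPORTER || user == @author || @assignees.include?(user)
  end
end

# Old update check (rule 2): the assignee must already be able to read this issue.
def assign_old(issue, user)
  return false unless issue.readable_by?(user)
  issue.assignees << user
  true
end

# Check described in this MR: the assignee needs :read_issue on the parent project.
def assign_new(issue, user)
  return false unless issue.project.can_read_issues?(user)
  issue.assignees << user
  true
end
```

In this model `readable_by?` becomes true for a Guest only after `assign_new` succeeds, so the assignment itself is what grants visibility of the confidential issue, while a non-member of a private project is still rejected.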
