Check correct permissions before showing Release Evidence link (!73574) · Merge requests · GitLab.org / GitLab

Alishan Ladhani requested to merge ali/fix-release-evidence-permission into master Nov 02, 2021

What does this MR do and why?

Change EvidenceType to check if user is authorized to read_release_evidence. This rule is already used when downloading Release Evidence (see controller).

The read_release_evidence rule checks download_code and a few other rules internally (see policy).

Related to #208397 (closed)

Screenshots or screen recordings

When user can `read_release_evidence`

When user cannot `read_release_evidence`

How to set up and validate locally

Create a Release.
Wait for Release Evidence to be created.
- The Release should show a link to the Evidence (see screenshots above).
Turn off Issues in the project's settings.
- read_release_evidence requires read_issue, so it will return false when Issues are turned off.
The Release should not show a link to the Evidence anymore.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Edited Nov 03, 2021 by Alishan Ladhani

Check correct permissions before showing Release Evidence link

What does this MR do and why?

Screenshots or screen recordings

When user can read_release_evidence

When user cannot read_release_evidence

How to set up and validate locally

MR acceptance checklist

Merge request reports

When user can `read_release_evidence`

When user cannot `read_release_evidence`