Fix permissions to create work items parent links
What does this MR do and why?
When assigning a parent to a work item, the user needs to have at least a reporter role in the parent's project. The same applies to assigning children.
Currently, we are checking for `update_work_item` permissions that are more permissive (allows author and assignees too) so this needs to be updated.
In this MR we add a new `admin_parent_link` rule to `WorkItemPolicy` that will be enabled only for reporters and update `ParentLinks::CreateService` and `ParentLinks::DestroyService` to use this rule instead.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Eugenia Grieff
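The difference between the two checks described in this MR, as a simplified stand-alone Ruby model added here for illustration. It is not GitLab's `WorkItemPolicy` or `ParentLinks::CreateService` code; the structs, the `create_parent_links` helper and the sample data are assumptions.

```ruby
# Simplified model (assumption): not GitLab's policy or service code.
GUEST = 10      # only the ordering GUEST < REPORTER matters here
REPORTER = 20

User = Struct.new(:name)
Project = Struct.new(:name, :members) do # members: { user => access level }
  def level_for(user)
    members.fetch(user, 0) # non-members get level 0
  end
end
WorkItem = Struct.new(:title, :project, :author, :assignees)

module Policy
  module_function

  # Permissive check: a project role OR a personal relationship to the item.
  def update_work_item?(user, item)
    item.project.level_for(user) >= REPORTER ||
      item.author == user || item.assignees.include?(user)
  end

  # Stricter check: project role only; authorship and assignment grant nothing.
  def admin_parent_link?(user, item)
    item.project.level_for(user) >= REPORTER
  end
end

# Hypothetical service: the ability must hold on the parent AND on every child,
# each evaluated against its own project.
def create_parent_links(user, parent, children, ability:)
  items = [parent, *children]
  return :forbidden unless items.all? { |i| Policy.public_send(ability, user, i) }
  :linked
end

# Constructed sample data.
AUTHOR = User.new("guest_author")   # guest who authored the parent
REPORTER_USER = User.new("reporter")
OUTSIDER = User.new("other_team")   # reporter only in the child's project
PARENT_PROJECT = Project.new("parent", { AUTHOR => GUEST, REPORTER_USER => REPORTER })
CHILD_PROJECT = Project.new("child", { AUTHOR => GUEST, REPORTER_USER => REPORTER,
                                       OUTSIDER => REPORTER })
PARENT = WorkItem.new("Parent issue", PARENT_PROJECT, AUTHOR, [])
CHILD = WorkItem.new("Child task", CHILD_PROJECT, REPORTER_USER, [AUTHOR])

if __FILE__ == $PROGRAM_NAME
  %i[update_work_item? admin_parent_link?].each do |ability|
    puts "#{ability}: guest author -> #{create_parent_links(AUTHOR, PARENT, [CHILD], ability: ability)}"
  end
end
```

A regression spec for this kind of change should cover the guest author or assignee and the user who has the role in only one of the two projects, since those are the cases where the two abilities disagree.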