Skip to content

Remove not allowed epics properties from issue CSV export

Felipe Cardozo requested to merge issue_371073 into master

What does this MR do and why?

Part of the work to allow cross group epic issues linking.
When an issue belongs to an epic outside of the issue group hierarchy we redact its title when exporting as CSV to prevent leaking information.

We need to do this before removing model validation that blocks cross-group epic issue linking.

To achieve the goal we need to accept user argument on EE::Issues::ExportService and redact not authorized epic titles when rendering the CSV.

related to #371073 (closed)

How to set up and validate locally

  1. Remove the validation that blocks cross-group epic/issue linking: https://gitlab.com/gitlab-org/gitlab/-/blob/5e1036165870cb56aca481d31ab98a80637961de/ee/app/models/epic_issue.rb#L20
  2. Create a private group A with one epic
  3. Create one project B with an issue X
  4. On group A epic add the issue X to the epic using its URL
  5. With a user that does not have access to group A, go to project B issues list and export issues as CSV

The CSV should contain only the epic id for that issue, its title should be blank.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Felipe Cardozo

Merge request reports

Loading