Remove not allowed epics properties from issue CSV export
What does this MR do and why?
Part of the work to allow cross group epic issues linking.
When an issue belongs to an epic outside of the issue group hierarchy we redact
its title when exporting as CSV to prevent leaking information.
We need to do this before removing model validation that blocks cross-group epic issue linking.
To achieve the goal we need to accept user
argument on EE::Issues::ExportService
and
redact not authorized epic titles when rendering the CSV.
related to #371073 (closed)
How to set up and validate locally
- Remove the validation that blocks cross-group epic/issue linking: https://gitlab.com/gitlab-org/gitlab/-/blob/5e1036165870cb56aca481d31ab98a80637961de/ee/app/models/epic_issue.rb#L20
- Create a private group A with one epic
- Create one project B with an issue X
- On group A epic add the issue X to the epic using its URL
- With a user that does not have access to group A, go to project B issues list and export issues as CSV
The CSV should contain only the epic id for that issue, its title should be blank.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Felipe Cardozo