Skip to content

Allow only project/group reporters to read and create internal notes

Felipe Cardozo requested to merge issue_363045 into master

What does this MR do and why?

Do not allow issue/epic, authors guest or assignees to create and view internal notes.

We should also prevent the users under the circumstances above being able to find these notes using elastic search. This will be done in a follow-up.

related to #363045 (closed)

How to set up and validate locally

  1. Create an issue as a Guest user
  2. Post an internal note from another Reporter+ user
  3. Check if the Guest user can see the internal notes from the Reporter+ user

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Felipe Cardozo

Merge request reports

Loading