Allow only project/group reporters to read and create internal notes
What does this MR do and why?
Do not allow guest issue/epic authors or assignees to create and view internal notes.
We should also prevent the users under the circumstances above from being able to find these notes using Elasticsearch. This will be done in a follow-up.
related to #363045 (closed)
How to set up and validate locally
- Create an issue as a Guest user
- Post an internal note from another Reporter+ user
- Check if the Guest user can see the internal notes from the Reporter+ user
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Felipe Cardozo
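The rule described in this MR, modelled as an added example that is not GitLab's policy code and not part of the original description: the project role alone decides access to internal notes, and being the issue author or an assignee grants nothing. The class, method and constant names are hypothetical; the numeric values follow GitLab's Guest (10) and Reporter (20) access levels.

```ruby
# Added illustration; a simplified model, not GitLab's policy code.
# All names are hypothetical. Values mirror GitLab's role levels.
GUEST = 10
REPORTER = 20

User = Struct.new(:name)
Note = Struct.new(:author, :body, :internal)

class Issue
  attr_reader :author, :assignees, :notes

  def initialize(author:, members:, assignees: [])
    @author = author
    @assignees = assignees
    @members = members # { User => access level } for the project
    @notes = []
  end

  def access_level(user)
    @members.fetch(user, 0) # non-members get no access
  end

  # Role is the only input. Authorship and assignment are deliberately
  # not consulted, so a Guest author or assignee is still denied.
  def internal_notes_allowed?(user)
    access_level(user) >= REPORTER
  end

  def add_note(user, body, internal: false)
    if internal && !internal_notes_allowed?(user)
      raise SecurityError, "#{user.name} may not create internal notes"
    end
    note = Note.new(user, body, internal)
    @notes << note
    note
  end

  # Apply the same check on the read path so listings never leak
  # internal notes to users below Reporter.
  def visible_notes(user)
    @notes.select { |n| !n.internal || internal_notes_allowed?(user) }
  end
end
```

Any other read path over the same notes, such as search, needs the same check.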