Skip to content

Update related epic links permissions

Eugenia Grieffrequested to merge
397073-epic-relations-non-members-related-link into master

Related to #424754 (closed)

What does this MR do and why?

As part of #397073 (closed) we want to update the permissions required for relating (aka linking) epics.

Summary of changes:

  • Currently, we require the user to have a Guest role in both epic groups but we want to lower this requirement so users who can read both epics can also relate them.

  • For this, we'll use admin_epic_link_relation and read_epic_link_relation policies (behind the feature flag epic_relations_for_non_members).

  • In the case of a private group, the Guest role would still be the minimum required but in a public group, a non-member will now have access to this action. In the case of confidential epics, the minimum continues to be a Reporter role.

  • Both policies check the same permissions (the user is signed-in and can read the epic) but admin_epic_link_relation also checks that the licensed feature related_epics is available. This distinction is needed because we only check license in the source epic.

  • These policies are used in RelatedEpicLinksController, API::RelatedEpicLinks, and RelatedEpicLinks services, so this MR updated specs accordingly.

  • The same permissions apply to removing the relation.

  • As this is part of a larger change that includes other epic relationships, the changes will be behind the FF disabled by default until the update is complete.

How to set up and validate locally

  1. Create 2 public groups with an epic each
root = User.first
group1 = Group.create!(name: 'Test Group 1', path: 'test-group1', owner: root)
group2 = Group.create!(name: 'Test Group 2', path: 'test-group2', owner: root)
epic1 = Epic.create!(title: 'Test Epic 1', author: root, group: group1)
epic2 = Epic.create!(title: 'Test Epic 2', author: root, group: group2)
  1. Sing in with a user different than root and visit https://gdk.test:3000/groups/test-group1/-/epics/1
  2. Verify that the Linked epics widget doesn’t include the button Add
  3. Visit https://gdk.test:3000/-/profile/personal_access_tokens and create an access token with API access
  4. Verify that the user cannot add the related epic using the REST endpoint either
export GITLAB_PAT=<your api token>

curl --header "PRIVATE-TOKEN: $GITLAB_PAT" -d target_group_id=test-group2 -d target_epic_iid=1 https://gdk.test:3000/api/v4/groups/test-group1/epics/1/related_epics
#response => {"message":"403 Forbidden"}
  1. Enable the feature flag in Rails console Feature.enable(:epic_relations_for_non_members)
  2. Visit the first epic again and verify that the Add button is shown and that adding the epic https://gdk.test:3000/groups/test-group2/-/epics/1 succeeds
  3. Remove the related epic and try adding it again using the REST endpoint, the request should success and return the created link

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff

Merge request reports