Merged
requested to merge 23872-members-of-group-that-has-project-access-getting-404-on-accessing-a-project-issue into master
What does this MR do?
Among other things, ensure that users who have access to a project through a group link can see confidential issues.
Are there points in the code the reviewer needs to double check?
I tried to keep the change as minimal as possible.
Why was this MR needed?
ProjectTeam#find_member doesn't take group links into account. It was
used in two places:
- An admin view - it can stay here.
-
ProjectTeam#member?, which is often used to decide if a user has access to view something.
This second part broke confidential issues viewing. IssuesFinder ends
up delegating to Project#authorized_for_user?, which does consider
group links, so users with access to the project via a group link could
see confidential issues on the index page. However, IssuesPolicy used
ProjectTeam#member?, so the same user couldn't view the issue when
going to it directly.
Does this MR meet the acceptance criteria?
- Tests
-
Added for this feature/bug -
All builds are passing
-
-
Conform by the merge request performance guides -
Conform by the style guides -
Branch has no merge conflicts with master(if it does - rebase it please) -
Squashed related commits together
What are the relevant issue numbers?
Closes #23872 (closed).