Use EpicsFinder when listing epics
When user can set particular epics as confidential, we should make sure that access to these confidential epics is properly checked. We will make sure that EpicsFinder will handle confidential filtering properly in a separate issue, but we should make sure that we either use EpicsFinder wherever we list epics, or that we check access to epic properly.
I think that this is primarily related to read_epic permission check, for admin_epic, update_epic... we check that user has at least reporter permission (which is also sufficient for access confidential access).
Some places which will need an update:
- autocompletion, although FE doesn't support sub-group epics, I think we can still use EpicsFinder and list just epics in the single group as we do now (EpicsFinder should support this)
-
ee/lib/ee/api/entities/issue.rb
- we should check if user can read issue's epic directly (not through issue.project.group)
There are might more so weight might change accordignly
Related to #197339 (closed)