Quick action /confidential won't work for users with Guest permission or people with no role in public repo
Summary
When a user with Guest permission uses an issue template that contains /confidential quick action to create an issue, it will not be set as confidential and the command is deleted from the description. The same behavior can be seen when the project is internal and an issue is created by someone who has no role in the repository (but can create confidential issues in GUI).
If the user has a Reporter role, then /confidential quick action works as expected.
Please note that this might also be an issue for other quick actions, but we haven't tested it yet.
Steps to reproduce
- Create a public repo
- Create any issue template that contains /confidential quick action
- Try to create the issue from the template as an owner and observe that it is correctly set as confidential
- Do the same with the user that is not added to the repository or has Guest permission.
- Observe that quick action has no effect when the issue is created. However, the user can set it through the GUI.
Example Project
https://gitlab.com/lukasbrchl/test_repo
What is the current bug behavior?
The /confidential quick action won't work for Guests role in the repository or for people with no role but public repo
What is the expected correct behavior?
If the user has permission to set /confidential in GUI, it should also work as a quick action
Output of checks
This bug happens on GitLab.com