Follow-up from "Implement iteration cadences resolver"
The following discussion from !55422 (merged) should be addressed:
-
@mayra-cabrera started a discussion: (+2 comments) Thanks for checking if the user has access to the info!
Instead of validating the right permission for every group, I wonder if we should check if the user has access to `@group`. Or, is there any scenario in which the user will have access to the `@group` but it won't have `read_iteration_cadence` access to the `group.ancestors`?
This is a good question. I think this is worth a wider discussion as it affects all resources that roll down the hierarchy, i.e. if a resource is defined at a parent-level group (e.g. label, iteration, milestone, cadence, etc.) and rolls down to the child group, then checking the read permission on the child group should perhaps guarantee access to the rolling-down resources as well, or else those could not be used in the child group. On the other hand, our permissions work so that any user that has read permission in a child group gets read permission in the parent groups as well, which defeats the granularity of group permissions.
Having all that, however, the currently adopted approach seems to be to check the permission on each group, and there seems to be some optimisation in the case of groups within the same hierarchy that I skipped initially and have applied now as well: https://gitlab.com/gitlab-org/gitlab/blob/master/ee/app/models/ee/group.rb#L160
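To make the scenario in the question above concrete, here is an added Ruby example (not GitLab's code and not part of the MR): a toy group hierarchy with an explicit per-group grant table, where the names `Group`, `Cadence`, `Policy` and the helper functions are my own assumptions. It shows how the "check `@group` only" approach and the "check each group" approach diverge when a user has access to a child group but not to one of its ancestors, which is exactly the case the per-group check guards against.

```ruby
# Added example (not GitLab's code): a toy model of the question raised in the
# discussion above. Groups form a hierarchy, a cadence defined on an ancestor
# rolls down to every descendant, and grants are per group, so a user may hold
# access on a child group without holding it on an ancestor.

Group = Struct.new(:name, :parent) do
  def ancestors
    parent ? [parent] + parent.ancestors : []
  end

  def self_and_ancestors
    [self] + ancestors
  end
end

Cadence = Struct.new(:title, :group)

# Hypothetical policy: an explicit (user, group) grant table with no inheritance.
class Policy
  def initialize(grants)
    @grants = grants # { "alice" => [group, ...] }
  end

  def allowed?(user, group)
    @grants.fetch(user, []).include?(group)
  end
end

# Cadences visible from `group`: its own plus those rolling down from ancestors.
def rolled_down_cadences(group, cadences)
  cadences.select { |c| group.self_and_ancestors.include?(c.group) }
end

# Alternative discussed above: check the permission on `group` only and trust
# roll-down for everything above it. Leaks ancestor cadences the user cannot read.
def cadences_checking_group_only(user, group, cadences, policy)
  return [] unless policy.allowed?(user, group)
  rolled_down_cadences(group, cadences)
end

# Adopted approach: check the permission on each group a cadence belongs to.
# Verdicts are memoised per group (my own simplification, standing in for the
# same-hierarchy optimisation linked above) so a group is checked once.
def cadences_checking_each_group(user, group, cadences, policy)
  verdicts = {}
  rolled_down_cadences(group, cadences).select do |c|
    verdicts[c.group] = policy.allowed?(user, c.group) unless verdicts.key?(c.group)
    verdicts[c.group]
  end
end

# Constructed fixture: root -> sub -> leaf, one cadence per group, and alice
# granted access on sub and leaf but not on root.
def fixture
  root = Group.new("root", nil)
  sub  = Group.new("sub", root)
  leaf = Group.new("leaf", sub)
  cadences = [Cadence.new("root cadence", root),
              Cadence.new("sub cadence", sub),
              Cadence.new("leaf cadence", leaf)]
  policy = Policy.new("alice" => [sub, leaf])
  { leaf: leaf, cadences: cadences, policy: policy }
end

if __FILE__ == $PROGRAM_NAME
  f = fixture
  puts cadences_checking_group_only("alice", f[:leaf], f[:cadences], f[:policy]).map(&:title).inspect
  puts cadences_checking_each_group("alice", f[:leaf], f[:cadences], f[:policy]).map(&:title).inspect
end
```

Run as a script it prints the two result lists for `alice` querying `leaf`: the group-only check returns all three cadences, including the root one she has no grant for, while the per-group check drops it.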
Similar permission checks: