Bug: Confidential Epic Missing at Dropdown for Developers - fix API & GraphQL endpoint

Summary

Confidential epics are missing from the Epic dropdown list when Developers assign an issue to an epic in Issue edit mode.

Steps to reproduce

Setting Up

1. Create a group with the following structure:
   - Main group
     - Subgroup
       - Product group
         - Test Project
2. Assign User A as a Developer at the Subgroup level
3. Create a confidential epic at Product group level

Now, impersonate/log in as User A

Create a new issue in Test Project. Regardless of whether it is a confidential issue, the confidential epic does not show in the dropdown list when we are assigning the issue to an epic on the Create issue page and in Edit issue from the sidebar.

The above scenario was reported by a Premium customer via an internal ticket.

NOTE: It is severely impacting how GitLab is used for project management within their organization.

Backend problem description

The endpoint http://127.0.0.1:3000/api/v4/groups/112/epics?include_ancestor_groups=true&include_descendant_groups=false does not return any results for the described case.

The problem can also be verified using GraphQL. With the structure described above (Main group, Subgroup, Product group), the following GraphQL query returns different results for someone who is a member of the "Main" group (confidential epic present) and someone who is only a member of the "Subgroup" (confidential epic missing):

{
  workspace: group(fullPath: "main-group/subgroup/product-group") {
    id
    epics(includeAncestorGroups: true, includeDescendantGroups: false) {
      nodes {
        title
        id
      }
    }
  }
}

When I skip the includeAncestorGroups=true param, a Developer of Subgroup also sees the confidential epic correctly.

Example Project

https://gitlab.com/gitlab-gold/emchang-subgroup/sub-group/product-group/test-project/-/issues/2

What is the current bug behavior?

Regardless of whether it is a confidential issue, the confidential epic does not show in the dropdown list when we are assigning the issue to an epic on the Create issue page and in Edit issue from the sidebar.

User A can view the confidential epic.

What is the expected correct behavior?

Developers should be able to assign an issue to a confidential epic easily when creating or editing an issue.

Relevant logs and/or screenshots

Screenshot_2021-11-17_at_3.39.19_PM

Screenshot_2021-11-17_at_3.37.32_PM

Video Demo from User A Point of View:

Output of checks

This issue is happening on GitLab.com (14.5.0-pre d44dcb90)

Workaround

User A can add the issue to the epic by navigating to the confidential epic and selecting Add > Add an existing issue.

Possible fixes

Since a Developer is able to assign an issue to a confidential epic, but it's unavailable in the dropdown list, I'm suspecting this could be a frontend issue.

It seems to be a backend issue as the endpoint http://127.0.0.1:3000/api/v4/groups/112/epics?include_ancestor_groups=true&include_descendant_groups=false does not return any results for the described case.

Edited by Jarka Košanová
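
The expected behaviour from "Backend problem description", written out as an added example (not GitLab code and not part of the original report). It is a simplified model with a regression check that including ancestor groups never drops an epic the user already sees. The names Group, Epic, can_read?, visible_epics and dropped_by_widening, the rule that membership is inherited from ancestor groups, and the sample data are all assumptions made for illustration.

```ruby
# Added example: simplified model of the expected behaviour, not GitLab code.
# Assumption: a user may read a confidential epic when they were added to the
# epic's group or to any ancestor of it (membership is inherited downwards).
Group = Struct.new(:path, :parent) do
  def self_and_ancestors
    parent ? [self] + parent.self_and_ancestors : [self]
  end
end
Epic = Struct.new(:title, :group, :confidential)

# memberships maps a user name to the groups the user was added to directly.
def can_read?(user, epic, memberships)
  return true unless epic.confidential
  (epic.group.self_and_ancestors & memberships.fetch(user, [])).any?
end

# Expected listing for `group`: include_ancestors widens the groups searched,
# while the per-epic permission check stays the same.
def visible_epics(user, group, epics, memberships, include_ancestors:)
  scope = include_ancestors ? group.self_and_ancestors : [group]
  epics.select { |e| scope.include?(e.group) && can_read?(user, e, memberships) }
       .map(&:title)
end

# Regression check: titles returned for the narrow query but lost once
# ancestor groups are included. Must be empty for a correct endpoint.
def dropped_by_widening(narrow, wide)
  narrow - wide
end

# Constructed data mirroring the structure in the report.
MAIN    = Group.new("main-group", nil)
SUB     = Group.new("main-group/subgroup", MAIN)
PRODUCT = Group.new("main-group/subgroup/product-group", SUB)
EPICS = [
  Epic.new("Product confidential epic", PRODUCT, true),
  Epic.new("Main confidential epic", MAIN, true),
  Epic.new("Main public epic", MAIN, false)
]
MEMBERSHIPS = { "user_a" => [SUB], "main_member" => [MAIN] }

if __FILE__ == $PROGRAM_NAME
  narrow = visible_epics("user_a", PRODUCT, EPICS, MEMBERSHIPS, include_ancestors: false)
  wide   = visible_epics("user_a", PRODUCT, EPICS, MEMBERSHIPS, include_ancestors: true)
  puts "narrow=#{narrow.inspect} wide=#{wide.inspect}"
  puts "dropped (model): #{dropped_by_widening(narrow, wide).inspect}"
  # Reported behaviour: the widened query returned nothing for User A.
  puts "dropped (reported): #{dropped_by_widening(narrow, []).inspect}"
end
```

The same comparison can be run against real responses by passing the epic titles returned with and without include_ancestor_groups=true for the same user to dropped_by_widening.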