Guest project members are not allowed to create notes on work items
Some validation in the frontend is not allowing guest project members to create notes on work items. This is possible through the legacy issue interface.
From the backend perspective, it is possible to create a note as a guest member using the GraphQL API.
Related thread in https://gitlab.slack.com/archives/C72HPNV97/p1684510610684919 (internal only)
- Mario Celi added groupproject management label
- 🤖 GitLab Bot 🤖 added devopsplan sectiondev labels
- Maintainer
Setting label(s) Category:Team Planning based on groupproject management.
- 🤖 GitLab Bot 🤖 added Category:Team Planning label
- Maintainer
I checked where this permission is coming from in the frontend in work items.
We are checking the workItem user permission, `updateWorkItem` flag, for the logged in user. `updateWorkItem` is coming to be false for the logged in user.
In issues (issuables), we are checking the `can_create_note` flag which is set in the backend by the following code
So there is a difference in the flag that is being received by the backend in issuables and work items.
Should we be using a different flag to check if the guest user can comment or not in a work item? Unless there is some discrepancy in the logic that is implemented for the two
Edited by Deepika Guliani
- Maintainer
@deepika.guliani Indeed `updateWorkItem` is too restrictive and we should be checking `read_note` ability instead. I've opened an MR to expose this permission: !121329 (merged). Although we can't use it in this milestone due to multi-version compatibility, so should we use `readWorkItem` for now? I believe these are equally dependent on `guest_access`.
- Maintainer
Sure @egrieff
We can do that. I can open an MR to use this permission for create note permission, which should be changed later to `readNote` when the backend MR is merged.
Edited by Deepika Guliani
- Maintainer
MR created to fix the bug here Change work item add note permission to `create... (!121357 - merged)
- Maintainer
we should not use read work item permission to check if user can create note, that opens another bug, let's make sure we pass in the correct create_note permission.
- Maintainer
Okay, I think we should come to a conclusion before we make any frontend changes here. I am setting the MR to Draft for now.
- Author Maintainer
Yes, it's definitively create_note, and from what I can see in @egrieff MR, she already accounted for that in !121329 (merged)
- Maintainer
Updated the MR to use createNote since the backend is merged now, but will have to wait till 16.2 to get it merged
- Maintainer
@deepika.guliani Thanks for the quick fix! I've changed the milestone now to indicate we're waiting until %16.2.
- Maintainer
Thank you for quick backend MR for the same
Could not have done it without your collaboration
- Eugenia Grieff mentioned in merge request !121329 (merged)
- Eugenia Grieff added bugfunctional typebug labels
- Deepika Guliani assigned to @deepika.guliani
- Deepika Guliani assigned to @egrieff
- Deepika Guliani mentioned in merge request !121357 (merged)
- Eugenia Grieff changed milestone to %16.1
- Eugenia Grieff added backend frontend labels
- Eugenia Grieff mentioned in issue #404601 (closed)
- Donald Cook marked #404601 (closed) as a duplicate of this issue
- Donald Cook marked this issue as related to #404601 (closed)
- Deepika Guliani added workflowin dev label
- Maintainer
The backend work !121329 (merged) was verified in production so we can add backend complete for this issue.
The frontend work will be merged in %16.2 due to multi-version compatibility requirement.
testing query

```graphql
query getWorkItemsPermissions {
  project(fullPath: "gitlab-org/plan-stage/test-project") {
    workItems(first: 1) {
      edges {
        node {
          userPermissions {
            createNote
          }
        }
      }
    }
  }
}
```

```json
{
  "data": {
    "project": {
      "workItems": {
        "edges": [
          {
            "node": {
              "userPermissions": {
                "createNote": true
              }
            }
          }
        ]
      }
    }
  }
}
```

Edited by Eugenia Grieff
- Eugenia Grieff changed milestone to %16.2
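The three flags weighed in this thread, compared as gates for the comment form (an added example, not GitLab's code). The `sampleCase` labels, the permission values and the read-only case are constructed assumptions; `createNote` is taken as the authoritative answer, as the thread concludes.

```javascript
// Constructed sample shaped like the testing query's response, extended with the
// other two flags from the thread. Values and `sampleCase` labels are assumptions.
const sampleResponse = { data: { project: { workItems: { edges: [
  // Guest: may comment but not edit (the case reported in this issue).
  { node: { sampleCase: 'guest', userPermissions:
    { readWorkItem: true, updateWorkItem: false, createNote: true } } },
  // Hypothetical user who can read the item but may not comment.
  { node: { sampleCase: 'read-only', userPermissions:
    { readWorkItem: true, updateWorkItem: false, createNote: false } } },
  // Member who can read, edit and comment.
  { node: { sampleCase: 'editor', userPermissions:
    { readWorkItem: true, updateWorkItem: true, createNote: true } } },
] } } } };

// Compare one candidate UI gate against the createNote permission.
// wronglyHidden: user may comment but the form is hidden (too restrictive).
// wronglyShown:  form is shown but the user may not comment (too permissive).
function auditGate(response, gateFlag) {
  const result = { gate: gateFlag, wronglyHidden: [], wronglyShown: [] };
  for (const { node } of response.data.project.workItems.edges) {
    const perms = node.userPermissions || {};
    // Fail loudly if a flag was not requested in the query, rather than
    // treating `undefined` as "denied".
    if (typeof perms[gateFlag] !== 'boolean' || typeof perms.createNote !== 'boolean') {
      throw new TypeError(`permission flag missing for ${node.sampleCase}`);
    }
    if (perms.createNote && !perms[gateFlag]) result.wronglyHidden.push(node.sampleCase);
    if (!perms.createNote && perms[gateFlag]) result.wronglyShown.push(node.sampleCase);
  }
  return result;
}

// Audit every flag that was proposed as the gate in the discussion.
function auditAll(response) {
  return ['updateWorkItem', 'readWorkItem', 'createNote'].map((flag) => auditGate(response, flag));
}

console.log(JSON.stringify(auditAll(sampleResponse), null, 2));
```

Whatever flag the form is gated on, the backend permission check on note creation remains the enforcement point; the flag only decides whether the form is offered.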
- Eugenia Grieff added backend complete label
- Eugenia Grieff marked this issue as related to #412826 (closed)
- Eugenia Grieff added to epic &10694
- Eugenia Grieff set weight to 2
- Eugenia Grieff unassigned @egrieff
- Maintainer
@egrieff Hey
This should be available on gitlab.com now, can you also verify please? Thank you
- Maintainer
@deepika.guliani I can now comment on a work item as a guest. Thanks
- Deepika Guliani added workflowproduction label and removed workflowin dev label
- Maintainer
Verified on GitLab Enterprise Edition 16.1.0-pre eff00776
- Deepika Guliani closed
- John Hope mentioned in merge request gitlab-org/quality/triage-ops!2240 (merged)
- 🤖 GitLab Bot 🤖 mentioned in issue gitlab-org/quality/triage-reports#13270