Guest members cannot set metadata for issues they have authored
If a user is a Guest member of a project, they have the :update_issue ability for issues they authored or are assigned to:
issuable_policy
    # app/policies/issuable_policy.rb:22
    rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
      enable :read_issue
      enable :update_issue
      enable :reopen_issue
    end
But the set_issue_metadata ability is not granted to them, because the issue is already persisted:
issue_policy
    # app/policies/issue_policy.rb:81
    rule { ~persisted & is_project_member & can?(:guest_access) }.policy do
      enable :set_issue_metadata
    end
These permissions affect work items, because set_work_item_metadata relies on set_issue_metadata. As a result, an author cannot update their own work item if they have guest access (screen recording: Screen_Recording_2023-05-24_at_10.15.45).
This inconsistency can also be seen by querying the work item's permissions as the guest user:
GraphQL query
    query getWorkItemsPermissions {
      project(fullPath: "<project-path>") {
        workItems(iid: "<guest_user_work_item_iid>") {
          edges {
            node {
              id
              iid
              title
              userPermissions {
                updateWorkItem
                setWorkItemMetadata
              }
            }
          }
        }
      }
    }
    {
      "data": {
        "project": {
          "workItems": {
            "edges": [
              {
                "node": {
                  "id": "gid://gitlab/WorkItem/128207359",
                  "iid": "3",
                  "title": "Issue authored by guest",
                  "userPermissions": {
                    "updateWorkItem": true,
                    "setWorkItemMetadata": false
                  }
                }
              }
            ]
          }
        }
      }
    }
Proposal
Add an extra rule for enabling set_issue_metadata when the user can update the issue:
    # app/policies/issue_policy.rb
    rule { can?(:update_issue) }.enable :set_issue_metadata
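
Added example (not GitLab's code and not part of the original issue): a small Ruby model of the two rules quoted above plus the proposed rule, resolved to a fixed point, comparing set_issue_metadata for a guest before and after the proposal. The evaluator, the assumption that every project member holds guest_access, and the scenarios are constructed for illustration.

```ruby
# Simplified stand-in for the quoted policy rules (not GitLab's DeclarativePolicy).
# Each rule is [condition, abilities it enables]. A condition sees the subject
# facts and the abilities granted so far, so can?(...) style rules are resolved
# by re-running all rules until nothing new is granted.
BASE_RULES = [
  # Assumption: every project member holds at least :guest_access.
  [->(f, _) { f[:project_member] }, [:guest_access]],
  # app/policies/issuable_policy.rb:22
  [->(f, can) { can.include?(:guest_access) && (f[:author] || f[:assignee]) && !f[:incident] },
   %i[read_issue update_issue reopen_issue]],
  # app/policies/issue_policy.rb:81
  [->(f, can) { !f[:persisted] && f[:project_member] && can.include?(:guest_access) },
   [:set_issue_metadata]]
].freeze

# The rule from the Proposal section.
PROPOSED_RULE = [->(_, can) { can.include?(:update_issue) }, [:set_issue_metadata]].freeze

def abilities(facts, rules)
  granted = []
  loop do
    before = granted.size
    rules.each { |cond, enables| granted |= enables if cond.call(facts, granted) }
    return granted if granted.size == before
  end
end

# Constructed scenarios, all for a guest member of the project.
SCENARIOS = {
  "author, persisted"    => { project_member: true, author: true, persisted: true },
  "assignee, persisted"  => { project_member: true, assignee: true, persisted: true },
  "unrelated, persisted" => { project_member: true, persisted: true },
  "unrelated, new issue" => { project_member: true, persisted: false },
  "author, incident"     => { project_member: true, author: true, persisted: true, incident: true }
}.freeze

# Returns { scenario => [set_issue_metadata today, set_issue_metadata with proposal] }.
def metadata_matrix
  SCENARIOS.to_h do |name, facts|
    [name, [BASE_RULES, BASE_RULES + [PROPOSED_RULE]].map { |r| abilities(facts, r).include?(:set_issue_metadata) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  metadata_matrix.each { |name, (now, proposed)| puts format("%-22s current=%-5s proposed=%s", name, now, proposed) }
end
```

In this model the proposed rule grants set_issue_metadata to guest assignees of a persisted issue as well as to authors, because both hold update_issue, while guest-authored incidents stay excluded.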