Guest users are not able to add emojis to work items
A user with guest access should be able to add/remove emojis despite not having permissions to update the work item.
We are observing this bug because the GraphQL mutation that updates all widgets checks the update_work_item permission when this particular widget requires the more lenient award_emoji permission.
Steps to replicate
- Log in as a Guest user and visit a work item in the project, for example https://gdk.test:3000/gitlab-org/gitlab-test/-/work_items/1
- Click on the emoji icon to see the error
Proposal
Update the mutation we use for adding/removing emojis to use awardEmojiToggle.
Example queries

mutation toggleThumbsUp {
  awardEmojiToggle(input: {awardableId: "gid://gitlab/WorkItem/126929459", name: "thumbsup"}) {
    errors
    toggledOn
  }
}

mutation toggleThumbsDown {
  awardEmojiToggle(input: {awardableId: "gid://gitlab/WorkItem/126929459", name: "thumbsdown"}) {
    errors
    toggledOn
  }
}

mutation addEmoji {
  awardEmojiAdd(input: {awardableId: "gid://gitlab/WorkItem/126929459", name: "rocket"}) {
    errors
  }
}

mutation removeEmoji {
  awardEmojiRemove(input: {awardableId: "gid://gitlab/WorkItem/126929459", name: "rocket"}) {
    errors
  }
}

query getEmoji {
  workItem(id: "gid://gitlab/WorkItem/126929459") {
    id
    widgets {
      ... on WorkItemWidgetAwardEmoji {
        awardEmoji {
          edges {
            node {
              name
            }
          }
        }
      }
    }
  }
}
Edited by Eugenia Grieff
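
The permission mismatch described in this issue, as an added Ruby sketch that is not part of the original issue and is not GitLab's code. The role table, function names and error string are hypothetical; only the ability names and the toggledOn result come from the issue.

```ruby
require 'set'

# Constructed sample policy: abilities each role holds on a work item.
ROLE_ABILITIES = {
  anonymous: %i[read_work_item],
  guest:     %i[read_work_item award_emoji],
  reporter:  %i[read_work_item award_emoji update_work_item]
}.freeze

def can?(role, ability)
  ROLE_ABILITIES.fetch(role, []).include?(ability)
end

# Shape of the bug: the generic update mutation gates every widget,
# the emoji widget included, on update_work_item.
def work_item_update(role, awards, widgets)
  return { errors: ['permission denied'] } unless can?(role, :update_work_item)

  name = widgets.dig(:award_emoji, :name)
  awards << name if name
  { errors: [] }
end

# Shape of the proposal: a dedicated toggle that checks only award_emoji,
# so the stricter update check still guards every other widget.
def award_emoji_toggle(role, awards, name)
  unless can?(role, :award_emoji)
    return { errors: ['permission denied'], toggled_on: false }
  end

  # Set#delete? returns nil when the emoji was absent, so absent means "turn on".
  toggled_on = !awards.delete?(name)
  awards << name if toggled_on
  { errors: [], toggled_on: toggled_on }
end
```

A regression spec for the real change would cover the same three cases: a guest toggling an emoji succeeds, a guest changing any other widget is still denied, and a role without award_emoji is denied by the toggle.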