Auditor/Admin users cannot view Value Stream Analytics on projects they are not a member of
Summary
Auditor/Admin users cannot view Value Stream Analytics on projects they are not a member of
Steps to reproduce
- Create a new Group and a new project as a regular user (not an Administrator or Auditor).
- Navigate to the project.
- As the regular user, observe that the project sidebar shows the Analyze -> Value Stream Analytics item.
- Log in as the Auditor user and navigate to the project.
- Observe that you *cannot* see the Analyze -> Value Stream Analytics item.
- Log in as the Administrator user and navigate to the project.
- Observe that you *cannot* see the Analyze -> Value Stream Analytics item.
What is the current bug behavior?
Administrators and Auditor users cannot view Project level Value Stream Analytics
unless they are a member of the project (directly or through its group).
What is the expected correct behavior?
Administrators and Auditor users should be able to view Project level Value Stream Analytics
of any project.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com. It also occurs on GitLab 16.1.0.
Possible fixes
- Here is where the policy is used to display the item in the sidebar: https://gitlab.com/gitlab-org/gitlab/-/blob/ac81caf9ec1738848a030d1bcfd262ea8fc2c80f/lib/sidebars/projects/menus/analytics_menu.rb#L85
- It appears that unless the account is a member of the project, the account's permission to view value stream analytics is prevented by this rule, regardless of the account being an Administrator or Auditor: https://gitlab.com/gitlab-org/gitlab/-/blob/ac81caf9ec1738848a030d1bcfd262ea8fc2c80f/ee/app/policies/ee/project_policy.rb#L381-384
- As a test on my 16.1 test environment, I commented out this rule. After restarting GitLab, my administrator account was able to view the value stream analytics of a project that the account was not a member of.
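The following is an added illustration and is not code from the GitLab repository or from the reporter. It is a toy model of DeclarativePolicy-style enable/prevent rules for a project ability and of a sidebar menu that consults them, showing why a membership-based prevent rule shadows the admin/auditor enable rules (in this model, as in DeclarativePolicy, a matching prevent rule wins over any enable rule) and what relaxing that rule changes. All class, method and ability names (`ProjectPolicy`, `AnalyticsMenu`, `sidebar_items`, `:read_project_value_stream_analytics`, `relax_member_prevent`) are hypothetical, and the user and project data is constructed.

```ruby
# Added example, not GitLab code. A toy model of enable/prevent policy rules
# and the sidebar menu that depends on them. All names are hypothetical.

User = Struct.new(:name, :admin, :auditor, keyword_init: true)
Project = Struct.new(:name, :members, keyword_init: true)

ABILITY = :read_project_value_stream_analytics # hypothetical ability name

class ProjectPolicy
  def initialize(user, project, relax_member_prevent: false)
    @user = user
    @project = project
    @relax = relax_member_prevent
  end

  def member?
    @project.members.include?(@user.name)
  end

  # Rules that enable the ability. Admins and auditors are enabled by their
  # own rules, just as a project member is.
  def enable_rules
    [
      -> { member? },
      -> { @user.admin },
      -> { @user.auditor },
    ]
  end

  # Rules that prevent the ability. A matching prevent rule beats every
  # enable rule, so an unconditional "not a member" prevent also denies
  # admins and auditors. The relaxed variant exempts them.
  def prevent_rules
    if @relax
      [-> { !member? && !@user.admin && !@user.auditor }]
    else
      [-> { !member? }]
    end
  end

  def allowed?(ability)
    return false unless ability == ABILITY

    enable_rules.any?(&:call) && prevent_rules.none?(&:call)
  end
end

class AnalyticsMenu
  def initialize(policy)
    @policy = policy
  end

  # Mirrors the sidebar check: the item is rendered only when the ability
  # is allowed for the current user.
  def items
    items = []
    items << 'Value Stream Analytics' if @policy.allowed?(ABILITY)
    items
  end
end

# Returns the analytics sidebar items a user would see for a project.
def sidebar_items(user, project, relax_member_prevent: false)
  policy = ProjectPolicy.new(user, project, relax_member_prevent: relax_member_prevent)
  AnalyticsMenu.new(policy).items
end

# Constructed sample data (not real accounts).
SAMPLE_PROJECT = Project.new(name: 'demo', members: ['alice'])
ALICE = User.new(name: 'alice', admin: false, auditor: false) # regular member
ROOT  = User.new(name: 'root',  admin: true,  auditor: false) # admin, not a member
AUDIT = User.new(name: 'audit', admin: false, auditor: true)  # auditor, not a member
BOB   = User.new(name: 'bob',   admin: false, auditor: false) # regular non-member

if __FILE__ == $PROGRAM_NAME
  [ALICE, ROOT, AUDIT, BOB].each do |u|
    current = sidebar_items(u, SAMPLE_PROJECT)
    relaxed = sidebar_items(u, SAMPLE_PROJECT, relax_member_prevent: true)
    puts "#{u.name}: current=#{current.inspect} relaxed=#{relaxed.inspect}"
  end
end
```

Run as a script, the model shows the member seeing the item under both rule sets, the admin and auditor seeing it only with the relaxed prevent rule, and the regular non-member never seeing it. Whatever the real fix looks like, this is the check to keep: a regular non-member must still be denied after the admin/auditor path is opened.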
Edited by Kenneth Chu