Auditor/Admin users cannot view Value Stream Analytics on projects they are not a member of

Summary

Auditor/Admin users cannot view Value Stream Analytics on projects they are not a member of

Steps to reproduce

• Create a new Group and new project as a regular user. (Not an Administrator or Auditor)
• Navigate to the Project.
• As the regular user, on the Project sidebar, observe you can see the Analyze -> Value Stream Analytics item.
• Login as the Auditor user, and navigate to the project.
• Observe you *cannot see the Analyze -> Value Stream Analytics item.
• Login as the Administrator user, and navigate to the project.
• Observe you *cannot see the Analyze -> Value Stream Analytics item.

What is the current bug behavior?

Administrators and Auditor users cannot view Project level Value Stream Analytics unless they are a member of the group.

What is the expected correct behavior?

Administrators and Auditor users should be able to view Project level Value Stream Analytics of any project.

Relevant logs and/or screenshots

Output of checks

This bug happens on GitLab.com. Also occurs on GitLab 16.1.0

Possible fixes

• Here is where the policy is used to display the item in the sidebar: https://gitlab.com/gitlab-org/gitlab/-/blob/ac81caf9ec1738848a030d1bcfd262ea8fc2c80f/lib/sidebars/projects/menus/analytics_menu.rb#L85
• It appears that unless the account is a member of the project, the accounts' permission to view value stream analytics is prevented: https://gitlab.com/gitlab-org/gitlab/-/blob/ac81caf9ec1738848a030d1bcfd262ea8fc2c80f/ee/app/policies/ee/project_policy.rb#L381-384
  • As a test on my 16.1 test environment, I commented out this rule. After restarting GitLab, my administrator account was able to view the value stream analytics of a project that the account was not a member of.