Update permissions for epic quick actions
Related to #382503 (closed)
What does this MR do and why?
As a follow-up to !106415 (merged), which updated the role required to add and remove child epics (from Reporter to Guest), we need to update `ee/lib/ee/gitlab/quick_actions/epic_actions.rb` to match these new permissions.
I did some refactoring to be able to reuse existing code, but the key differences are:
- Instead of requiring `:admin_epic` for the target epic, we'll require `:admin_epic_tree_relation`. This ability is more lenient than `:admin_epic`: it requires the Guest role instead of Reporter, but includes a check for the subepics feature.
- Instead of requiring `:read_epic` for the parent or child epic, we'll require `:admin_epic_tree_relation`. This ability is more strict than `:read_epic`, because non-members can sometimes read epics, but this change is necessary for the cross-group child epics feature and it should have been updated to `:admin_epics` when implementing that feature.
How to set up and validate locally
- Create two epics in a public group.
- Visit one of the epics impersonating a user with the Guest role.
- Add the other epic as a parent using the command `/parent_epic epic_url`. This should not raise any errors.
- Remove the parent using the command `/remove_parent_epic`.
- Add the other epic as a child using the command `/child_epic epic_url`.
- Remove the added child with `/remove_child_epic epic_url`.
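To make the two ability changes and the Guest walkthrough above concrete, here is an added, self-contained Ruby model of the permission logic and of the four quick actions. It is illustrative code written for this page, not GitLab's policy or quick-action implementation: `Group`, `Epic`, `Policy`, `EpicQuickActions`, the role levels and the sample group are all assumptions chosen to mirror the description (Guest can manage tree relations only when the subepics feature is enabled; anyone can read a public group's epics, but only members holding `:admin_epic_tree_relation` on both epics can change the tree).

```ruby
# Hypothetical model of the abilities discussed in this MR. Not GitLab code:
# Group, Epic, Policy and EpicQuickActions are stand-ins built for this example.

ROLE_LEVEL = { none: 0, guest: 10, reporter: 20, developer: 30 }.freeze

Group = Struct.new(:name, :public, :members, :subepics_enabled, keyword_init: true) do
  # members maps a user name to a role symbol; non-members get :none.
  def role_of(user)
    members.fetch(user, :none)
  end

  def at_least?(user, role)
    ROLE_LEVEL.fetch(role_of(user)) >= ROLE_LEVEL.fetch(role)
  end
end

Epic = Struct.new(:title, :group, :parent, keyword_init: true)

module Policy
  # :read_epic (assumed): anyone can read epics in a public group, members otherwise.
  def self.read_epic?(user, epic)
    epic.group.public || epic.group.at_least?(user, :guest)
  end

  # :admin_epic (assumed): Reporter or above. This was the old requirement on the target.
  def self.admin_epic?(user, epic)
    epic.group.at_least?(user, :reporter)
  end

  # :admin_epic_tree_relation (assumed): Guest or above, AND the subepics feature
  # must be enabled for the group. Lower role than :admin_epic, extra feature check.
  def self.admin_epic_tree_relation?(user, epic)
    epic.group.subepics_enabled && epic.group.at_least?(user, :guest)
  end
end

# Minimal stand-in for the /parent_epic, /remove_parent_epic, /child_epic and
# /remove_child_epic quick actions. Each command authorizes the SAME ability on
# both the target epic and the related epic, as the MR description states.
class EpicQuickActions
  PermissionError = Class.new(StandardError)

  def initialize(user)
    @user = user
  end

  def parent_epic(target, parent)
    authorize!(target, parent)
    target.parent = parent
    :ok
  end

  def remove_parent_epic(target)
    return :no_parent unless target.parent
    authorize!(target, target.parent)
    target.parent = nil
    :ok
  end

  def child_epic(target, child)
    authorize!(target, child)
    child.parent = target
    :ok
  end

  def remove_child_epic(target, child)
    return :not_a_child unless child.parent.equal?(target)
    authorize!(target, child)
    child.parent = nil
    :ok
  end

  private

  def authorize!(*epics)
    epics.each do |epic|
      next if Policy.admin_epic_tree_relation?(@user, epic)
      raise PermissionError, "#{@user} lacks :admin_epic_tree_relation on #{epic.title}"
    end
  end
end

# Constructed sample data: a public group with subepics enabled and a Guest member.
PUBLIC_GROUP = Group.new(name: "public-group", public: true, subepics_enabled: true,
                         members: { "guest_user" => :guest, "reporter_user" => :reporter })

# The validation walkthrough from the MR: a Guest runs all four commands on two
# epics in the public group. Returns the result of each command in order.
def guest_walkthrough(user = "guest_user")
  epic_a = Epic.new(title: "Epic A", group: PUBLIC_GROUP)
  epic_b = Epic.new(title: "Epic B", group: PUBLIC_GROUP)
  qa = EpicQuickActions.new(user)
  [qa.parent_epic(epic_a, epic_b),
   qa.remove_parent_epic(epic_a),
   qa.child_epic(epic_a, epic_b),
   qa.remove_child_epic(epic_a, epic_b)]
end

puts guest_walkthrough.inspect if __FILE__ == $PROGRAM_NAME
```

Running `guest_walkthrough` with the Guest user returns `:ok` for all four commands, while an anonymous visitor to the same public group can still pass `read_epic?` but is refused by `authorize!` on the first command; a Reporter in a group with the subepics feature disabled keeps `:admin_epic` yet loses `:admin_epic_tree_relation`, which is the feature check the new ability adds.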
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.