Update permissions for epic-issue links

Related to #382506 (closed)

What does this MR do and why?

As part of Group minimum role should be Guest for epic rel... (&9232 - closed) we need to update permissions to link issues to epics, to require Guest access instead of Reporter access.

| | Before | After |
|---|---|---|
| Permission | admin_epic_issue | admin_issue_relation |
| Permission checks | have Reporter access for the issue's project | have Guest access for the issue's project and can read the issue |

| | Before | After |
|---|---|---|
| Permission | admin_epic | admin_epic_relation |
| Permission checks | have Reporter access for the epic's group | have Guest access for the epic's group and can read the epic |
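As an added illustration (not GitLab's policy code), the table above as a simplified Ruby model: the numeric access levels, the `Issue`/`Project` structs and the confidential-issue visibility rule (author, assignees, or at least Reporter) are assumptions made for the example, and the sample data is constructed.

```ruby
# Added example, not GitLab's DeclarativePolicy code. Access levels follow
# GitLab's numeric ordering (Guest = 10, Reporter = 20).
GUEST    = 10
REPORTER = 20

Issue   = Struct.new(:project, :confidential, :author, :assignees, keyword_init: true)
Project = Struct.new(:members, keyword_init: true) # members: { user => access_level }

def access_level(user, project)
  project.members.fetch(user, 0)
end

# Simplified read rule: confidential issues are readable only by the author,
# the assignees, or project members with at least Reporter access.
def can_read_issue?(user, issue)
  return true unless issue.confidential
  return true if issue.author == user || issue.assignees.include?(user)
  access_level(user, issue.project) >= REPORTER
end

# Before: admin_epic_issue required Reporter access on the issue's project.
def can_admin_epic_issue_before?(user, issue)
  access_level(user, issue.project) >= REPORTER
end

# After: admin_issue_relation requires Guest access AND read access to the issue,
# which is what keeps a guest from linking a confidential issue they cannot see.
def can_admin_issue_relation_after?(user, issue)
  access_level(user, issue.project) >= GUEST && can_read_issue?(user, issue)
end

# Constructed sample data: one guest member, one public and one confidential issue.
GUEST_USER         = :guest
PROJECT            = Project.new(members: { GUEST_USER => GUEST })
PUBLIC_ISSUE       = Issue.new(project: PROJECT, confidential: false, author: :alice, assignees: [])
CONFIDENTIAL_ISSUE = Issue.new(project: PROJECT, confidential: true,  author: :alice, assignees: [])

def linking_outcomes
  {
    before_public:      can_admin_epic_issue_before?(GUEST_USER, PUBLIC_ISSUE),
    after_public:       can_admin_issue_relation_after?(GUEST_USER, PUBLIC_ISSUE),
    after_confidential: can_admin_issue_relation_after?(GUEST_USER, CONFIDENTIAL_ISSUE)
  }
end

puts linking_outcomes.inspect if $PROGRAM_NAME == __FILE__
```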

This MR updates permissions for the following actions:

Services:

  • EE::Issues::BaseService: Creating a new issue that includes the epic_id param
  • EpicIssue::CreateService: Creating a new epic-issue link
  • EpicIssue::DestroyService: Deleting an epic-issue link
  • Epics::TreeReorderService: Reordering child issues

Internal endpoints:

  • Groups::EpicIssuesController: Create, update and delete an epic-issue link

REST endpoints:

  • API::EpicIssues: Create, update and delete an epic-issue link
  • API::Issues: Create an issue with a linked epic

GraphQL mutations:

  • EpicAddIssue
  • EpicTreeReorder

How to set up and validate locally

Via UI

  1. Create a group with a project and an epic.
  2. Create two issues in the project, one of them confidential
  3. Visit the epic impersonating a Guest user and ensure that the user can add a new child issue
  4. Ensure that the user can add the existing non-confidential issue as child issue
  5. The guest user should be able to reorder the child issues too

With REST endpoints (link documentation)

Create a personal access token for the guest user and test the following requests.

Create links

```shell
export GUEST_PAT=<your_access_token>

# Create link with an existing issue, should succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$ISSUE_ID"
#=> Should succeed and

# Create link with an existing confidential issue, should not succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$CONFIDENTIAL_ISSUE_ID"
#=> {"message":"403 Forbidden"}

# Create a new issue and link it to the epic, should not succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/projects/$PROJECT_ID/issues?title=New%20child%20issue&epic_iid=$EPIC_IID"
```

Reorder links

```shell
curl --request PUT --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$EPIC_ISSUE_ID_2?move_before_id=$EPIC_ISSUE_ID_1"
```

Delete links

```shell
curl --request DELETE --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$EPIC_ISSUE_ID_1"
```

With GraphQL

Add issue to epic example mutation:

```graphql
mutation addIssue {
  epicAddIssue(input: {projectPath: "group-a/project-a", groupPath: "group-a", iid: "32", issueIid: "19"}) {
    epicIssue {
      epicIssueId
    }
    epic {
      issues {
        edges {
          node {
            title
          }
        }
      }
    }
    errors
  }
}
```

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff