Update permissions for epic-issue links
Related to #382506 (closed)
What does this MR do and why?
As part of "Group minimum role should be Guest for epic rel..." (&9232 - closed), we need to update the permissions for linking issues to epics so that they require Guest access instead of Reporter access.
Before | After
---|---
`admin_epic_issue` | `admin_issue_relation`
Permission checks: have Reporter access for the issue's project | Permission checks: have Guest access for the issue's project and can read the issue

Before | After
---|---
`admin_epic` | `admin_epic_relation`
Permission checks: have Reporter access for the epic's group | Permission checks: have Guest access for the epic's group and can read the epic
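The two tables describe the rule change in words; the following is an added, self-contained model of that rule (example code written for this page, not GitLab's policy classes). The role names and the convention that a confidential issue is visible to Reporter+ members or to its author and assignees follow GitLab's documented behaviour; the class and method names (`RelationPolicy`, `admin_epic_issue_before?`, `can_link_issue_to_epic?`) and the sample users are assumptions made for illustration.

```ruby
# Added example, not GitLab's own code: a self-contained model of the
# permission change described in the tables above. Role names and the rule
# that a confidential issue is visible to Reporter+ members or to its author
# and assignees follow GitLab's documented behaviour; class and method names
# here are invented for illustration.

ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40 }.freeze

Issue = Struct.new(:project, :confidential, :author, :assignees, keyword_init: true)
Epic  = Struct.new(:group, :confidential, keyword_init: true)

class User
  attr_reader :name, :memberships

  # memberships maps a project or group path to a role symbol, e.g. "group-a" => :guest
  def initialize(name, memberships = {})
    @name = name
    @memberships = memberships
  end

  # Numeric access level on a resource; 0 when the user is not a member.
  def access_level(resource)
    ACCESS_LEVELS.fetch(memberships[resource], 0)
  end
end

module RelationPolicy
  module_function

  def at_least?(user, resource, role)
    user.access_level(resource) >= ACCESS_LEVELS.fetch(role)
  end

  # Guests can read non-confidential issues; confidential issues additionally
  # need Reporter access or authorship/assignment.
  def can_read_issue?(user, issue)
    return false unless at_least?(user, issue.project, :guest)
    return true unless issue.confidential

    at_least?(user, issue.project, :reporter) ||
      issue.author == user.name ||
      issue.assignees.include?(user.name)
  end

  # Confidential epics are visible to Reporter+ group members only.
  def can_read_epic?(user, epic)
    return false unless at_least?(user, epic.group, :guest)
    return true unless epic.confidential

    at_least?(user, epic.group, :reporter)
  end

  # Before: admin_epic_issue required Reporter access on the issue's project.
  def admin_epic_issue_before?(user, issue)
    at_least?(user, issue.project, :reporter)
  end

  # After: admin_issue_relation requires Guest access on the issue's project
  # plus read access to the issue itself.
  def admin_issue_relation?(user, issue)
    at_least?(user, issue.project, :guest) && can_read_issue?(user, issue)
  end

  # After: admin_epic_relation requires Guest access on the epic's group
  # plus read access to the epic itself.
  def admin_epic_relation?(user, epic)
    at_least?(user, epic.group, :guest) && can_read_epic?(user, epic)
  end

  # Creating an epic-issue link checks both sides of the relation.
  def can_link_issue_to_epic?(user, epic, issue)
    admin_epic_relation?(user, epic) && admin_issue_relation?(user, issue)
  end
end

# Constructed sample data mirroring the local validation steps: a guest and a
# reporter in group-a/project-a, one public and one confidential issue.
GUEST    = User.new("guest",    { "group-a" => :guest,    "group-a/project-a" => :guest })
REPORTER = User.new("reporter", { "group-a" => :reporter, "group-a/project-a" => :reporter })
EPIC     = Epic.new(group: "group-a", confidential: false)
PUBLIC_ISSUE       = Issue.new(project: "group-a/project-a", confidential: false, author: "someone", assignees: [])
CONFIDENTIAL_ISSUE = Issue.new(project: "group-a/project-a", confidential: true,  author: "someone", assignees: [])

if __FILE__ == $PROGRAM_NAME
  puts "guest could link before:      #{RelationPolicy.admin_epic_issue_before?(GUEST, PUBLIC_ISSUE)}"
  puts "guest can link public issue:  #{RelationPolicy.can_link_issue_to_epic?(GUEST, EPIC, PUBLIC_ISSUE)}"
  puts "guest can link confidential:  #{RelationPolicy.can_link_issue_to_epic?(GUEST, EPIC, CONFIDENTIAL_ISSUE)}"
end
```

The point the model makes explicit is that lowering the role requirement to Guest does not by itself expose confidential issues: the "and can read the issue" half of the new check is what keeps a guest from linking a confidential issue, which is the behaviour the REST and UI validation steps below exercise.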
This MR updates permissions for the following actions:

Services:

- `EE::Issues::BaseService`: creating a new issue that includes the `epic_id` param
- `EpicIssues::CreateService`: creating a new epic-issue link
- `EpicIssues::DestroyService`: deleting an epic-issue link
- `Epics::TreeReorderService`: reordering child issues

Internal endpoints:

- `Groups::EpicIssuesController`: create, update and delete epic-issue links

REST endpoints:

- `API::EpicIssues`: create, update and delete epic-issue links
- `API::Issues`: create an issue with a linked epic

GraphQL mutations:

- `EpicAddIssue`
- `EpicTreeReorder`
How to set up and validate locally

Via UI

- Create a group with a project and an epic.
- Create two issues in the project, one of them confidential.
- Visit the epic impersonating a Guest user and ensure that the user can add a new child issue.
- Ensure that the user can add the existing non-confidential issue as a child issue.
- The guest user should be able to reorder the child issues too.

With REST endpoints: create a personal access token for the guest user and test the following requests.
Create links

```shell
export GUEST_PAT=<your_access_token>

# Create link with an existing issue, should succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$ISSUE_ID"
#=> Should succeed and

# Create link with an existing confidential issue, should not succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$CONFIDENTIAL_ISSUE_ID"
#=> {"message":"403 Forbidden"}

# Create a new issue and link it to the epic, should not succeed
curl --request POST --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/projects/$PROJECT_ID/issues?title=New%20child%20issue&epic_iid=$EPIC_IID"
```

Reorder links

```shell
curl --request PUT --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$EPIC_ISSUE_ID_2?move_before_id=$EPIC_ISSUE_ID_1"
```

Delete links

```shell
curl --request DELETE --header "PRIVATE-TOKEN: $GUEST_PAT" "http://gdk.test:3000/api/v4/groups/$GROUP_ID/epics/$EPIC_IID/issues/$EPIC_ISSUE_ID_1"
```
With GraphQL

Add issue to epic example mutation:

```graphql
mutation addIssue {
  epicAddIssue(input: {projectPath: "group-a/project-a", groupPath: "group-a", iid: "32", issueIid: "19"}) {
    epicIssue {
      epicIssueId
    }
    epic {
      issues {
        edges {
          node {
            title
          }
        }
      }
    }
    errors
  }
}
```
MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

- I have evaluated the MR acceptance checklist for this MR.
Edited by Eugenia Grieff