Only allow developers or higher to trigger merge_status_recheck

What does this MR do and why?

with_merge_status_recheck is an expensive call, so we'd like to restrict it to users with the developer role or above.

Related to #393600

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Mark some merge requests of a group you want to test as unchecked via the Rails console
    mrs = MergeRequestsFinder.new(user, group_id: 22).execute
    mrs.each(&:mark_as_unchecked)
  2. Make a merge_request list API call as a developer+ user with the with_merge_status_recheck=true param: http://127.0.0.1:3000/api/v4/groups/22/merge_requests?state=opened&with_merge_status_recheck=true
  3. Observe background jobs are enqueued either by looking at the log/sidekiq_client.log or by checking the merge_status of those MRs
  4. Mark them as unchecked once again
  5. Make the same request as a guest user with with_merge_status_recheck=true param http://127.0.0.1:3000/api/v4/groups/22/merge_requests?state=opened&with_merge_status_recheck=true
  6. Observe background jobs are not enqueued

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Sincheol (David) Kim
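
The restriction described in this merge request, modelled as an added example (it is not GitLab's code and not part of the MR): the list endpoint still answers every caller, but the costly recheck is only enqueued for developer role or above. The role ranks, every class and method name, and the choice to ignore the flag silently for lower roles are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's implementation. All names are hypothetical.
# Constructed role ranks: higher number means more privilege.
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

User = Struct.new(:name, :role)
MergeRequest = Struct.new(:iid, :merge_status)

# Stand-in for the background job queue; records which MRs were scheduled.
class RecheckQueue
  attr_reader :jobs

  def initialize
    @jobs = []
  end

  def enqueue(mr)
    @jobs << mr.iid
  end
end

# Fail closed: a role missing from the table ranks below guest.
def can_trigger_recheck?(user)
  ACCESS_LEVELS.fetch(user.role, 0) >= ACCESS_LEVELS[:developer]
end

# Query parameters arrive as strings; accept only explicit truthy values.
def truthy_param?(value)
  %w[true 1].include?(value.to_s.downcase)
end

# Every caller gets the list. The expensive recheck runs only when the
# caller asked for it AND holds developer role or above.
def list_merge_requests(user, mrs, params, queue)
  recheck = truthy_param?(params['with_merge_status_recheck']) && can_trigger_recheck?(user)
  mrs.each do |mr|
    next unless recheck && mr.merge_status == 'unchecked'

    mr.merge_status = 'checking'
    queue.enqueue(mr)
  end
  mrs.map { |mr| { iid: mr.iid, merge_status: mr.merge_status } }
end

# Constructed sample data: two unchecked MRs and one already checked.
def demo(role)
  queue = RecheckQueue.new
  mrs = [MergeRequest.new(1, 'unchecked'), MergeRequest.new(2, 'can_be_merged'), MergeRequest.new(3, 'unchecked')]
  list_merge_requests(User.new('sample', role), mrs, { 'with_merge_status_recheck' => 'true' }, queue)
  queue.jobs
end
```

The gate sits on the side effect rather than on the read, so a low-privilege caller cannot use the parameter to drive background work but still receives the list.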
