Adds write policy for Model experiments

Eduardo Bonetrequested to merge
model-experiments-write-permission into master

What does this MR do and why?

Adds write policy for Model experiments

Model experiments now requires at least user access to the repository to be able to modify or delete experiments and candidates. If a user does not have permission, we will return a 404.

Note: we still show the button to delete even if the user doe snot have authorization. This MR does not change the frontend, that will be a followup

How to set up and validate locally

  1. Enable the feature flag

    echo "Feature.enable(:ml_experiment_tracking)" | bundle exec rails c

  2. Create some data

    user_id = 1 # if you are using root
project_id = 1 # not necessarily 1, but the project you are using for testing. On a pristine gdk installation, project 1 is usually `toolbox/gitlab-smoke-tests`
exp = Ml::Experiment.create!(name: 'Gitlab Experiment', user_id: user_id, project_id: project_id)
c = exp.candidates.create!(user_id: user_id, start_time: 0, internal_id: 1, project_id: project_id)

  3. As an anonymous user:

    • Navigate to Model experiments (under Analyze in the menu bar, or your/project/-/ml/experiments)
    • Click on the create experiment, and then on the candidate
    • On the overflow menu, click on 'Delete experiment' image
    • verify that it returned 404. Navigate back to the experiment page and verify that the candidate was not deleted.
    • Same can be repeated for the experiment anonymous_flow.mov

  4. Perform the same as a member of the project with at least report access. You should be able to delete both candidate and experiment. authorized_flow.mov

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #417374 (closed)

Edited by Eduardo Bonet

Merge request reports