
Update permissions to set parent of an epic with quick actions

Related to #397073

What does this MR do and why?

This is a follow-up to !131559 (merged) where we updated permissions to set the parent of an epic at the service level.

This MR covers the quick action permissions so that a non-member can set the parent of an epic as long as they can read the parent and have Guest role in the child epic's group. This update also applies to removing the parent.

Currently, a user needs to have a guest role in both the child and the parent epic groups, but with this change (behind the feature flag epic_relations_for_non_members) we'll ease the requirements as follows:

  • The user has to be a guest member of the child epic's group (no change)
  • The user has to be able to read the parent epic, which requires the following type of access:
    • Guest role - if the group is private
    • Reporter role - if the epic is confidential
    • Signed-in user with no membership - if the group is public
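The rules above, modelled as an added illustration (this is not GitLab's code and not the policy classes touched by this MR; the Struct-based Group, Epic and User models and the function names below are hypothetical). It evaluates the "set parent" check both before and after the feature flag, so the scenario from the screen recordings (guest in the child's public group, non-member of the parent's public group) can be traced through:

```ruby
# Added example: simplified model of the epic-parent permission rules described
# in this MR. Not GitLab's implementation; all names here are hypothetical.

ROLE_RANK = { guest: 1, reporter: 2, developer: 3, maintainer: 4, owner: 5 }.freeze

# members: hash of user name => role symbol; visibility: :public or :private
Group = Struct.new(:name, :visibility, :members, keyword_init: true)
Epic  = Struct.new(:title, :group, :confidential, keyword_init: true)
User  = Struct.new(:name, :signed_in, keyword_init: true)

# Does `user` hold at least `role` in `group`? A non-member holds no role.
def at_least?(user, group, role)
  held = group.members[user.name]
  !held.nil? && ROLE_RANK.fetch(held) >= ROLE_RANK.fetch(role)
end

# "Can read the parent epic", as the MR describes it:
#   - confidential epic => Reporter role in its group
#   - private group     => Guest role
#   - public group      => any signed-in user
def can_read_epic?(user, epic)
  return false unless user.signed_in
  return at_least?(user, epic.group, :reporter) if epic.confidential
  return at_least?(user, epic.group, :guest) if epic.group.visibility == :private

  true
end

# Setting (or removing) the parent of `child`:
#   - always: Guest role in the child's group
#   - flag off: Guest role in the parent's group as well (old behaviour)
#   - flag on:  only needs to be able to read the parent epic
def can_set_parent?(user, child, parent, feature_flag_enabled:)
  return false unless at_least?(user, child.group, :guest)

  if feature_flag_enabled
    can_read_epic?(user, parent)
  else
    at_least?(user, parent.group, :guest)
  end
end

# Constructed scenario mirroring the recordings: guest in Group 1 (public),
# not a member of Group 2 (public). Returns the outcome for each variant.
def run_scenario
  guest  = User.new(name: 'guest', signed_in: true)
  group1 = Group.new(name: 'Group 1', visibility: :public, members: { 'guest' => :guest })
  group2 = Group.new(name: 'Group 2', visibility: :public, members: {})
  child  = Epic.new(title: 'Child Epic',  group: group1, confidential: false)
  parent = Epic.new(title: 'Parent Epic', group: group2, confidential: false)

  confidential_parent = Epic.new(title: 'Parent Epic', group: group2, confidential: true)
  private_group2      = Group.new(name: 'Group 2', visibility: :private, members: {})
  private_parent      = Epic.new(title: 'Parent Epic', group: private_group2, confidential: false)

  {
    flag_off: can_set_parent?(guest, child, parent, feature_flag_enabled: false),
    flag_on: can_set_parent?(guest, child, parent, feature_flag_enabled: true),
    flag_on_confidential_parent: can_set_parent?(guest, child, confidential_parent, feature_flag_enabled: true),
    flag_on_private_parent_group: can_set_parent?(guest, child, private_parent, feature_flag_enabled: true)
  }
end

if __FILE__ == $PROGRAM_NAME
  run_scenario.each { |variant, allowed| puts "#{variant}: #{allowed}" }
end
```

With the flag off the non-member is refused at the parent group check; with the flag on the public parent becomes settable, while a confidential parent or a private parent group still refuses a non-member.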

Screenshots or screen recordings

Setting parent and child epics using quick actions and the following conditions:

  • The epic_relations_for_non_members feature flag is enabled
  • The user has Guest role for Child 1
  • The user is not a member of Parent 2's group and this group is public
[Screen recordings: "Add and remove child epic" (add_child_epic) and "Set and remove parent epic" (set_parent_epic)]

How to set up and validate locally

  1. Create two public groups with an epic each:

     root = User.first
     group1 = Group.create!(name: 'Group 1', path: 'test-group1', owner: root)
     group2 = Group.create!(name: 'Group 2', path: 'test-group2', owner: root)
     parent = Epic.create!(title: 'Parent Epic', author: root, group: group2)
     child = Epic.create!(title: 'Child Epic', author: root, group: group1)

  2. Add a Guest user to 'Group 1':

     guest = User.last
     group1.add_member(guest, :guest)

  3. Make sure the feature flag is disabled with Feature.disable(:epic_relations_for_non_members) and log in as the guest user.
  4. Visit the Child 1 epic and try to set Parent 2 as the parent using the quick action in a comment:

     /parent_epic <url_to_parent_2>

     Verify that it returns an error (due to the user not having a guest role for Parent 2): You don't have sufficient permission to perform this action.

  5. Visit the Parent 2 epic and try to add Child 1 as a child epic:

     /child_epic <url_to_child_1>

     This quick action should not be available because the user doesn't have a guest role in Parent 2. If we enter the command anyway it should display an error: Could not apply child_epic command.

  6. Enable the feature flag with Feature.enable(:epic_relations_for_non_members).
  7. Repeat step 4 and verify that it sets the parent and returns a successful message: Set test-group2&2 as the parent epic. (Reloading the page should display the parent under the Ancestors section of the sidebar.)
  8. Verify that the parent can be removed using the quick action:

     /remove_parent_epic

  9. Visit Parent 2 and repeat step 5; this time the command should be available and adding the child should succeed with the message: Added test-group1&1 as a child epic. (Reloading the page should display the child under the Child issues and epics widget.)
  10. Verify that the child can be removed using the quick action:

     /remove_child_epic <url_to_child_1>

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff
