
Update permissions for setting parent of an epic using REST api

Related to #397073 (closed)

What does this MR do and why?

This is a follow-up to !131559 (merged) where we updated permissions to set the parent of an epic at the service level.

This MR covers the permissions in API::EpicLinks so that a user can set an epic as the parent if they can read that epic (previously we required the Guest role in the parent epic's group). The requirement for the child epic remains the same: the Guest role in the child epic's group. This update also applies to removing the parent.

These changes will be included behind the feature flag epic_relations_for_non_members.

There are no UI changes in this MR; the controller and UI will be updated with !135427 (merged).

How to set up and validate locally

1. In a Rails console, create two public groups with an epic each; take note of the Group 1 path, the parent's iid and the child's id:

   ```ruby
   root = User.first
   # Both groups are public so that any user can read their epics
   group1 = Group.create!(name: 'Group 1', path: 'test-group1', owner: root, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
   group2 = Group.create!(name: 'Group 2', path: 'test-group2', owner: root, visibility_level: Gitlab::VisibilityLevel::PUBLIC)
   # The parent lives in Group 2 (read access is enough); the child lives in Group 1 (Guest role required)
   parent = Epic.create!(title: 'Parent Epic', author: root, group: group2)
   child = Epic.create!(title: 'Child Epic', author: root, group: group1)
   ```
2. Add a Guest user to 'Group 1' (the child epic's group); this user gets no role in 'Group 2':

   ```ruby
   guest = User.last
   group1.add_member(guest, :guest)
   ```
3. Log in as the guest user, visit http://127.0.0.1:3000/-/profile/personal_access_tokens and create an access token with the api scope selected.
4. Make a request to set the parent of the epic and verify that it fails with a 403 response:

   ```shell
   export GITLAB_PAT=<your_api_token>
   curl -X POST -H "Authorization: Bearer $GITLAB_PAT" http://127.0.0.1:3000/api/v4/groups/test-group2/epics/<parent_iid>/epics/<child_id>

   #=> {"message":"403 Forbidden"}
   ```
5. Enable the feature flag with `Feature.enable(:epic_relations_for_non_members)` and try the request again. Verify that it's successful and that the parent was set.
6. Make a request to remove the parent and verify that it's successful:

   ```shell
   curl -X DELETE -H "Authorization: Bearer $GITLAB_PAT" http://127.0.0.1:3000/api/v4/groups/test-group2/epics/<parent_iid>/epics/<child_id>
   ```
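To make the rule being validated above concrete, here is an added stand-alone model of the permission check (example code, not GitLab's own API::EpicLinks implementation) that encodes the old rule, the new rule and the feature flag gate; the names Grp, Usr, Epc, can_set_parent? and mr_validation_scenario are assumptions made for this example.

```ruby
# Added example, not GitLab's code: a small stand-alone model of the
# authorization rule this MR describes for API::EpicLinks. The names
# Grp, Usr, Epc and can_set_parent? are assumptions made for the example.
ROLE_RANK = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Usr = Struct.new(:name)

# members maps a user name to a role symbol; visibility is :public or :private
Grp = Struct.new(:path, :visibility, :members) do
  # Epics of a public group are readable by anyone; private ones by members only
  def readable_by?(user)
    visibility == :public || members.key?(user.name)
  end

  def at_least_guest?(user)
    role = members[user.name]
    !role.nil? && ROLE_RANK.fetch(role) >= ROLE_RANK[:guest]
  end
end

Epc = Struct.new(:title, :group)

# Decide whether user may set (or remove) parent as the parent of child.
# Flag disabled (old rule): Guest role in both epics' groups.
# Flag enabled  (new rule): Guest role in the child's group, read access to the parent's.
def can_set_parent?(user, parent, child, flag_enabled:)
  return false unless child.group.at_least_guest?(user)

  flag_enabled ? parent.group.readable_by?(user) : parent.group.at_least_guest?(user)
end

# Reproduces the local validation steps (constructed data):
# two public groups, Guest role only in the child's group.
def mr_validation_scenario
  guest  = Usr.new('guest')
  group1 = Grp.new('test-group1', :public, { 'root' => :owner, 'guest' => :guest })
  group2 = Grp.new('test-group2', :public, { 'root' => :owner })
  parent = Epc.new('Parent Epic', group2)
  child  = Epc.new('Child Epic', group1)
  private_parent = Epc.new('Private Parent', Grp.new('priv', :private, {}))

  {
    flag_off: can_set_parent?(guest, parent, child, flag_enabled: false), # => false (403)
    flag_on:  can_set_parent?(guest, parent, child, flag_enabled: true),  # => true
    # a private parent group the guest is not a member of is still denied
    private_parent: can_set_parent?(guest, private_parent, child, flag_enabled: true),
    # no role at all in the child's group is denied regardless of the flag
    outsider: can_set_parent?(Usr.new('outsider'), parent, child, flag_enabled: true)
  }
end
```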

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugenia Grieff
