Make requirements permissions the same as issues
What does this MR do and why?
Existing Issue Behavior
A user who created an issue retains the ability to edit it even if their role is later downgraded to Guest.
Existing Requirements Behavior
A vulnerability was identified where a downgraded Guest could still edit requirements via indirect means, which was not intended.
MR Change
This change allows Guests who are also the authors of requirements to retain the ability to edit those requirements, just as they can with issues they authored. This makes issues and requirements behave consistently while addressing the vulnerability by tightening the permission checks: the user experience stays consistent and the permissions model is actually enforced.
The HackerOne report highlights an unwanted ability for Guests to edit, which this MR addresses by applying the correct permissions checks. The permissions for editing are not given to all Guests but are specifically granted to those who originally authored the requirement when they had the appropriate permissions.
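To make the rule above concrete, here is a small model of the edit decision as an added example. It is not GitLab's own policy code (GitLab implements this in DeclarativePolicy classes that are not shown on this page); the structs, method names, role table and sample users are assumptions made for illustration. It shows the four cases the MR cares about: the author downgraded to Guest keeps editing, another Guest does not, Reporter and above edit everything, and a removed member gets nothing.

```ruby
# Added example, not GitLab's own policy code: a small model of the edit
# rule this MR describes, so the cases can be checked side by side.
# Role names follow GitLab access levels; the structs, method names and
# sample users below are assumptions made for illustration only.

ROLE_LEVEL = { guest: 10, reporter: 20, developer: 30,
               maintainer: 40, owner: 50 }.freeze

# role is nil for someone who is not (or no longer) a project member
User = Struct.new(:username, :role, keyword_init: true)
Requirement = Struct.new(:title, :author, keyword_init: true)

def member?(user)
  !user.role.nil?
end

def reporter_or_above?(user)
  member?(user) && ROLE_LEVEL.fetch(user.role) >= ROLE_LEVEL[:reporter]
end

# The rule the MR applies to requirements, mirroring issues:
#   * Reporter and above may edit any requirement in the project;
#   * a Guest may edit only requirements they authored themselves
#     (authored at a time they had permission to create them);
#   * a Guest who is not the author, or a non-member, may not edit.
def can_update_requirement?(user, requirement)
  return false unless member?(user)
  return true if reporter_or_above?(user)
  requirement.author == user.username
end

# The validation steps check the Archive icon alongside Edit; this model
# gives archiving the same rule as editing.
def can_archive_requirement?(user, requirement)
  can_update_requirement?(user, requirement)
end

# Constructed scenario from the validation steps: alice created the
# requirement as a Reporter and was then downgraded to Guest.
REQUIREMENT = Requirement.new(title: "Login must use TLS", author: "alice")

SCENARIO = {
  "alice (author, now Guest)"   => User.new(username: "alice", role: :guest),
  "bob (Guest, not author)"     => User.new(username: "bob",   role: :guest),
  "carol (Reporter)"            => User.new(username: "carol", role: :reporter),
  "dave (removed from project)" => User.new(username: "dave",  role: nil),
}.freeze

# Returns { label => true/false } for the edit decision on each sample user.
def edit_matrix(requirement = REQUIREMENT, users = SCENARIO)
  users.transform_values { |u| can_update_requirement?(u, requirement) }
end

if $PROGRAM_NAME == __FILE__
  edit_matrix.each { |who, ok| puts "#{who.ljust(28)} edit: #{ok}" }
end
```

The important negative cases are bob and dave: authorship alone is not enough (dave authored nothing here, but even an author who has left the project is denied by the membership check first), and being a Guest alone is not enough either.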
Issue: #424961 (closed)
PM Approval on the solution can be found here - #424961 (comment 1822565451)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
How to set up and validate locally
- Visit http://127.0.0.1:3000/flightjs/Flight/-/project_members, select a user who has the Reporter role, and log in as that user.
- Visit the Requirements page http://127.0.0.1:3000/flightjs/Flight/-/requirements_management/requirements and create a requirement.
- Log in as Admin and change the above user's role to Guest.
- Log in as the above user again and visit the requirements page. You should now see the Edit and Archive icons next to requirements authored by this user, and no Edit or Archive icons next to requirements authored by anyone else.