Add new static role Planner

What does this MR do and why?

This MR adds a new static user role called Planner which includes all Product Manager abilities. See #482733 (closed) for more details.

This new role has access to all the Guest role's permissions plus some of the abilities in higher levels that are required for managing product planning features (see permission requirements in &15645 (closed)). Outside Plan features, we'll only see changes in merge requests, where access will be granted as follows:

  • In a public project:
    • Merge Requests are public: Planner users have the same access as a Guest user, meaning they can read the MRs and add comments but not update the MR or push code. The only difference with Guest access is that Planners can add internal comments.
    • Merge Requests are private: No access to the project's MR (same as Guest)
  • In a public project: In this case, a Guest user doesn't have access to read the MR but the Planner does (same access as described above)

To note

Although the Planner role includes all policies allowed for the Guest role, we can't consider permissions to be linear anymore because the Reporter role doesn't inherit from the Planner role. The following tables outline the differences with the Reporter, Developer and Maintainer roles:

Group Permissions

Permissions that are allowed for Planners but forbidden for Reporters:

  • Create/edit/delete group wiki pages

Permissions that are allowed for Planners but forbidden for Reporters, Developers and Maintainers:

  • Delete group epic

Project Permissions

Permissions that are allowed for Planners but forbidden for Reporters:

  • Upload/archive Design Management files
  • Create/edit/delete wiki pages

Permissions that are allowed for Planners and forbidden for Reporters, Developers and Maintainers:

  • Delete work items (these include issues and tasks)

What is included in this MR

The changes included in this MR consist of:

  • Populate role in drop-downs for invite and membership pages
  • Display role as pills on component views
  • Define methods in Group and Project models that allow fetching and adding members with the Planner role
  • Add group and project policies (based on the permission table outlined in &15645 (closed))
  • Add issuable policies (based on the permission table outlined in &15645 (closed))
  • Update specs that have references to access levels

What is NOT included in this MR

  1. Documentation [will be added in !171283 (merged)]
  2. Add the Planner role to the User Statistics admin page [will be added in !170949 (merged)]
  3. Add the Planner options to GraphQL enums Types::AccessLevelEnum and Types::GitlabSubscriptions::UserRoleEnum [will be added in !170940 (merged)]
  4. Update UI text that references Reporter as the minimum role required for visibility [will be updated in !171950 (merged)]
  5. Extensive test coverage (specs not failing in this MR that need to include the new role to improve specs coverage) [will be added in !171130 (closed)]

FAQ

  • Could we use a feature flag? This is, unfortunately, not possible since the roles are defined at boot time (as class-level methods), and feature flags cannot be used there. See https://gitlab.com/gitlab-org/gitlab/-/issues/461064#note_2042737725
  • Could the MR be broken down into several MRs? Given that the role will not be hidden, it will have to include all abilities from the get-go. I discussed with Product the option of releasing the role matching the Guest role permissions (and incrementally adding the additional abilities), but it was deemed not ideal. The main bulk of changes are in specs, so it should be somewhat easier to parse.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Actions / Screenshot/Screen recording
  • Invite a user with the Planner role to a Group or Project
  • Change the role of an existing member to Planner

Screen_Recording_2024-10-24_at_14.15.45

  • A Planner user adds a comment

Screenshot_2024-10-24_at_14.18.43

An admin user views the Planner role in the Admin/Roles and permissions page

Screenshot 2024-10-31 at 15.25.56.png

How to set up and validate locally

  1. With an admin user, create a private group 'Test Group' with a project 'Test Project'
  2. Register a new user or create one using the Rails console:

     FactoryBot.create(:user, username: 'planner', name: 'Planner', password: 'pass12345')

  3. Invite the new user to the group and the projects using the Planner role
  4. Log in with the planner user and verify the following actions are permitted
Edited by Eugenia Grieff
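
The point under "To note", that permissions are no longer linear, matters for any authorization check written as a minimum-level comparison. The following is an added example, not code from this MR or from GitLab: the ability names and numeric levels are hypothetical, and it assumes Developers and Maintainers keep the abilities the tables list as forbidden only for Reporters.

```ruby
# Added illustration; ability names and numeric levels are assumptions.
LEVELS = { guest: 10, planner: 15, reporter: 20, developer: 30, maintainer: 40 }.freeze

# Explicit role sets taken from the permission tables in the description.
# Owner is omitted because the description does not say how it is treated.
ALLOWED = {
  add_comment:       %i[guest planner reporter developer maintainer],
  manage_wiki_page:  %i[planner developer maintainer], # forbidden for Reporter
  upload_design:     %i[planner developer maintainer], # forbidden for Reporter
  delete_work_item:  %i[planner],                      # forbidden for Reporter..Maintainer
  delete_group_epic: %i[planner]                       # forbidden for Reporter..Maintainer
}.freeze

# Threshold-style check: every role at or above min_role gets the ability.
def threshold_allowed?(role, min_role)
  LEVELS.fetch(role) >= LEVELS.fetch(min_role)
end

# Explicit check: only roles listed for the ability get it.
def explicit_allowed?(role, ability)
  ALLOWED.fetch(ability).include?(role)
end

# Roles that a ">= lowest allowed role" check would grant the ability to,
# although the explicit table forbids it.
def over_granted(ability)
  min_role = ALLOWED.fetch(ability).min_by { |r| LEVELS.fetch(r) }
  LEVELS.keys.select do |role|
    threshold_allowed?(role, min_role) && !explicit_allowed?(role, ability)
  end
end

# Every ability for which a threshold check disagrees with the table.
def audit
  ALLOWED.keys.to_h { |a| [a, over_granted(a)] }.reject { |_, roles| roles.empty? }
end

audit.each do |ability, roles|
  puts "#{ability}: a threshold check would also grant #{roles.join(', ')}"
end
```

An ability that appears in the audit output has to be checked against an explicit role list; only abilities absent from it, such as `add_comment` here, are safe to express as a minimum level.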