Fix 403 errors interacting CI/CD variables via REST API
What does this MR do and why?
Related to #502896 (closed)
Fix 403 errors when setting CI/CD variables via REST API
This MR updates the API authorization logic for the CI/CD settings of projects and groups. Previously, we were only checking that a user was able to admin the group or project, and authorization would fail if they were assigned a custom role with the admin_cicd_variables permission.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
- Create a user in an ultimate project or group with a custom role with developer base access and the Admin cicd variables custom permission.
- Generate a personal access token for the user with API access.
- Ensure that API requests to interact with CI/CD variables are successful.
curl --header "PRIVATE-TOKEN: $TEST_TOKEN" -X POST 'https://gdk.test:3443/api/v4/projects/23/variables?key=testvar2&value=123456'
curl --header "PRIVATE-TOKEN: $TEST_TOKEN" 'https://gdk.test:3443/api/v4/projects/23/variables'
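
A minimal model of the authorization change described above, as an added example (not GitLab's code and not part of this MR). It shows why a check on the coarse admin ability rejects a custom-role user, and includes the negative case worth validating alongside the steps above: a developer without the custom permission must still get a 403. The ability name `admin_project`, the role table and the status helpers are assumptions for illustration; only `admin_cicd_variables` comes from the MR description.

```ruby
# Toy model of the authorization change; not GitLab's implementation.
# Every name except admin_cicd_variables is a hypothetical stand-in.
require "set"

# Abilities granted by each base access level (constructed sample data).
BASE_ABILITIES = {
  developer:  Set[:read_project],
  maintainer: Set[:read_project, :admin_project]
}.freeze

# Admin rights on the project imply the narrower variable permission,
# so existing maintainers keep access once the check is narrowed.
IMPLIED = { admin_project: Set[:admin_cicd_variables] }.freeze

Member = Struct.new(:base_role, :custom_permissions) do
  # Base-role abilities plus custom permissions plus anything they imply.
  def abilities
    direct = BASE_ABILITIES.fetch(base_role) | custom_permissions.to_set
    direct.reduce(direct) { |all, a| all | IMPLIED.fetch(a, Set[]) }
  end

  def can?(ability)
    abilities.include?(ability)
  end
end

# Before: the endpoint gates on the coarse admin ability only.
def variables_status_before(member)
  member.can?(:admin_project) ? 200 : 403
end

# After: the endpoint gates on the specific permission.
def variables_status_after(member)
  member.can?(:admin_cicd_variables) ? 200 : 403
end

CUSTOM_ROLE_USER = Member.new(:developer, [:admin_cicd_variables])
PLAIN_DEVELOPER  = Member.new(:developer, [])
MAINTAINER       = Member.new(:maintainer, [])

if __FILE__ == $PROGRAM_NAME
  [CUSTOM_ROLE_USER, PLAIN_DEVELOPER, MAINTAINER].each do |m|
    puts format("%-10s %-24s before=%d after=%d", m.base_role,
                m.custom_permissions.inspect,
                variables_status_before(m), variables_status_after(m))
  end
end
```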