Analytics dashboards - Fix permissions check for direct project member
What does this MR do and why?
This MR fixes a permissions issue in the Analytics dashboards where direct project members could not access dashboard features that they should have permissions for. The issue occurred because the frontend ability checks were being performed against the project group instead of the project itself.
Problem being solved
Direct project members were unable to view analytics dashboard features (DORA metrics, cycle analytics, and security resources) because the permissions were incorrectly checked against the project's group rather than the project. This prevented legitimate project members from accessing analytics data they should be able to view.
Changes made
- Updated `DashboardsController` to check frontend abilities against the `project` resource instead of `project.group`
- Added comprehensive test coverage for direct project members accessing the Value Streams Dashboard
- Created shared examples for licensed project VSD rendering to improve test maintainability
Key Points and Actions
| Area | Details |
|---|---|
| Files Changed | `dashboards_controller.rb`, dashboard specs, shared examples |
| Permission Fix | Changed resource from `project.group` to `project` for ability checks |
| Test Coverage | Added direct project member test scenario |
| Abilities Fixed | `read_dora4_analytics`, `read_cycle_analytics`, `read_security_resource` |
How to set up and validate locally
- Create a project with analytics features enabled (Ultimate license required)
- Add a user as a direct project member (reporter role or higher)
- Sign in as that user and navigate to the project's Value Streams Dashboard
- Verify all dashboard panels are visible and no license upgrade messages appear
- Run the updated feature spec to validate the fix:
bundle exec rspec ee/spec/features/projects/analytics/dashboards_spec.rb
References
Related to #558232 (closed)
Edited by Ezekiel Kigbo
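
The mismatch described above, as an added example that is not code from this MR or from GitLab: a simplified membership model showing why an ability check against `project.group` fails for a direct project member while the same check against `project` passes, and that a non-member stays denied either way. The structs, the `can?` helper, the user names and the access levels are assumptions made for the illustration.

```ruby
# Simplified model, not GitLab's policy code (assumption): membership is
# inherited from a group down to its projects, never from project up to group.
REPORTER = 20   # constructed access levels
DEVELOPER = 30
ABILITIES = %i[read_dora4_analytics read_cycle_analytics read_security_resource].freeze

Group = Struct.new(:name, :members) do
  def level_for(user)
    members.fetch(user, 0)
  end
end

Project = Struct.new(:name, :group, :members) do
  # Effective level is the higher of direct and inherited group membership.
  def level_for(user)
    [members.fetch(user, 0), group.level_for(user)].max
  end
end

# Hypothetical ability check: reporter or higher on the subject being checked.
def can?(user, ability, subject)
  ABILITIES.include?(ability) && subject.level_for(user) >= REPORTER
end

# Abilities handed to the frontend, computed against the given resource.
def frontend_abilities(user, resource)
  ABILITIES.to_h { |ability| [ability, can?(user, ability, resource)] }
end

# Constructed sample data.
GROUP = Group.new("acme", { "group_dev" => DEVELOPER })
PROJECT = Project.new("web", GROUP, { "direct_reporter" => REPORTER })

# Before the fix the resource was project.group; after it, the project.
def compare(user)
  { before: frontend_abilities(user, PROJECT.group),
    after: frontend_abilities(user, PROJECT) }
end

if __FILE__ == $PROGRAM_NAME
  %w[direct_reporter group_dev outsider].each do |user|
    result = compare(user)
    puts format("%-16s before=%-5s after=%s", user,
                result[:before].values.all?, result[:after].values.all?)
  end
end
```

A regression spec for this class of bug should cover all three users: the direct member (gains access), the inherited group member (unchanged), and the non-member (still denied).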