Restrict issues settings page access to maintainers+ only

What does this MR do and why?

This MR restricts the issues settings page (where configurable statuses and custom fields can be managed) at the root-group level to users with maintainer or higher permissions by fixing incorrect permission checks.

The changes replace the admin_work_item permission with the appropriate admin_work_item_lifecycle permission for work item statuses, while ensuring proper feature availability checks are paired with corresponding permission checks.

The authorization logic has been refactored in both the controller and sidebar menu to consistently apply these permission requirements across the application.

References

Screenshots or screen recordings

(Two screenshots, captured 2025-08-14: the issues settings page as seen by a Maintainer, and the result for a user with less than Maintainer.)

How to set up and validate locally

  1. Access the root group settings page (for example, http://127.0.0.1:3000/groups/gitlab/-/settings/issues) using a maintainer+ role. The settings page should be accessible.
  2. Access the root group settings page using a role lower than maintainer. The page should return a 404 Page Not Found error.
  3. Verify that the issues menu item in the sidebar menu is accessible at root-group level to maintainer+ users.
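An added script (not part of this MR) that automates steps 1 and 2 against a local instance: it requests the settings page with two browser sessions and checks for 200 versus 404. It assumes the `_gitlab_session` cookie values of a logged-in maintainer and of a lower-role user are exported as `SESSION_MAINTAINER` and `SESSION_DEVELOPER`, and that `curl` is available; the instance URL defaults to the one used above.

```shell
#!/bin/sh
# Added validation helper, not GitLab project code. Assumes a local GitLab at
# GITLAB_URL and two logged-in sessions whose _gitlab_session cookie values are
# exported as SESSION_MAINTAINER and SESSION_DEVELOPER.
set -u

GITLAB_URL="${GITLAB_URL:-http://127.0.0.1:3000}"
SETTINGS_PATH="/groups/gitlab/-/settings/issues"

# Print the HTTP status the settings page returns for the given session cookie.
fetch_status() {
  session_cookie="$1"
  curl -s -o /dev/null -w '%{http_code}' \
    -H "Cookie: _gitlab_session=${session_cookie}" \
    "${GITLAB_URL}${SETTINGS_PATH}"
}

# Compare an observed status with the expected one: return 0 on match, 1 otherwise.
assert_status() {
  role="$1"; observed="$2"; expected="$3"
  if [ "$observed" = "$expected" ]; then
    echo "PASS: ${role} got ${observed} (expected ${expected})"
    return 0
  fi
  echo "FAIL: ${role} got ${observed} (expected ${expected})" >&2
  return 1
}

# Only contact the server when both session cookies were provided.
if [ -n "${SESSION_MAINTAINER:-}" ] && [ -n "${SESSION_DEVELOPER:-}" ]; then
  failures=0
  # Maintainer or higher must see the page; anything lower must get a 404, not a 403.
  assert_status maintainer "$(fetch_status "$SESSION_MAINTAINER")" 200 || failures=$((failures + 1))
  assert_status developer  "$(fetch_status "$SESSION_DEVELOPER")" 404 || failures=$((failures + 1))
  exit "$failures"
fi
```

Run it once before and once after checking out the MR branch; the lower-role check should flip from FAIL to PASS.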

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Agnes Slota
