Remove per-source permission checks from participants

Agnes Slotarequested to merge
577825/aslota-remove-permissions-check-for-participants into master

What does this MR do and why?

This MR removes expensive per-source permission checks from participant calculation that were causing performance issues for issues and MRs with many notes.

All users now see the same participant list, providing consistent behaviour across different permission levels.

Details

  • This MR reverts changes from !74906 (merged), !76764 (merged) and !76951 (merged).
  • The AppSec team approved removing the permission checks.
  • This MR removes the per-source permission checks for participants, but as suggested by @engwan here, we should also consider removing the remaining per-participant ability checks for further performance improvements. Here's a separate issue to handle that: #582001 (closed).

References

Screenshots or screen recordings

Before Before After
Non-member user Screenshot_2025-11-24_at_11.13.50_am Screenshot_2025-11-24_at_11.02.53_am
Member user Screenshot_2025-11-24_at_11.01.04_am Screenshot_2025-11-24_at_11.01.04_am

How to set up and validate locally

  1. Create one public project and one private project.
  2. As a non-member user, create an issue in the public project.
  3. As a member user, create an issue in the private project and add a comment that includes a link to the public issue.
  4. Visit the public issue as a non-member user; the participant list should show 2 participants, including the comment author from the private issue.
  5. Visit the public issue as a member user; the participant list should also show 2 participants.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Agnes Slota

Merge request reports