feat: enable granular PATs for Epics REST endpoints

Relates to issue #583308 (closed)

Changes

This MR implements granular Personal Access Token (PAT) permissions for all Epics REST API endpoints, enabling fine-grained access control for epic operations.

Permission Definitions (9 new files)

  • Created 4 permission definitions: read_epic, create_epic, update_epic, delete_epic
  • Created 4 corresponding permission groups for assignable permissions
  • Added feature category metadata for portfolio_management

API Implementation

Modified ee/lib/api/epics.rb to add authorization decorators to all 5 Epic endpoints:

  • GET /groups/:id/epics - requires read_epic permission
  • GET /groups/:id/epics/:epic_iid - requires read_epic permission
  • POST /groups/:id/epics - requires create_epic permission
  • PUT /groups/:id/epics/:epic_iid - requires update_epic permission
  • DELETE /groups/:id/epics/:epic_iid - requires delete_epic permission

All endpoints use group as the boundary type since epics are scoped to groups.
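The shape of such a check, written here as an added stand-alone Ruby example (not the MR's own code and not GitLab's route DSL, which this description does not show): the five endpoints above are mapped to the permission they require, a granular token carries explicit permissions bound to one group, a legacy token carries only a scope, and the check fails closed on an unknown endpoint, a boundary mismatch or a missing permission. The names GranularToken, LegacyApiToken and authorize_granular! are assumptions made for the example.

```ruby
# Added example modelling granular-PAT authorization for the epics endpoints.
# Not GitLab's implementation; struct and method names below are assumptions.
require 'set'

# Permission required by each endpoint, keyed on HTTP method and route template
# (taken from the endpoint list in this MR description).
EPIC_ENDPOINT_PERMISSIONS = {
  [:get,    '/groups/:id/epics']           => :read_epic,
  [:get,    '/groups/:id/epics/:epic_iid'] => :read_epic,
  [:post,   '/groups/:id/epics']           => :create_epic,
  [:put,    '/groups/:id/epics/:epic_iid'] => :update_epic,
  [:delete, '/groups/:id/epics/:epic_iid'] => :delete_epic
}.freeze

# Granular token: explicit permission set, bound to one boundary (a group here).
GranularToken  = Struct.new(:permissions, :boundary_type, :boundary_id, keyword_init: true)
# Legacy token: a coarse scope such as :api that grants every endpoint.
LegacyApiToken = Struct.new(:scope, keyword_init: true)

class AuthorizationError < StandardError; end

# Raises AuthorizationError unless `token` may call `method path` on `group_id`.
# Returns the permission that was checked so callers can log it.
def authorize_granular!(token, method:, path:, group_id:)
  # Fail closed: an endpoint without a declared permission is never callable
  # with a granular token or any other token.
  required = EPIC_ENDPOINT_PERMISSIONS.fetch([method, path]) do
    raise AuthorizationError, "no permission declared for #{method.to_s.upcase} #{path}"
  end

  case token
  when LegacyApiToken
    raise AuthorizationError, 'scope :api required' unless token.scope == :api
  when GranularToken
    # Boundary check first: a token issued for group 42 says nothing about group 7.
    unless token.boundary_type == :group && token.boundary_id == group_id
      raise AuthorizationError, "token not bound to group #{group_id}"
    end
    unless token.permissions.include?(required)
      raise AuthorizationError, "token lacks #{required}"
    end
  else
    raise AuthorizationError, 'unsupported token type'
  end

  required
end

# Boolean convenience wrapper around the raising check.
def authorized?(token, **request)
  authorize_granular!(token, **request)
  true
rescue AuthorizationError
  false
end

if __FILE__ == $PROGRAM_NAME
  read_only = GranularToken.new(permissions: Set[:read_epic], boundary_type: :group, boundary_id: 42)
  puts authorized?(read_only, method: :get,  path: '/groups/:id/epics', group_id: 42)  # true
  puts authorized?(read_only, method: :post, path: '/groups/:id/epics', group_id: 42)  # false
end
```

A token holding only read_epic can list and show epics in its group but is refused on POST, PUT and DELETE, and is refused entirely on another group; the legacy :api token still passes every endpoint, which is the behaviour the granular tokens let users avoid.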

Test Coverage

Enhanced ee/spec/requests/api/epics_spec.rb with 5 new test blocks using the 'authorizing granular token permissions' shared example to verify proper authorization for each endpoint.

Impact

Users can now create Personal Access Tokens with specific epic permissions rather than requiring full API access, improving security and following the principle of least privilege.

Edited by Duo Developer
