Split work items rest API feature flag into seperate flags for listing page

Matt D'Angelorequested to merge
601595-investigate-splitting-work_item_rest_api-into-seperate-feature-flags into master

What does this MR do and why?

  • Splits the work_item_rest_api feature flag into 2 seperate flags. One which alone can enable the listing query, and the original work_item_rest_api feature flag, which enables all of the new endpoints.
  • The purpose of the additional flag is to allow the rollout of the listing query on the REST API globally while the other endpoints are in progress

References

Screenshots or screen recordings

Not provided

How to set up and validate locally

  1. Verify index endpoint works with only work_item_rest_api_index enabled
  • Enable the work_item_rest_api_index feature flag
  • Disable the work_item_rest_api feature flag
curl --header "PRIVATE-TOKEN: <your_token>" \
  "http://127.0.0.1:3000/api/v4/groups/<group_id>/work_items"

Expected: 200 OK with a list of work items.

  1. Verify create/show/update endpoints are still blocked with only work_item_rest_api_index enabled
# Show
curl --header "PRIVATE-TOKEN: <your_token>" \
  "http://127.0.0.1:3000/api/v4/groups/<group_id>/work_items/<iid>"

# Create
curl --request POST --header "PRIVATE-TOKEN: <your_token>" \
  --header "Content-Type: application/json" \
  --data '{"title":"Test","work_item_type_name":"task"}' \
  "http://127.0.0.1:3000/api/v4/groups/<group_id>/work_items"

# Update
curl --request PATCH --header "PRIVATE-TOKEN: <your_token>" \
  --header "Content-Type: application/json" \
  --data '{"title":"Updated title"}' \
  "http://127.0.0.1:3000/api/v4/groups/<group_id>/work_items/<iid>"

Expected: all three return 403 Forbidden.

  1. Verify all endpoints work when only work_item_rest_api is enabled
  • Enable the work_item_rest_api feature flag
  • Disable the work_item_rest_api_index feature flag

Re-run all four requests above. Expected: all return success responses.

4. Verify all endpoints are blocked when both flags are disabled

  • Disable the work_item_rest_api feature flag
  • Disable the work_item_rest_api_index feature flag

Re-run all four requests. Expected: all return 403 Forbidden with the message work_item_rest_api_index and work_item_rest_api feature flags are both disabled for this user.

You can swap groups for projects in the URLs to verify the same behaviour on project-level work items.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #601595 (closed)

Edited by Matt D'Angelo

Merge request reports