Add include_parent_milestones to milestones API endpoints

Eugenia Grieff requested to merge 196066-add-milestone-expired-info-be-3 into master

What does this MR do?

Related to #196066 (closed)

This is a new approach for implementing this param, given that the previous MR was reverted because it introduced a regression. In this case, I've opted for using the scope for_projects_and_groups instead of MilestonesFinder.

This change is a requirement for milestones dropdown with expired milestones and addresses the following point in this discussion:

  1. The public API doesn't support fetching milestones for a project and its parent group(s) in one request, unlike the internal API we were already using: !35595 (comment 376337178)

Introduces a new param include_parent_milestones for project milestones API endpoint GET /projects/:id/milestones and group milestones endpoint GET /groups/:id/milestones.

The default value for this param is false and when set to true, the request will additionally fetch group milestones from the parent group and its ancestors.

Examples

With the following structure

  • Group A
    • Subgroup B
      • Project B
      • Subgroup C
  1. If we fetch the list of milestones from Project B with include_parent_milestones set as true, we would get all project milestones from Project B, all group milestones from Subgroup B and all group milestones from Group A, as long as the user has access to these ancestor groups.
  2. If we fetch the list of milestones from Subgroup C with include_parent_milestones set as true, we should get all group milestones from Subgroup C, all group milestones from Subgroup B and all group milestones from Group A (again, given the right access).

Permissions

As the permissions to access parent ancestors differ for projects and groups, we'll observe the following behaviour when the resources have limited visibility:

  • Non-Member of Private Project

Cannot access any milestone.

  • Member of Private Project when the Project parent is a group with ancestors

projects/:id/milestones?include_parent_milestones=true will return the project's milestones and group milestones from the parent group and its ancestors.

  • Member of a private subgroup and its ancestors

groups/:id/milestones?include_parent_milestones=true will return all group milestones from the subgroup and its ancestors.

  • Member of Private Group only, without access to ancestors

groups/:id/milestones?include_parent_milestones=true will return only the subgroup's group milestones.

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by Eugenia Grieff
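
The permission cases in the description, written as a small Ruby model that can serve as a regression table for the ancestor walk. This is an added illustration, not code from the MR or from GitLab: `Group`, `Project`, `User`, `visible_milestones` and the milestone titles are hypothetical, every resource is assumed private, and group membership is assumed to be inherited by subgroups.

```ruby
# Toy model of the Permissions section (added illustration, not GitLab code).
# Assumptions: every resource is private; group membership is inherited by subgroups.
Group = Struct.new(:name, :parent, :milestones) do
  # This group followed by each ancestor up to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end
Project = Struct.new(:name, :group, :milestones)
User = Struct.new(:name, :member_of) # member_of: resources the user was added to directly

def can_read_group?(user, group)
  group.self_and_ancestors.any? { |g| user.member_of.include?(g) }
end

def can_read_project?(user, project)
  user.member_of.include?(project) || can_read_group?(user, project.group)
end

# Titles returned by GET /projects/:id/milestones or GET /groups/:id/milestones.
def visible_milestones(user, resource, include_parent_milestones: false)
  if resource.is_a?(Project)
    return [] unless can_read_project?(user, resource)
    return resource.milestones unless include_parent_milestones
    # Project case: a project member also gets the parent group's and its ancestors' milestones.
    resource.milestones + resource.group.self_and_ancestors.flat_map(&:milestones)
  else
    return [] unless can_read_group?(user, resource)
    groups = include_parent_milestones ? resource.self_and_ancestors : [resource]
    # Group case: ancestors the user cannot read are left out of the result.
    groups.select { |g| can_read_group?(user, g) }.flat_map(&:milestones)
  end
end

# Constructed sample data mirroring the structure in the Examples section.
GROUP_A    = Group.new("Group A", nil, ["A1"])
SUBGROUP_B = Group.new("Subgroup B", GROUP_A, ["B1"])
SUBGROUP_C = Group.new("Subgroup C", SUBGROUP_B, ["C1"])
PROJECT_B  = Project.new("Project B", SUBGROUP_B, ["P1"])

c_only = User.new("c_only", [SUBGROUP_C])
p visible_milestones(c_only, SUBGROUP_C, include_parent_milestones: true)
```

The same four cases make useful request specs against the real endpoints: each one pins down which ancestor milestones a given membership may see, so a change to the ancestor lookup that widens visibility fails a test.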