Change permissions to set epic of an issue

Review changes
Open in Workspace
Download
Patches
Plain diff

208425-user-without-parent-group-permission-cannot-assign-epic-to-issue into master Jul 26, 2021

Overview 17
Commits 7
Pipelines 8
Changes 17

What does this MR do?

To be able to assign an issue to its project's parent group epic, like discussed in #208425 (closed), we need to modify the permissions check as follows:

From

The user has the ability to admin_epic

To

The user has the ability to admin_issue (IOWm at least a reporter role in the project)
The user has the ability to read_epic (IOW, at least a guest role in the group as well as having the epics feature enabled for the group)

This MR changes permission checks in:

Issue#can_assign_epic?
Mutations::Issues::SetEpic#authorize_read_rights!
EE::Issues::BaseService#epic_param
EpicIssues::CreateService#linkable_issuables
EpicIssues::DestroyService#permission_to_remove_relation?
API::EpicIssues
- PUT :id/(-/)epics/:epic_iid/issues/:epic_issue_id
- POST :id/(-/)epics/:epic_iid/issues/:issue_id
- DELETE :id/(-/)epics/:epic_iid/issues/:epic_issue_id

Does this MR meet the acceptance criteria?

Conformity

I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
I have added/updated documentation, or it's not needed. (Is documentation required?)
I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?)
I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?)
I have self-reviewed this MR per code review guidelines.
This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
I have followed the style guides.
This change is backwards compatible across updates, or this does not apply.

Availability and Testing

I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
I have tested this MR in all supported browsers, or it's not needed.
I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.

Related to #208425 (closed)

Edited Nov 05, 2021 by Eugenia Grieff

Merge request reports

Assignee Loading

Reviewers Loading

Request review from

Loading

Time tracking Loading

Loading