From 6b9d636372dd8971a56f2b7e808dca2241cfdcbe Mon Sep 17 00:00:00 2001
From: Sean Arnold <sarnold@gitlab.com>
Date: Mon, 13 Jun 2022 17:52:09 +1200
Subject: [PATCH 1/2] Simplify issue policy, allow bots metadata access

Fixes an issue where the alert bot would not be able to
use quick actions when creating an incident from an alert.

Changelog: fixed
---
 app/policies/issue_policy.rb                | 13 ++-----------
 spec/policies/issue_policy_spec.rb          | 12 ++++++++++++
 spec/services/issues/create_service_spec.rb | 17 +++++++++++++++++
 3 files changed, 31 insertions(+), 11 deletions(-)

diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 2b6dcc56fa07e301..b033c61ff8ac1789 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,13 +57,8 @@ class IssuePolicy < IssuablePolicy
     enable :update_subscription
   end
 
-  # admin can set metadata on new issues
-  rule { ~persisted & admin }.policy do
-    enable :set_issue_metadata
-  end
-
-  # support bot needs to be able to set metadata on new issues when service desk is enabled
-  rule { ~persisted & support_bot & can?(:guest_access) }.policy do
+  # admin can set metadata on issues
+  rule { can?(:admin_issue) }.policy do
     enable :set_issue_metadata
   end
 
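Review bot: The rewritten rule `rule { can?(:admin_issue) }` has lost both the `~persisted` guard and the dedicated support-bot rule, so `:set_issue_metadata` on a not-yet-saved issue now depends entirely on which principals are granted `:admin_issue`, and that grant is defined outside this hunk. Because `:set_issue_metadata` also unlocks `:set_confidentiality` (the rule at the end of the following hunk), it is worth confirming that the support bot with service desk enabled still reaches `:admin_issue` on a new issue and that no bot or non-member gains it unintentionally. The kept comment `# admin can set metadata on issues` reads as if it meant instance admins; something like `# anyone with :admin_issue (including bot users) can set metadata, persisted or not` would describe the ability check that is actually made. IssuePolicy's body starts and ends outside the hunk.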
@@ -72,10 +67,6 @@ class IssuePolicy < IssuablePolicy
     enable :set_issue_metadata
   end
 
-  rule { persisted & can?(:admin_issue) }.policy do
-    enable :set_issue_metadata
-  end
-
   rule { can?(:set_issue_metadata) }.policy do
     enable :set_confidentiality
   end
diff --git a/spec/policies/issue_policy_spec.rb b/spec/policies/issue_policy_spec.rb
index 557bda985afc2804..fefbb59a83007903 100644
--- a/spec/policies/issue_policy_spec.rb
+++ b/spec/policies/issue_policy_spec.rb
@@ -13,6 +13,7 @@
   let(:reporter_from_group_link) { create(:user) }
   let(:non_member) { create(:user) }
   let(:support_bot) { User.support_bot }
+  let(:alert_bot) { User.alert_bot }
 
   def permissions(user, issue)
     described_class.new(user, issue)
@@ -41,6 +42,14 @@ def permissions(user, issue)
     end
   end
 
+  shared_examples 'alert bot' do
+    it 'allows alert_bot to read and set metadata on issues' do
+      expect(permissions(alert_bot, issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+      expect(permissions(alert_bot, issue_no_assignee)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+      expect(permissions(alert_bot, new_issue)).to be_allowed(:read_issue, :read_issue_iid, :update_issue, :admin_issue, :set_issue_metadata, :set_confidentiality)
+    end
+  end
+
   context 'a private project' do
     let(:project) { create(:project, :private) }
     let(:issue) { create(:issue, project: project, assignees: [assignee], author: author) }
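Review bot: The `'alert bot'` shared example repeats the same six-ability list in three `expect` lines inside one `it`, so the lists can drift apart and the first failing expectation hides the other two. Hoisting the list, e.g. `abilities = %i[read_issue read_issue_iid update_issue admin_issue set_issue_metadata set_confidentiality]` followed by `expect(permissions(alert_bot, issue)).to be_allowed(*abilities)`, and tagging the example `:aggregate_failures` would keep them aligned. The example only asserts what the alert bot is allowed to do; a `be_disallowed` expectation for abilities the bot should never hold would pin the upper bound of this grant, if the team has such a list. The hunk ends inside `context 'a private project'`, which continues outside it.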
@@ -106,6 +115,7 @@ def permissions(user, issue)
       expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
     end
 
+    it_behaves_like 'alert bot'
     it_behaves_like 'support bot with service desk disabled'
     it_behaves_like 'support bot with service desk enabled'
 
@@ -270,6 +280,7 @@ def permissions(user, issue)
       expect(permissions(support_bot, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
     end
 
+    it_behaves_like 'alert bot'
     it_behaves_like 'support bot with service desk enabled'
 
     context 'when issues are private' do
@@ -326,6 +337,7 @@ def permissions(user, issue)
         expect(permissions(non_member, new_issue)).to be_disallowed(:create_issue, :set_issue_metadata, :set_confidentiality)
       end
 
+      it_behaves_like 'alert bot'
       it_behaves_like 'support bot with service desk disabled'
       it_behaves_like 'support bot with service desk enabled'
     end
diff --git a/spec/services/issues/create_service_spec.rb b/spec/services/issues/create_service_spec.rb
index 5c1544d8ebcf361f..914b3d3b8673b43b 100644
--- a/spec/services/issues/create_service_spec.rb
+++ b/spec/services/issues/create_service_spec.rb
@@ -489,6 +489,23 @@
           end
         end
       end
+
+      context 'with alert bot author' do
+        let_it_be(:user) { User.alert_bot }
+        let_it_be(:label) { create(:label, project: project) }
+
+        let(:opts) do
+          {
+            title: 'Title',
+            description: %(/label #{label.to_reference(format: :name)}")
+          }
+        end
+
+        it 'can apply labels' do
+          expect(issue).to be_persisted
+          expect(issue.labels).to eq([label])
+        end
+      end
     end
 
     context 'resolving discussions' do
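Review bot: The description literal in `let(:opts)` ends with a stray double quote: `%(/label #{label.to_reference(format: :name)}")` puts a `"` after the label reference that has no opening counterpart inside the `%(...)` string. The test may still pass if the quick-action parser tolerates the trailing character, but it then exercises that tolerance rather than a well-formed command; `description: %(/label #{label.to_reference(format: :name)})` is presumably what was meant. The enclosing `describe`/`context` blocks start and end outside the hunk.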
-- 
GitLab


From 7e15bc54a62531fe18a2247fbf7aa1f9dcbc9b8c Mon Sep 17 00:00:00 2001
From: Sean Arnold <sarnold@gitlab.com>
Date: Fri, 17 Jun 2022 10:37:27 +1200
Subject: [PATCH 2/2] Remove comment for set issue metadata

---
 app/policies/issue_policy.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index b033c61ff8ac1789..0a0a35d41ccc83d0 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,7 +57,6 @@ class IssuePolicy < IssuablePolicy
     enable :update_subscription
   end
 
-  # admin can set metadata on issues
   rule { can?(:admin_issue) }.policy do
     enable :set_issue_metadata
   end
-- 
GitLab