Prevent guests from assigning issues from note actions
requested to merge zillemarco/gitlab:zillemarco-hide-assign-when-issue-admin-not-allowed into master
What does this MR do and why?
I noticed that guest users could see the Assign to/Unassign from commenting user
action on the issues notes even if that users can't actually admin the issue (because his guest access).
This MR fixes this problem
Screenshots or screen recordings
Before | After |
---|---|
How to set up and validate locally
- On your local GDK find a user with guest access to a project
- Impersonate that user
- Go to the project where the impersonated user is a guest
- Create a issue (or open an existing one which was created by the same guest)
- Add a comment to that issue
- The action button
Assign to/Unassign from commenting user
should not be visibile anymore - Going back to the same issue impersonating a user with at least report role, that action button should instead be visible
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Alexandru Croitor