Authorize project-level VSA stages

In Projects::Analytics::CycleAnalytics::StagesController, only show stages that the current user is authorized to see. In the index action, filter out stages that the user is not authorized to see; in the member actions, simply return 403 Forbidden if an unauthorized stage is requested.

This is the first step toward moving the authorization logic to the backend and getting rid of one frontend request. The next step is FE - VSA Exclude stages a user does not have pe... (#335810 - closed).

Solves #367308 (closed).

How to verify

  1. Activate Value Stream Analytics for a project
  2. Visit the Value Stream Analytics page for that project (such as /gitlab-org/gitlab-test/-/value_stream_analytics). The page will perform requests to the Projects::Analytics::CycleAnalytics::StagesController actions that changed in this MR (index, median, count, and records)
  3. Any user that can see issues and merge requests on that project should see all stages, including for example Code and Review
  4. Users that cannot see merge requests (e.g. a guest user on a private project) should not see the Code and Review stages

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #367308 (closed)

Edited by Magdalena Frankiewicz
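
The behaviour described above, as an added example in plain Ruby (not GitLab's code and not part of this merge request): one authorization predicate drives both the filtered index and the 403 on member actions, so a stage hidden from the list cannot be fetched by id. The class StagesEndpoint, the ability names, the role map and the 404 for unknown ids are assumptions made for illustration.

```ruby
# Added illustration; names here are hypothetical, not GitLab's implementation.
Stage = Struct.new(:id, :name, :required_ability)

# Constructed sample data: the ability each stage's underlying records need.
STAGES = [
  Stage.new(1, "Issue",  :read_issue),
  Stage.new(2, "Plan",   :read_issue),
  Stage.new(3, "Code",   :read_merge_request),
  Stage.new(4, "Review", :read_merge_request),
].freeze

# Constructed role-to-ability map for a private project.
ABILITIES = {
  guest:     %i[read_issue],
  developer: %i[read_issue read_merge_request],
}.freeze

class StagesEndpoint
  MEMBER_ACTIONS = %i[median count records].freeze

  def initialize(role)
    # Unknown roles get no abilities (deny by default).
    @abilities = ABILITIES.fetch(role, [])
  end

  # Collection action: drop stages the caller may not see.
  def index
    [200, STAGES.select { |s| authorized?(s) }.map(&:name)]
  end

  # Member actions: same predicate, but an explicit 403 and no data.
  def member(action, stage_id)
    raise ArgumentError, "unknown action" unless MEMBER_ACTIONS.include?(action)
    stage = STAGES.find { |s| s.id == stage_id }
    return [404, nil] unless stage # assumption: unknown ids are "not found"
    return [403, nil] unless authorized?(stage)
    [200, { stage: stage.name, action: action }]
  end

  private

  def authorized?(stage)
    @abilities.include?(stage.required_ability)
  end
end
```

Filtering only the index would leave median, count and records reachable for a hidden stage; routing every action through the same check closes that gap.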
