Authorize project-level VSA stages
In `Projects::Analytics::CycleAnalytics::StagesController`, only show stages that the current user is authorized to see. In the index action, filter out stages that the user is not authorized to see; in the member actions, simply return `403 Forbidden` if an unauthorized stage is requested.
This is the first step to move the authorization logic to the backend and get rid of one frontend request. Next step is FE - VSA Exclude stages a user does not have pe... (#335810 - closed).
Solves #367308 (closed).
How to verify
- Activate Value Stream Analytics for a project
- Visit the Value Stream Analytics page for that project (such as `/gitlab-org/gitlab-test/-/value_stream_analytics`). The page will perform requests to the `Projects::Analytics::CycleAnalytics::StagesController` actions that changed in this MR (`index`, `median`, `count`, and `records`)
- Any user that can see issues and merge requests on that project should see all stages, including for example `Code` and `Review`
- Users that cannot see merge requests (e.g. a guest user on a private project) should not see the `Code` and `Review` stages
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #367308 (closed)
Edited by Magdalena Frankiewicz
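
The behaviour described in this merge request, as an added Ruby sketch that is not GitLab's code: the collection action filters out unauthorized stages, while the member actions answer 403 before any stage data is read. The `Stage`, `User` and `StagesEndpoint` classes, the ability names and the stage-to-ability mapping are assumptions made for illustration.

```ruby
# Added illustration, not GitLab's implementation. All names are hypothetical.
Stage = Struct.new(:name, :required_ability)

# Constructed stage list: the ability each stage's data depends on (assumption).
STAGES = [
  Stage.new('issue',  :read_issue),
  Stage.new('plan',   :read_issue),
  Stage.new('code',   :read_merge_request),
  Stage.new('review', :read_merge_request)
].freeze

User = Struct.new(:name, :abilities) do
  def can?(ability)
    abilities.include?(ability)
  end
end

class StagesEndpoint
  MEMBER_ACTIONS = %i[median count records].freeze

  def initialize(user, stages = STAGES)
    @user = user
    @stages = stages
  end

  # Collection action: drop stages the user may not see, return the rest.
  def index
    [200, @stages.select { |s| authorized?(s) }.map(&:name)]
  end

  # Member actions: authorize first, so no stage data is computed for a 403.
  def member(action, stage_name)
    raise ArgumentError, "unknown action #{action}" unless MEMBER_ACTIONS.include?(action)
    stage = @stages.find { |s| s.name == stage_name }
    raise ArgumentError, "unknown stage #{stage_name}" unless stage
    return [403, nil] unless authorized?(stage)
    [200, { stage: stage.name, action: action }]
  end

  private

  def authorized?(stage)
    @user.can?(stage.required_ability)
  end
end

# Constructed users mirroring the two verification cases above.
GUEST = User.new('guest', %i[read_issue])
DEVELOPER = User.new('developer', %i[read_issue read_merge_request])
```

Running the same authorization predicate in both the collection and member paths keeps the backend consistent even if a client requests a stage that was never listed to it.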