Merge branch 'issue_32364' into 'master'

Fix permissions for group milestones

See merge request gitlab-org/gitlab!17783

app/policies/group_policy.rb

@@ -44,25 +44,25 @@ class GroupPolicy < BasePolicy
 
   rule { public_group }.policy do
     enable :read_group
-    enable :read_list
-    enable :read_label
   end
 
   rule { logged_in_viewable }.enable :read_group
 
   rule { guest }.policy do
     enable :read_group
-    enable :read_list
     enable :upload_file
-    enable :read_label
   end
 
   rule { admin }.enable :read_group
 
   rule { has_projects }.policy do
+    enable :read_group
+  end
+
+  rule { can?(:read_group) }.policy do
+    enable :read_milestone
     enable :read_list
     enable :read_label
-    enable :read_group
   end
 
   rule { has_access }.enable :read_namespace

app/policies/milestone_policy.rb

 # frozen_string_literal: true
 
 class MilestonePolicy < BasePolicy
-  delegate { @subject.project }
+  delegate { @subject.parent }
 end

changelogs/unreleased/issue_32364.yml

+---
+title: Fix permissions for group milestones
+merge_request:
+author:
+type: fixed

spec/policies/group_policy_spec.rb

@@ -9,6 +9,7 @@ describe GroupPolicy do
 
     it do
       expect_allowed(:read_group)
+      expect_allowed(*read_group_permissions)
       expect_disallowed(:upload_file)
       expect_disallowed(*reporter_permissions)
       expect_disallowed(*developer_permissions)
@@ -27,6 +28,7 @@ describe GroupPolicy do
     end
 
     it { expect_disallowed(:read_group) }
+    it { expect_disallowed(*read_group_permissions) }
   end
 
   context 'with foreign user and public project' do
@@ -39,6 +41,7 @@ describe GroupPolicy do
     end
 
     it { expect_disallowed(:read_group) }
+    it { expect_disallowed(*read_group_permissions) }
   end
 
   context 'has projects' do
@@ -49,13 +52,13 @@ describe GroupPolicy do
       project.add_developer(current_user)
     end
 
-    it { expect_allowed(:read_label, :read_list) }
+    it { expect_allowed(*read_group_permissions) }
 
     context 'in subgroups' do
       let(:subgroup) { create(:group, :private, parent: group) }
       let(:project) { create(:project, namespace: subgroup) }
 
-      it { expect_allowed(:read_label, :read_list) }
+      it { expect_allowed(*read_group_permissions) }
     end
   end
 
@@ -63,6 +66,7 @@ describe GroupPolicy do
     let(:current_user) { guest }
 
     it do
+      expect_allowed(*read_group_permissions)
       expect_allowed(*guest_permissions)
       expect_disallowed(*reporter_permissions)
       expect_disallowed(*developer_permissions)
@@ -75,6 +79,7 @@ describe GroupPolicy do
     let(:current_user) { reporter }
 
     it do
+      expect_allowed(*read_group_permissions)
       expect_allowed(*guest_permissions)
       expect_allowed(*reporter_permissions)
       expect_disallowed(*developer_permissions)
@@ -87,6 +92,7 @@ describe GroupPolicy do
     let(:current_user) { developer }
 
     it do
+      expect_allowed(*read_group_permissions)
       expect_allowed(*guest_permissions)
       expect_allowed(*reporter_permissions)
       expect_allowed(*developer_permissions)
@@ -110,6 +116,7 @@ describe GroupPolicy do
         updated_owner_permissions =
           owner_permissions - create_subgroup_permission
 
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)
@@ -120,6 +127,7 @@ describe GroupPolicy do
 
     context 'with subgroup_creation_level set to owner' do
       it 'allows every maintainer permission' do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)
@@ -133,6 +141,7 @@ describe GroupPolicy do
     let(:current_user) { owner }
 
     it do
+      expect_allowed(*read_group_permissions)
       expect_allowed(*guest_permissions)
       expect_allowed(*reporter_permissions)
       expect_allowed(*developer_permissions)
@@ -145,6 +154,7 @@ describe GroupPolicy do
     let(:current_user) { admin }
 
     it do
+      expect_allowed(*read_group_permissions)
       expect_allowed(*guest_permissions)
       expect_allowed(*reporter_permissions)
       expect_allowed(*developer_permissions)
@@ -176,6 +186,7 @@ describe GroupPolicy do
       let(:current_user) { nil }
 
       it do
+        expect_disallowed(*read_group_permissions)
         expect_disallowed(*guest_permissions)
         expect_disallowed(*reporter_permissions)
         expect_disallowed(*developer_permissions)
@@ -188,6 +199,7 @@ describe GroupPolicy do
       let(:current_user) { guest }
 
       it do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_disallowed(*reporter_permissions)
         expect_disallowed(*developer_permissions)
@@ -200,6 +212,7 @@ describe GroupPolicy do
       let(:current_user) { reporter }
 
       it do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_disallowed(*developer_permissions)
@@ -212,6 +225,7 @@ describe GroupPolicy do
       let(:current_user) { developer }
 
       it do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)
@@ -224,6 +238,7 @@ describe GroupPolicy do
       let(:current_user) { maintainer }
 
       it do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)
@@ -236,6 +251,7 @@ describe GroupPolicy do
       let(:current_user) { owner }
 
       it do
+        expect_allowed(*read_group_permissions)
         expect_allowed(*guest_permissions)
         expect_allowed(*reporter_permissions)
         expect_allowed(*developer_permissions)

spec/support/shared_contexts/policies/group_policy_shared_context.rb

@@ -16,6 +16,7 @@ RSpec.shared_context 'GroupPolicy context' do
       read_group_merge_requests
    ]
   end
+  let(:read_group_permissions) { %i[read_label read_list read_milestone] }
   let(:reporter_permissions) { %i[admin_label read_container_image] }
   let(:developer_permissions) { [:admin_milestone] }
   let(:maintainer_permissions) do