Merge branch 'issue_213067' into 'master'

Add confidentiality checks to epics policy

See merge request gitlab-org/gitlab!29190

app/policies/group_policy.rb

@@ -91,6 +91,7 @@ class GroupPolicy < BasePolicy
   end
 
   rule { reporter }.policy do
+    enable :reporter_access
     enable :read_container_image
     enable :download_wiki_code
     enable :admin_label

ee/app/policies/epic_policy.rb

 # frozen_string_literal: true
 
 class EpicPolicy < BasePolicy
+  include CrudPolicyHelpers
+
   delegate { @subject.group }
 
+  desc 'Epic is confidential'
+  condition(:confidential, scope: :subject) do
+    @subject.confidential?
+  end
+
   rule { can?(:read_epic) }.policy do
     enable :read_epic_iid
     enable :read_note
@@ -15,4 +22,13 @@ class EpicPolicy < BasePolicy
   rule { can?(:create_note) }.enable :award_emoji
 
   rule { can?(:owner_access) | can?(:maintainer_access) }.enable :admin_note
+
+  desc 'User cannot read confidential epics'
+  rule { confidential & ~can?(:reporter_access) }.policy do
+    prevent(*create_read_update_admin_destroy(:epic))
+    prevent :read_epic_iid
+    prevent :create_note
+    prevent :award_emoji
+    prevent :read_note
+  end
 end

ee/spec/policies/epic_policy_spec.rb

@@ -28,17 +28,21 @@ describe EpicPolicy do
 
   shared_examples 'can only read epics' do
     it do
-      is_expected.to be_allowed(:read_epic, :read_epic_iid)
+      is_expected.to be_allowed(:read_epic, :read_epic_iid, :read_note)
       is_expected.to be_disallowed(:update_epic, :destroy_epic, :admin_epic, :create_epic)
     end
   end
 
   shared_examples 'can manage epics' do
-    it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic) }
+    it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :read_note, :update_epic, :admin_epic, :create_epic) }
   end
 
   shared_examples 'all epic permissions disabled' do
-    it { is_expected.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic, :create_note, :award_emoji) }
+    it { is_expected.to be_disallowed(:read_epic, :read_epic_iid, :update_epic, :destroy_epic, :admin_epic, :create_epic, :create_note, :award_emoji, :read_note) }
+  end
+
+  shared_examples 'all reporter epic permissions enabled' do
+    it { is_expected.to be_allowed(:read_epic, :read_epic_iid, :update_epic, :admin_epic, :create_epic, :create_note, :award_emoji, :read_note) }
   end
 
   shared_examples 'group member permissions' do
@@ -177,5 +181,50 @@ describe EpicPolicy do
 
       it_behaves_like 'all epic permissions disabled'
     end
+
+    context 'when epic is confidential' do
+      let_it_be(:group) { create(:group) }
+      let_it_be(:epic) { create(:epic, group: group, confidential: true) }
+
+      context 'when user is not reporter' do
+        before do
+          group.add_guest(user)
+        end
+
+        it_behaves_like 'all epic permissions disabled'
+      end
+
+      context 'when user is reporter' do
+        before do
+          group.add_reporter(user)
+        end
+
+        it_behaves_like 'all reporter epic permissions enabled'
+      end
+
+      context 'when user is developer' do
+        before do
+          group.add_developer(user)
+        end
+
+        it_behaves_like 'all reporter epic permissions enabled'
+      end
+
+      context 'when user is maintainer' do
+        before do
+          group.add_maintainer(user)
+        end
+
+        it_behaves_like 'all reporter epic permissions enabled'
+      end
+
+      context 'when user is owner' do
+        before do
+          group.add_owner(user)
+        end
+
+        it_behaves_like 'all reporter epic permissions enabled'
+      end
+    end
   end
 end