Merge branch...

Merge branch 'security-373-public-group-owners-maintainers-can-not-delete-comments-posted-on-epics' into 'master' Public Group owners/Maintainers can not delete comments posted on epics See merge request gitlab/gitlab-ee!1067

Merge branch...
Merge branch 'security-373-public-group-owners-maintainers-can-not-delete-comments-posted-on-epics' into 'master' Public Group owners/Maintainers can not delete comments posted on epics See merge request gitlab/gitlab-ee!1067
61fedf45 · GitLab Release Tools Bot · 0ece641d · e8b984e6 · 61fedf45 · 61fedf45
Commit 61fedf45 authored Jul 26, 2019 by GitLab Release Tools Bot
4 changed files
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -76,6 +76,7 @@ class GroupPolicy < BasePolicy
  end

  rule { maintainer }.policy do
+    enable :maintainer_access
    enable :create_projects
    enable :admin_pipeline
    enable :admin_build
@@ -87,6 +88,7 @@ class GroupPolicy < BasePolicy
  end

  rule { owner }.policy do
+    enable :owner_access
    enable :admin_group
    enable :admin_namespace
    enable :admin_group_member

--- a/ee/app/policies/epic_policy.rb
+++ b/ee/app/policies/epic_policy.rb
@@ -13,4 +13,6 @@ class EpicPolicy < BasePolicy
  end

  rule { can?(:create_note) }.enable :award_emoji
+
+  rule { can?(:owner_access) | can?(:maintainer_access) }.enable :admin_note
 end
--- a/ee/changelogs/unreleased/security-373-public-group-owners-maintainers-can-not-delete-comments-posted-on-epics.yml
+++ b/ee/changelogs/unreleased/security-373-public-group-owners-maintainers-can-not-delete-comments-posted-on-epics.yml
+---
+title: Grant admin note permissions in epics for maintainers and owners
+merge_request:
+author:
+type: security
--- a/ee/spec/policies/epic_policy_spec.rb
+++ b/ee/spec/policies/epic_policy_spec.rb
@@ -16,6 +16,14 @@ describe EpicPolicy do
    it { is_expected.to be_disallowed(:create_note, :award_emoji) }
  end

+  shared_examples 'can edit epic comments' do
+    it { is_expected.to be_allowed(:admin_note) }
+  end
+
+  shared_examples 'cannot edit epic comments' do
+    it { is_expected.to be_disallowed(:admin_note) }
+  end
+
  shared_examples 'can only read epics' do
    it do
      is_expected.to be_allowed(:read_epic, :read_epic_iid)
@@ -39,6 +47,7 @@ describe EpicPolicy do

      it_behaves_like 'can only read epics'
      it_behaves_like 'can comment on epics'
+      it_behaves_like 'cannot edit epic comments'
    end

    context 'reporter group member' do
@@ -48,6 +57,21 @@ describe EpicPolicy do

      it_behaves_like 'can manage epics'
      it_behaves_like 'can comment on epics'
+      it_behaves_like 'cannot edit epic comments'
+
+      it 'cannot destroy epics' do
+        is_expected.to be_disallowed(:destroy_epic)
+      end
+    end
+
+    context 'group maintainer' do
+      before do
+        group.add_maintainer(user)
+      end
+
+      it_behaves_like 'can manage epics'
+      it_behaves_like 'can comment on epics'
+      it_behaves_like 'can edit epic comments'

      it 'cannot destroy epics' do
        is_expected.to be_disallowed(:destroy_epic)
@@ -61,6 +85,7 @@ describe EpicPolicy do

      it_behaves_like 'can manage epics'
      it_behaves_like 'can comment on epics'
+      it_behaves_like 'can edit epic comments'

      it 'can destroy epics' do
        is_expected.to be_allowed(:destroy_epic)