Fix 403 errors when adding an assignee list in project boards

Due to a bug in `BoardPolicy`, users were getting back a 403 error when
trying to assign users to an assignee list and seeing "Something went
wrong while fetching assignees list". For some reason, the declarative
policy runtime was ignoring the ternary condition.

To work around the issue, we make the project board an explicit
condition check.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/9727

app/models/board.rb

@@ -21,6 +21,10 @@ class Board < ActiveRecord::Base
     group_id.present?
   end
 
+  def project_board?
+    project_id.present?
+  end
+
   def backlog_list
     lists.merge(List.backlog).take
   end

app/policies/board_policy.rb

@@ -4,10 +4,12 @@ class BoardPolicy < BasePolicy
   delegate { @subject.parent }
 
   condition(:is_group_board) { @subject.group_board? }
+  condition(:is_project_board) { @subject.project_board? }
 
-  rule { is_group_board ? can?(:read_group) : can?(:read_project) }.enable :read_parent
+  rule { is_project_board & can?(:read_project) }.enable :read_parent
 
   rule { is_group_board & can?(:read_group) }.policy do
+    enable :read_parent
     enable :read_milestone
     enable :read_issue
   end

changelogs/unreleased/sh-fix-board-user-assigns.yml

+---
+title: Fix 403 errors when adding an assignee list in project boards
+merge_request: 25263
+author:
+type: fixed

spec/policies/board_policy_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe BoardPolicy do
+  let(:user) { create(:user) }
+  let(:project) { create(:project, :private) }
+  let(:group) { create(:group, :private) }
+  let(:group_board) { create(:board, group: group) }
+  let(:project_board) { create(:board, project: project) }
+
+  let(:board_permissions) do
+    [
+      :read_parent,
+      :read_milestone,
+      :read_issue
+    ]
+  end
+
+  def expect_allowed(*permissions)
+    permissions.each { |p| is_expected.to be_allowed(p) }
+  end
+
+  def expect_disallowed(*permissions)
+    permissions.each { |p| is_expected.not_to be_allowed(p) }
+  end
+
+  context 'group board' do
+    subject { described_class.new(user, group_board) }
+
+    context 'user has access' do
+      before do
+        group.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+
+  context 'project board' do
+    subject { described_class.new(user, project_board) }
+
+    context 'user has access' do
+      before do
+        project.add_developer(user)
+      end
+
+      it do
+        expect_allowed(*board_permissions)
+      end
+    end
+
+    context 'user does not have access' do
+      it do
+        expect_disallowed(*board_permissions)
+      end
+    end
+  end
+end