Fix permission check for confidential quick action

Checks `set_confidentiality` instead of `admin_issue` so that non-members can use the confidential quick action on issue creation. Changelog: fixed

Fix permission check for confidential quick action
Checks `set_confidentiality` instead of `admin_issue` so that non-members can use the confidential quick action on issue creation. Changelog: fixed
561f4402 · Heinrich Lee Yu · a9bae7b7 · 561f4402 · 561f4402
Commit 561f4402 authored Nov 02, 2021 by Heinrich Lee Yu
Showing with 19 additions and 8 deletions

lib/gitlab/quick_actions/issue_actions.rb lib/gitlab/quick_actions/issue_actions.rb +1 -1

spec/services/quick_actions/interpret_service_spec.rb spec/services/quick_actions/interpret_service_spec.rb +18 -7

No files found.
--- a/lib/gitlab/quick_actions/issue_actions.rb
+++ b/lib/gitlab/quick_actions/issue_actions.rb
@@ -172,7 +172,7 @@ module Gitlab
        condition do
          quick_action_target.issue_type_supports?(:confidentiality) &&
            !quick_action_target.confidential? &&
-            current_user.can?(:"admin_#{quick_action_target.to_ability_name}", quick_action_target)
+            current_user.can?(:set_confidentiality, quick_action_target)
        end
        command :confidential do
          @updates[:confidential] = true

--- a/spec/services/quick_actions/interpret_service_spec.rb
+++ b/spec/services/quick_actions/interpret_service_spec.rb
@@ -1326,14 +1326,25 @@ RSpec.describe QuickActions::InterpretService do
      let(:issuable) { issue }
    end

-    it_behaves_like 'confidential command' do
-      let(:content) { '/confidential' }
-      let(:issuable) { issue }
-    end
+    context '/confidential' do
+      it_behaves_like 'confidential command' do
+        let(:content) { '/confidential' }
+        let(:issuable) { issue }
+      end
+
+      it_behaves_like 'confidential command' do
+        let(:content) { '/confidential' }
+        let(:issuable) { create(:incident, project: project) }
+      end
+
+      context 'when non-member is creating a new issue' do
+        let(:service) { described_class.new(project, create(:user)) }

-    it_behaves_like 'confidential command' do
-      let(:content) { '/confidential' }
-      let(:issuable) { create(:incident, project: project) }
+        it_behaves_like 'confidential command' do
+          let(:content) { '/confidential' }
+          let(:issuable) { build(:issue, project: project) }
+        end
+      end
    end

    it_behaves_like 'lock command' do