Allow to apply group labels with service desk templates

Allow to apply group labels using quick actions
on service desk templates

app/models/group.rb

@@ -584,6 +584,10 @@ class Group < Namespace
     ancestor_settings.allow_mfa_for_subgroups
   end
 
+  def has_project_with_service_desk_enabled?
+    Gitlab::ServiceDesk.supported? && all_projects.service_desk_enabled.exists?
+  end
+
   private
 
   def update_two_factor_requirement

app/policies/group_policy.rb

@@ -59,6 +59,9 @@ class GroupPolicy < BasePolicy
   with_scope :subject
   condition(:resource_access_token_available) { resource_access_token_available? }
 
+  with_scope :subject
+  condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
+
   rule { design_management_enabled }.policy do
     enable :read_design_activity
   end
@@ -194,6 +197,10 @@ class GroupPolicy < BasePolicy
     enable :admin_resource_access_tokens
   end
 
+  rule { support_bot & has_project_with_service_desk_enabled }.policy do
+    enable :read_label
+  end
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?
     return GroupMember::NO_ACCESS unless user_is_user?

changelogs/unreleased/issue_243790.yml

+---
+title: Allow to apply group labels with service desk templates
+merge_request: 46492
+author:
+type: fixed

spec/lib/gitlab/email/handler/service_desk_handler_spec.rb

@@ -11,13 +11,13 @@ RSpec.describe Gitlab::Email::Handler::ServiceDeskHandler do
   end
 
   let(:email_raw) { email_fixture('emails/service_desk.eml') }
-  let_it_be(:namespace) { create(:namespace, name: "email") }
+  let_it_be(:group) { create(:group, :private, name: "email") }
   let(:expected_description) do
     "Service desk stuff!\n\n```\na = b\n```\n\n`/label ~label1`\n`/assign @user1`\n`/close`\n![image](uploads/image.png)"
   end
 
   context 'service desk is enabled for the project' do
-    let_it_be(:project) { create(:project, :repository, :public, namespace: namespace, path: 'test', service_desk_enabled: true) }
+    let_it_be(:project) { create(:project, :repository, :private, group: group, path: 'test', service_desk_enabled: true) }
 
     before do
       allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
@@ -101,6 +101,18 @@ RSpec.describe Gitlab::Email::Handler::ServiceDeskHandler do
               expect(issue.milestone).to eq(milestone)
             end
 
+            it 'applies group labels using quick actions' do
+              group_label = create(:group_label, group: project.group, title: 'label2')
+              file_content = %(Text from template \n/label ~#{group_label.title}"")
+              set_template_file('with_group_labels', file_content)
+
+              receiver.execute
+
+              issue = Issue.last
+              expect(issue.description).to include('Text from template')
+              expect(issue.label_ids).to include(group_label.id)
+            end
+
             it 'redacts quick actions present on user email body' do
               set_template_file('service_desk1', 'text from template')
 
@@ -289,7 +301,8 @@ RSpec.describe Gitlab::Email::Handler::ServiceDeskHandler do
   end
 
   context 'service desk is disabled for the project' do
-    let(:project) { create(:project, :public, namespace: namespace, path: 'test', service_desk_enabled: false) }
+    let(:group) { create(:group)}
+    let(:project) { create(:project, :public, group: group, path: 'test', service_desk_enabled: false) }
 
     it 'bounces the email' do
       expect { receiver.execute }.to raise_error(Gitlab::Email::ProcessingError)

spec/models/group_spec.rb

@@ -1663,4 +1663,47 @@ RSpec.describe Group do
       end
     end
   end
+
+  describe 'has_project_with_service_desk_enabled?' do
+    let_it_be(:group) { create(:group, :private) }
+
+    subject { group.has_project_with_service_desk_enabled? }
+
+    before do
+      allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
+    end
+
+    context 'when service desk is enabled' do
+      context 'for top level group' do
+        let_it_be(:project) { create(:project, group: group, service_desk_enabled: true) }
+
+        it { is_expected.to eq(true) }
+
+        context 'when service desk is not supported' do
+          before do
+            allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(false)
+          end
+
+          it { is_expected.to eq(false) }
+        end
+      end
+
+      context 'for subgroup project' do
+        let_it_be(:subgroup) { create(:group, :private, parent: group)}
+        let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
+
+        it { is_expected.to eq(true) }
+      end
+    end
+
+    context 'when none of group child projects has service desk enabled' do
+      let_it_be(:project) { create(:project, group: group, service_desk_enabled: false) }
+
+      before do
+        project.update(service_desk_enabled: false)
+      end
+
+      it { is_expected.to eq(false) }
+    end
+  end
 end

spec/policies/group_policy_spec.rb

@@ -882,4 +882,23 @@ RSpec.describe GroupPolicy do
   end
 
   it_behaves_like 'Self-managed Core resource access tokens'
+
+  context 'support bot' do
+    let_it_be(:group) { create(:group, :private) }
+    let_it_be(:current_user) { User.support_bot }
+
+    before do
+      allow(Gitlab::ServiceDesk).to receive(:supported?).and_return(true)
+    end
+
+    it { expect_disallowed(:read_label) }
+
+    context 'when group hierarchy has a project with service desk enabled' do
+      let_it_be(:subgroup) { create(:group, :private, parent: group)}
+      let_it_be(:project) { create(:project, group: subgroup, service_desk_enabled: true) }
+
+      it { expect_allowed(:read_label) }
+      it { expect(described_class.new(current_user, subgroup)).to be_allowed(:read_label) }
+    end
+  end
 end