Fix sprint menu permissions #22507
Pull request overview
Aligns the Backlogs sprint action menu with sprint “mutability” in the context of sprint sharing vs. sprints that are merely visible via work package references, so the UI doesn’t advertise sprint mutations that shouldn’t be offered.
Changes:
- Gate “Start sprint” / “Finish sprint” actions behind a new `mutable_sprint_in_project?` check.
- Gate “Edit sprint” behind `show_edit_sprint_action?` and update the template to use it.
- Add a component spec covering the “visible only via work package references” scenario (mutation actions hidden).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| modules/backlogs/spec/components/backlogs/sprint_menu_component_spec.rb | Adds coverage asserting mutation actions are hidden when a sprint is only visible via WP references. |
| modules/backlogs/app/components/backlogs/sprint_menu_component.rb | Introduces mutable_sprint_in_project? and uses it to conditionally show mutation actions. |
| modules/backlogs/app/components/backlogs/sprint_menu_component.html.erb | Switches edit action visibility check to show_edit_sprint_action?. |
| end | ||
|
|
||
| def show_edit_sprint_action? | ||
| mutable_sprint_in_project? && user_allowed?(:create_sprints) |
show_edit_sprint_action? checks :create_sprints in the rendered project, but sprint mutations are authorized against the sprint's owning project (Sprints::BaseContract#user_authorized uses model.project). For shared sprints this can surface an “Edit sprint” action that will fail with :error_unauthorized. Consider aligning the menu with the mutation contract by checking current_user.allowed_in_project?(:create_sprints, sprint.project) (and/or using the relevant contract helper).
| mutable_sprint_in_project? && user_allowed?(:create_sprints) | |
| mutable_sprint_in_project? && | |
| current_user.allowed_in_project?(:create_sprints, sprint.project) |
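Review bot: the replacement condition `current_user.allowed_in_project?(:create_sprints, sprint.project)` moves the permission check to the sprint's project, and nothing in this suggestion exercises that difference. Add a component spec case for a shared sprint where the user holds `:create_sprints` in the rendered project but not in `sprint.project`, asserting that “Edit sprint” is not rendered, so a later switch back to `user_allowed?(:create_sprints)` would fail the suite.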
Hides the Move submenu and its divider entirely when `show_move_items?` is false, rather than rendering them in a disabled state. Also memoizes `mutable_sprint_in_project?` in `SprintMenuComponent` to avoid repeated queries, and strengthens the referenced-sprint spec to test each status branch meaningfully.
c37e960 to 36a6634
Note
This fix has been extracted from #22478
Ticket
n/a
What are you trying to accomplish?
Align sprint menu permissions with controller mutability rules.
This hides sprint mutation actions when a sprint is only visible through work package references - thus ensuring the UI no longer advertises operations the controllers will reject.
Screenshots
n/a
What approach did you choose and why?
Merge checklist
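The mismatch raised in the review comment on `show_edit_sprint_action?`, as an added Ruby example that is not code from this pull request or from OpenProject. `Project`, `Sprint`, `User`, the grants hash and the `mutable` flag (standing in for `mutable_sprint_in_project?`) are constructed stand-ins; only the `allowed_in_project?(permission, project)` call shape and `:create_sprints` come from the page.

```ruby
# Constructed model: Project, Sprint and User are stand-ins, not OpenProject classes.
Project = Struct.new(:name)
Sprint  = Struct.new(:name, :project) # project is the owning project

class User
  def initialize(grants) # { project => [permissions] }
    @grants = grants
  end

  def allowed_in_project?(permission, project)
    @grants.fetch(project, []).include?(permission)
  end
end

# Menu predicate scoped to the project the backlog is rendered in.
def offered_by_rendered_check?(c)
  c[:mutable] && c[:user].allowed_in_project?(:create_sprints, c[:rendered])
end

# Menu predicate scoped to the sprint's owning project (the suggested form).
def offered_by_owner_check?(c)
  c[:mutable] && c[:user].allowed_in_project?(:create_sprints, c[:sprint].project)
end

# Stand-in for the server-side rule: authorize against the owning project.
def contract_authorized?(c)
  c[:user].allowed_in_project?(:create_sprints, c[:sprint].project)
end

# Labels of cases where the menu offers an edit that the contract rejects.
def advertised_but_rejected(cases, predicate)
  cases.select { |c| send(predicate, c) && !contract_authorized?(c) }
       .map { |c| c[:label] }
end

OWNER    = Project.new("owner")
RECEIVER = Project.new("receiver")
MEMBER   = User.new({ RECEIVER => [:create_sprints] }) # no rights in OWNER
SHARED   = Sprint.new("Sprint 1", OWNER)
LOCAL    = Sprint.new("Sprint 2", RECEIVER)

# Constructed cases; `mutable` is an assumed input, its real logic is not on the page.
CASES = [
  { label: "shared sprint",   user: MEMBER, sprint: SHARED, rendered: RECEIVER, mutable: true },
  { label: "local sprint",    user: MEMBER, sprint: LOCAL,  rendered: RECEIVER, mutable: true },
  { label: "referenced only", user: MEMBER, sprint: SHARED, rendered: RECEIVER, mutable: false }
].freeze

puts "rendered-project check: #{advertised_but_rejected(CASES, :offered_by_rendered_check?).inspect}"
puts "owning-project check:   #{advertised_but_rejected(CASES, :offered_by_owner_check?).inspect}"
```

Running the same comparison over a matrix of roles and sprint visibilities in a component spec is a cheap way to keep menu predicates and mutation contracts from drifting apart.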