Merge branch 'permission-improvements' into 'master'

Update permissions for issue tracker management

Don't allow guest or reporter to set assignee, milestone and label when create or update new issue and merge request.
After this change `Guest` and `Reporter` rule is used to report issues but only `Developer` and higher roles can manage issues (schedule milestone, assign to user or close any issue)

Also I removed some duplication code between issues and merge requests and put all issuable partials in one directory

See merge request !890

CHANGELOG

@@ -21,6 +21,7 @@ v 7.13.0 (unreleased)
   - Show a user's Two-factor Authentication status in the administration area.
   - Explicit error when commit not found in the CI
   - Improve performance for issue and merge request pages 
+  - Users with guest access level can not set assignee, labels or milestones for issue and merge request
 v 7.12.0 (unreleased)
   - Fix Error 500 when one user attempts to access a personal, internal snippet (Stan Hu)

app/assets/javascripts/dispatcher.js.coffee

@@ -31,20 +31,14 @@ class Dispatcher
       when 'projects:compare:show'
         new Diff()
       when 'projects:issues:new','projects:issues:edit'
-        GitLab.GfmAutoComplete.setup()
         shortcut_handler = new ShortcutsNavigation()
-        new ZenMode()
         new DropzoneInput($('.issue-form'))
-        if page == 'projects:issues:new'
-          new IssuableForm($('.issue-form'))
+        new IssuableForm($('.issue-form'))
       when 'projects:merge_requests:new', 'projects:merge_requests:edit'
-        GitLab.GfmAutoComplete.setup()
         new Diff()
         shortcut_handler = new ShortcutsNavigation()
-        new ZenMode()
         new DropzoneInput($('.merge-request-form'))
-        if page == 'projects:merge_requests:new'
-          new IssuableForm($('.merge-request-form'))
+        new IssuableForm($('.merge-request-form'))
       when 'projects:merge_requests:show'
         new Diff()
         shortcut_handler = new ShortcutsIssuable()
@@ -113,13 +107,6 @@ class Dispatcher
             new NamespaceSelect()
       when 'dashboard'
         shortcut_handler = new ShortcutsDashboardNavigation()
-        switch path[1]
-          when 'issues', 'merge_requests'
-            new UsersSelect()
-      when 'groups'
-        switch path[1]
-          when 'issues', 'merge_requests'
-            new UsersSelect()
       when 'profiles'
         new Profile()
       when 'projects'
@@ -135,8 +122,6 @@ class Dispatcher
             new ProjectNew()
           when 'show'
             new ProjectShow()
-          when 'issues', 'merge_requests'
-            new UsersSelect()
           when 'wikis'
             new Wikis()
             shortcut_handler = new ShortcutsNavigation()

app/assets/javascripts/issuable_context.js.coffee

+#= require jquery.waitforimages
+
+class @IssuableContext
+  constructor: ->
+    new UsersSelect()
+    $('select.select2').select2({width: 'resolve', dropdownAutoWidth: true})
+
+    $(".context .inline-update").on "change", "select", ->
+      $(this).submit()
+    $(".context .inline-update").on "change", ".js-assignee", ->
+      $(this).submit()
+
+    $('.issuable-details').waitForImages ->
+      $('.issuable-affix').affix offset:
+        top: ->
+          @top = ($('.issuable-affix').offset().top - 70)
+        bottom: ->
+          @bottom = $('.footer').outerHeight(true)
+      $('.issuable-affix').on 'affix.bs.affix', ->
+        $(@).width($(@).outerWidth())
+      .on 'affixed-top.bs.affix affixed-bottom.bs.affix', ->
+        $(@).width('')

app/assets/javascripts/issuable_form.js.coffee

 class @IssuableForm
   constructor: (@form) ->
+    GitLab.GfmAutoComplete.setup()
+    new UsersSelect()
+    new ZenMode()
+
     @titleField       = @form.find("input[name*='[title]']")
     @descriptionField = @form.find("textarea[name*='[description]']")

app/assets/javascripts/issue.js.coffee

@@ -3,29 +3,12 @@
 class @Issue
   constructor: ->
-    $('.edit-issue.inline-update input[type="submit"]').hide()
-    $(".context .inline-update").on "change", "select", ->
-      $(this).submit()
-    $(".context .inline-update").on "change", "#issue_assignee_id", ->
-      $(this).submit()
-
     # Prevent duplicate event bindings
     @disableTaskList()
     if $("a.btn-close").length
       @initTaskList()
-    $('.issue-details').waitForImages ->
-      $('.issuable-affix').affix offset:
-        top: ->
-          @top = ($('.issuable-affix').offset().top - 70)
-        bottom: ->
-          @bottom = $('.footer').outerHeight(true)
-      $('.issuable-affix').on 'affix.bs.affix', ->
-        $(@).width($(@).outerWidth())
-      .on 'affixed-top.bs.affix affixed-bottom.bs.affix', ->
-        $(@).width('')
-
   initTaskList: ->
     $('.issue-details .js-task-list-container').taskList('enable')
     $(document).on 'tasklist:changed', '.issue-details .js-task-list-container', @updateTaskList
@@ -42,5 +25,5 @@ class @Issue
     $.ajax
       type: 'PATCH'
-      url: $('form.js-issue-update').attr('action')
+      url: $('form.js-issuable-update').attr('action')
       data: patchData

app/assets/javascripts/merge_request.js.coffee

@@ -10,7 +10,6 @@ class @MergeRequest
   #   action - String, current controller action
   #
   constructor: (@opts) ->
-    @initContextWidget()
     this.$el = $('.merge-request')
     this.$('.show-all-commits').on 'click', =>
@@ -26,28 +25,10 @@ class @MergeRequest
     if $("a.btn-close").length
       @initTaskList()
-    $('.merge-request-details').waitForImages ->
-      $('.issuable-affix').affix offset:
-        top: ->
-          @top = ($('.issuable-affix').offset().top - 70)
-        bottom: ->
-          @bottom = $('.footer').outerHeight(true)
-      $('.issuable-affix').on 'affix.bs.affix', ->
-        $(@).width($(@).outerWidth())
-      .on 'affixed-top.bs.affix affixed-bottom.bs.affix', ->
-        $(@).width('')
-
   # Local jQuery finder
   $: (selector) ->
     this.$el.find(selector)
-  initContextWidget: ->
-    $('.edit-merge_request.inline-update input[type="submit"]').hide()
-    $(".context .inline-update").on "change", "select", ->
-      $(this).submit()
-    $(".context .inline-update").on "change", "#merge_request_assignee_id", ->
-      $(this).submit()
-
   showAllCommits: ->
     this.$('.first-commits').remove()
     this.$('.all-commits').removeClass 'hide'
@@ -68,5 +49,5 @@ class @MergeRequest
     $.ajax
       type: 'PATCH'
-      url: $('form.js-merge-request-update').attr('action')
+      url: $('form.js-issuable-update').attr('action')
       data: patchData

app/assets/stylesheets/pages/issues.scss

@@ -145,9 +145,3 @@ h2.issue-title {
 .issue-form .select2-container {
   width: 250px !important;
 }
-
-.issues-holder {
-  .issue-info {
-    margin-left: 20px;
-  }
-}

app/helpers/gitlab_routing_helper.rb

@@ -52,4 +52,12 @@ module GitlabRoutingHelper
   def project_snippet_url(entity, *args)
     namespace_project_snippet_url(entity.project.namespace, entity.project, entity, *args)
   end
+
+  def toggle_subscription_path(entity, *args)
+    if entity.is_a?(Issue)
+      toggle_subscription_namespace_project_issue_path(entity.project.namespace, entity.project, entity)
+    else
+      toggle_subscription_namespace_project_merge_request_path(entity.project.namespace, entity.project, entity)
+    end
+  end
 end

app/models/ability.rb

@@ -185,7 +185,6 @@ class Ability
         :modify_issue,
         :modify_project_snippet,
         :modify_merge_request,
-        :admin_issue,
         :admin_milestone,
         :admin_project_snippet,
         :admin_project_member,

app/services/issuable_base_service.rb

@@ -26,4 +26,12 @@ class IssuableBaseService < BaseService
       issuable, issuable.project, current_user, branch_type,
       old_branch, new_branch)
   end
+
+  def filter_params
+    unless can?(current_user, :admin_issue, project)
+      params.delete(:milestone_id)
+      params.delete(:label_ids)
+      params.delete(:assignee_id)
+    end
+  end
 end

app/services/issues/create_service.rb

 module Issues
   class CreateService < Issues::BaseService
     def execute
+      filter_params
       label_params = params[:label_ids]
       issue = project.issues.new(params.except(:label_ids))
       issue.author = current_user

app/services/issues/update_service.rb

@@ -17,6 +17,7 @@ module Issues
       params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
       params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+      filter_params
       old_labels = issue.labels.to_a
       if params.present? && issue.update_attributes(params.except(:state_event,

app/services/merge_requests/create_service.rb

 module MergeRequests
   class CreateService < MergeRequests::BaseService
     def execute
+      filter_params
       label_params = params[:label_ids]
       merge_request = MergeRequest.new(params.except(:label_ids))
       merge_request.source_project = project

app/services/merge_requests/update_service.rb

@@ -27,6 +27,7 @@ module MergeRequests
       params[:assignee_id]  = "" if params[:assignee_id] == IssuableFinder::NONE
       params[:milestone_id] = "" if params[:milestone_id] == IssuableFinder::NONE
+      filter_params
       old_labels = merge_request.labels.to_a
       if params.present? && merge_request.update_attributes(

app/views/dashboard/issues.html.haml

@@ -17,5 +17,5 @@
         = link_to issues_dashboard_url(format: :atom, private_token: current_user.private_token), class: 'btn' do
           %i.fa.fa-rss
-  = render 'shared/issuable_filter', type: :issues
+  = render 'shared/issuable/filter', type: :issues
 = render 'shared/issues'

app/views/dashboard/merge_requests.html.haml

@@ -7,5 +7,5 @@
   List all merge requests from all projects you have access to.
 %hr
 .append-bottom-20
-  = render 'shared/issuable_filter', type: :merge_requests
+  = render 'shared/issuable/filter', type: :merge_requests
 = render 'shared/merge_requests'

app/views/groups/issues.html.haml

@@ -21,5 +21,5 @@
         = link_to issues_group_url(@group, format: :atom, private_token: current_user.private_token), class: 'btn' do
           %i.fa.fa-rss
-  = render 'shared/issuable_filter', type: :issues
+  = render 'shared/issuable/filter', type: :issues
 = render 'shared/issues'

app/views/groups/merge_requests.html.haml

@@ -10,5 +10,5 @@
     To see all merge requests you should visit #{link_to 'dashboard', merge_requests_dashboard_path} page.
 %hr
 .append-bottom-20
-  = render 'shared/issuable_filter', type: :merge_requests
+  = render 'shared/issuable/filter', type: :merge_requests
 = render 'shared/merge_requests'

app/views/projects/issues/_discussion.html.haml

@@ -23,7 +23,7 @@
           = cross_project_reference(@project, @issue)
       %hr
       .context
-        = render partial: 'issue_context', locals: { issue: @issue }
+        = render 'shared/issuable/context', issuable: @issue
       - if @issue.labels.any?
         .issuable-context-title

app/views/projects/issues/_form.html.haml

@@ -3,7 +3,7 @@
   %hr
   = form_for [@project.namespace.becomes(Namespace), @project, @issue], html: { class: 'form-horizontal issue-form gfm-form' } do |f|
-    = render 'projects/issuable_form', f: f, issuable: @issue
+    = render 'shared/issuable/form', f: f, issuable: @issue
 :javascript
   $('.assign-to-me-link').on('click', function(e){