Let project reporters create issue from group boards

The current state of group issue boards does not show the "Add issues"
button on the UI for users that are reporters of group child projects.

7 files changed, 49 insertions, 4 deletions

diff --git a/app/assets/javascripts/boards/components/board_new_issue.vue b/app/assets/javascripts/boards/components/board_new_issue.vue
index 4180023b7db..f9284266b72 100644
--- a/app/assets/javascripts/boards/components/board_new_issue.vue
+++ b/app/assets/javascripts/boards/components/board_new_issue.vue
@@ -114,7 +114,7 @@ export default {
           name="issue_title"
           autocomplete="off"
         />
-        <project-select v-if="groupId" :group-id="groupId" />
+        <project-select v-if="groupId" :group-id="groupId" :list="list" />
         <div class="clearfix prepend-top-10">
           <gl-button
             ref="submit-button"
diff --git a/app/assets/javascripts/boards/components/project_select.vue b/app/assets/javascripts/boards/components/project_select.vue
index e8d25e84be1..e5ebb887ce0 100644
--- a/app/assets/javascripts/boards/components/project_select.vue
+++ b/app/assets/javascripts/boards/components/project_select.vue
@@ -6,6 +6,7 @@ import Icon from '~/vue_shared/components/icon.vue';
 import { GlLoadingIcon } from '@gitlab/ui';
 import eventHub from '../eventhub';
 import Api from '../../api';
+import { featureAccessLevel } from '~/pages/projects/shared/permissions/constants';
 
 export default {
   name: 'BoardProjectSelect',
@@ -19,6 +20,10 @@ export default {
       required: true,
       default: 0,
     },
+    list: {
+      type: Object,
+      required: true,
+    },
   },
   data() {
     return {
@@ -49,6 +54,12 @@ export default {
       selectable: true,
       data: (term, callback) => {
         this.loading = true;
+        const additionalAttrs = {};
+
+        if (this.list.type && this.list.type !== 'backlog') {
+          additionalAttrs.min_access_level = featureAccessLevel.EVERYONE;
+        }
+
         return Api.groupProjects(
           this.groupId,
           term,
@@ -56,6 +67,7 @@ export default {
             with_issues_enabled: true,
             with_shared: false,
             include_subgroups: true,
+            ...additionalAttrs,
           },
           projects => {
             this.loading = false;
diff --git a/app/assets/javascripts/pages/projects/shared/permissions/constants.js b/app/assets/javascripts/pages/projects/shared/permissions/constants.js
index 73269c6f3ba..6771391254e 100644
--- a/app/assets/javascripts/pages/projects/shared/permissions/constants.js
+++ b/app/assets/javascripts/pages/projects/shared/permissions/constants.js
@@ -16,7 +16,7 @@ export const visibilityLevelDescriptions = {
   ),
 };
 
-const featureAccessLevel = {
+export const featureAccessLevel = {
   NOT_ENABLED: 0,
   PROJECT_MEMBERS: 10,
   EVERYONE: 20,
diff --git a/app/helpers/boards_helper.rb b/app/helpers/boards_helper.rb
index bbe05f40999..8ef3ed9e8a5 100644
--- a/app/helpers/boards_helper.rb
+++ b/app/helpers/boards_helper.rb
@@ -10,7 +10,7 @@ module BoardsHelper
       boards_endpoint: @boards_endpoint,
       lists_endpoint: board_lists_path(board),
       board_id: board.id,
-      disabled: "#{!can?(current_user, :admin_list, current_board_parent)}",
+      disabled: (!can?(current_user, :create_non_backlog_issues, board)).to_s,
       issue_link_base: build_issue_link_base,
       root_path: root_path,
       bulk_update_path: @bulk_issues_path,
diff --git a/app/policies/board_policy.rb b/app/policies/board_policy.rb
index 4bf1e7bd3e1..b8435dad3f1 100644
--- a/app/policies/board_policy.rb
+++ b/app/policies/board_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class BoardPolicy < BasePolicy
+  include FindGroupProjects
+
   delegate { @subject.parent }
 
   condition(:is_group_board) { @subject.group_board? }
@@ -13,4 +15,20 @@ class BoardPolicy < BasePolicy
     enable :read_milestone
     enable :read_issue
   end
+
+  condition(:reporter_of_group_projects) do
+    next unless @user
+
+    group_projects_for(user: @user, group: @subject.parent)
+      .visible_to_user_and_access_level(@user, ::Gitlab::Access::REPORTER)
+      .exists?
+  end
+
+  rule { is_group_board & reporter_of_group_projects }.policy do
+    enable :create_non_backlog_issues
+  end
+
+  rule { is_project_board & can?(:admin_issue) }.policy do
+    enable :create_non_backlog_issues
+  end
 end
diff --git a/app/policies/concerns/find_group_projects.rb b/app/policies/concerns/find_group_projects.rb
new file mode 100644
index 00000000000..e2cb90079c7
--- /dev/null
+++ b/app/policies/concerns/find_group_projects.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module FindGroupProjects
+  extend ActiveSupport::Concern
+
+  def group_projects_for(user:, group:)
+    GroupProjectsFinder.new(
+      group: group,
+      current_user: user,
+      options: { include_subgroups: true, only_owned: true }
+    ).execute
+  end
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 5d2b74b17a2..c726c7c24a7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 
 class GroupPolicy < BasePolicy
+  include FindGroupProjects
+
   desc "Group is public"
   with_options scope: :subject, score: 0
   condition(:public_group) { @subject.public? }
@@ -22,7 +24,7 @@ class GroupPolicy < BasePolicy
   condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
 
   condition(:has_projects) do
-    GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true, only_owned: true }).execute.any?
+    group_projects_for(user: @user, group: @subject).any?
   end
 
   with_options scope: :subject, score: 0