
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'app/controllers/projects/analytics/cycle_analytics/stages_controller.rb')
-rw-r--r--app/controllers/projects/analytics/cycle_analytics/stages_controller.rb21
1 files changed, 21 insertions, 0 deletions
diff --git a/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb b/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb
index 7b38c069a60..ab2cf3abdde 100644
--- a/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb
+++ b/app/controllers/projects/analytics/cycle_analytics/stages_controller.rb
@@ -2,6 +2,7 @@
class Projects::Analytics::CycleAnalytics::StagesController < Projects::ApplicationController
include ::Analytics::CycleAnalytics::StageActions
+ include Gitlab::Utils::StrongMemoize
extend ::Gitlab::Utils::Override
respond_to :json
@@ -10,6 +11,7 @@ class Projects::Analytics::CycleAnalytics::StagesController < Projects::Applicat
before_action :authorize_read_cycle_analytics!
before_action :only_default_value_stream_is_allowed!
+ before_action :authorize_stage!, only: [:median, :count, :average, :records]
urgency :low
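Review bot: The `only:` list on the new `before_action :authorize_stage!` is an allowlist, so a stage-scoped action added later to this controller or to the included `StageActions` concern would be served without the per-stage check unless the list is extended. If the set of actions that resolve a single stage is stable, an `except:` form that names only the listing action would fail closed instead; the full action list is not visible in this hunk, so that needs checking against the concern. At minimum I would add a comment above the filter such as `# Keep in sync with every action that loads a single stage; the stage listing is filtered in cycle_analytics_configuration.`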
@@ -25,7 +27,26 @@ class Projects::Analytics::CycleAnalytics::StagesController < Projects::Applicat
Analytics::CycleAnalytics::ProjectValueStream
end
+ override :cycle_analytics_configuration
+ def cycle_analytics_configuration(stages)
+ super(stages.select { |stage| permitted_stage?(stage) })
+ end
+
def only_default_value_stream_is_allowed!
render_404 if params[:value_stream_id] != Analytics::CycleAnalytics::Stages::BaseService::DEFAULT_VALUE_STREAM_NAME
end
+
+ def permitted_stage?(stage)
+ permissions[stage.name.to_sym] # name matches the permission key (only when default stages are used)
+ end
+
+ def permissions
+ strong_memoize(:permissions) do
+ Gitlab::CycleAnalytics::Permissions.new(user: current_user, project: parent).get
+ end
+ end
+
+ def authorize_stage!
+ render_403 unless permitted_stage?(stage)
+ end
end
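Review bot: `permitted_stage?` denies an unknown stage only because a missing key yields nil, and its inline comment says the name-to-permission mapping holds only for default stages, so the check silently depends on `only_default_value_stream_is_allowed!` running earlier in the filter chain. Making the deny explicit would keep it fail-closed if that assumption changes, for example `permissions.fetch(stage.name.to_sym, false)` (assuming `Permissions#get` returns a Hash, which is not visible here). `authorize_stage!` also reads `stage`, which is defined outside the hunk; if that helper can return nil for an unknown id, `stage.name` would raise instead of rendering 403 or 404. The class body starts before this hunk, so whether the three new helpers sit under `private` and are unreachable as actions cannot be confirmed from the visible lines.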