Consider the assigner in assignment policies

The policy doesn't check if the assigner is authorized to add
an assignee to a package. As of now everyone can add an assigne.
We have to check if the assigner is a collaborator as well.

Author: krauselukas

src/api/app/policies/assignment_policy.rb

@@ -4,13 +4,22 @@
 class AssignmentPolicy < ApplicationPolicy
   def create?
     return false unless Flipper.enabled?(:foster_collaboration, user)
-
     return true if user.admin?
+    return false unless assigneer_is_a_collaborator?
 
     record.assignee_is_a_collaborator?
   end
 
   def destroy?
     create?
   end
+
+  private
+
+  def assigneer_is_a_collaborator?
+    collaborators = (record.package.relationships + record.package.project.relationships).map(&:user)
+    return false if collaborators.empty?
+
+    collaborators.include?(user)
+  end
 end