Show assignment option only if user is acutally authorized to do so

krauselukas · krauselukas · commit e6026ebfde98 · 2025-11-06T18:16:59.000+01:00
Right now we show the assignment option to every user. We should only
show it if the user is actually authorized to assign someone.
diff --git a/src/api/app/policies/package_policy.rb b/src/api/app/policies/package_policy.rb
@@ -58,4 +58,20 @@ def source_access?
 
     record.enabled_for?('sourceaccess', nil, nil)
   end
+
+  def assign?
+    return false unless Flipper.enabled?(:foster_collaboration, user)
+    return true if user.admin?
+
+    assigneer_is_a_collaborator?
+  end
+
+  private
+
+  def assigneer_is_a_collaborator?
+    collaborators = (record.relationships + record.project.relationships).map(&:user)
+    return false if collaborators.empty?
+
+    collaborators.include?(user)
+  end
 end
diff --git a/src/api/app/views/webui/package/side_links/_assignments.html.haml b/src/api/app/views/webui/package/side_links/_assignments.html.haml
@@ -8,7 +8,7 @@
       %p.mb-0.link-danger
         %i.fas.fa-user-minus
         Unassign
-- else
+- elsif policy(package).assign?
   .dropdown#assignment-search
     %button.btn.btn-sm.dropdown-toggle.ps-0.border-0{ data: { 'bs-toggle': 'dropdown', 'bs-auto-close': 'outside' }, aria: { expanded: 'false' } }
       %strong
