Show assignment option only if user is acutally authorized to do so

Right now we show the assignment option to every user. We should only
show it if the user is actually authorized to assign someone.

Author: krauselukas

src/api/app/policies/package_policy.rb

@@ -58,4 +58,20 @@ def source_access?
 
     record.enabled_for?('sourceaccess', nil, nil)
   end
+
+  def assign?
+    return false unless Flipper.enabled?(:foster_collaboration, user)
+    return true if user.admin?
+
+    assigneer_is_a_collaborator?
+  end
+
+  private
+
+  def assigneer_is_a_collaborator?
+    collaborators = (record.relationships + record.project.relationships).map(&:user)
+    return false if collaborators.empty?
+
+    collaborators.include?(user)
+  end
 end

src/api/app/views/webui/package/show.html.haml

@@ -32,7 +32,7 @@
           .d-inline-flex
             = render partial: 'webui/shared/label_list', locals: { labelable: @package, project: @project }
             - if Flipper.enabled?(:foster_collaboration, User.session)
-              = render partial: 'webui/package/side_links/assignments', locals: { project: @project, package: @package }
+              = render partial: 'webui/package/side_links/assignments', locals: { project: @project, package: @package, user: User.session }
         - if Flipper.enabled?(:package_version_tracking, User.session) && (@package.latest_local_version || @package.latest_upstream_version)
           Version:
           - if @package.latest_local_version

src/api/app/views/webui/package/side_links/_assignments.html.haml

@@ -8,7 +8,7 @@
       %p.mb-0.link-danger
         %i.fas.fa-user-minus
         Unassign
-- else
+- elsif policy(package).assign?
   .dropdown#assignment-search
     %button.btn.btn-sm.dropdown-toggle.ps-0.border-0{ data: { 'bs-toggle': 'dropdown', 'bs-auto-close': 'outside' }, aria: { expanded: 'false' } }
       %strong