check authorizaiton, feature flag and access

Author: toy

Diff for: app/controllers/project_phases/hover_card_controller.rb

@@ -30,16 +30,30 @@
 
 module ProjectPhases
   class HoverCardController < ApplicationController
-    no_authorization_required! :show
+    before_action :authorize
+    before_action :check_feature_flag
     before_action :assign_gate
     before_action :find_phase
+    before_action :check_access
 
     layout false
 
     def show; end
 
     private
 
+    def check_feature_flag
+      return if OpenProject::FeatureDecisions.stages_and_gates_active?
+
+      render json: { error: "Not found" }, status: :not_found
+    end
+
+    def check_access
+      return if User.current.allowed_in_project?(:view_project_phases, @phase.project)
+
+      render json: { error: "Forbidden" }, status: :forbidden
+    end
+
     def assign_gate
       @gate = params[:gate]
       return if @gate.in?(%w[start finish])

Diff for: config/initializers/permissions.rb

@@ -135,7 +135,9 @@
                      require: :member
 
       map.permission :view_project_phases,
-                     {},
+                     {
+                       "project_phases/hover_card": :show
+                     },
                      permissible_on: :project,
                      dependencies: :view_project,
                      visible: -> { OpenProject::FeatureDecisions.stages_and_gates_active? }