"Owned" parameter does not function in the API to list projects for a group
Summary
According to the doc at https://docs.gitlab.com/ee/api/groups.html#list-a-group-s-projects, "owned" could be used to filter out the projects owned by the current user or not in the group.
Customer https://gitlab.my.salesforce.com/0016100000bhyzc met this.
Steps to reproduce
- Create one group
- Create one project inside the group
- Call GitLab API per https://docs.gitlab.com/ee/api/groups.html#list-a-group-s-projects with "owned=true" and "owned=false" respectively
What is the current bug behavior?
Both API calls return the same result
What is the expected correct behavior?
Each responds completely different set of result
Output of checks
This happens on gitlab.com.
Results of GitLab environment info
Expand for output related to GitLab environment info
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:env:info)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:env:info RAILS_ENV=production)
Results of GitLab application Check
Expand for output related to the GitLab application check
(For installations with omnibus-gitlab package run and paste the output of:
sudo gitlab-rake gitlab:check SANITIZE=true)(For installations from source run and paste the output of:
sudo -u git -H bundle exec rake gitlab:check RAILS_ENV=production SANITIZE=true)(we will only investigate if the tests are passing)
Implementation plan / Possible fixes
1. Find an alternative term to only_owned and change it everywhere.
Not really necessary, but the naming change would definitely bring in more clarity and readability. The work involved in the "find and replace" of this term across the codebase can be a little tedious. group_owned or group_owned_only is a really nice replacement term.
2. Propagate owned as a param to GroupProjectsFinder and then filter out projects owned by the current_user.
owned needs to be added to GroupProjectsFinder. It already takes in a bunch of params, so that's fine. The API layer is already passing in owned as a param if it is present, so there is probably nothing to do there.
In the service layer, we should:
- Add the new param's existence over here for documentation.
- Over here, we could add a condition like
if owned_projects?, which would filter the set of projects based on owner access level and return them.
Also, to be noted: our other APIs support only filtering by owned: true. We do not really support a case where owned: false is passed, and then it returns non-owned projects. So we should be OK with just adding that single if condition.
Surprisingly, in other finders, we just do this, which means that even if we pass owned: false, it is interpreted as the param is not passed at all, and not really as the inverse of owned: true. So we don't have to bother with owned: false condition.