Unify member management between projects and groups - Owner Role
We treat projects and groups differently in multiple aspects:
- access levels:
  - for groups, we allow: from GUEST to OWNER
  - for projects, we allow: from GUEST only to MAINTAINER, but no OWNER

  Because of this, we cannot grant other users OWNER privileges to a project. See #21432 (closed).
- owner:
  - for groups, we add owner to members with OWNER access level
  - for projects:
    - projects in personal namespaces: we don't add the owner as member but they are directly associated via Project#owner
    - projects in groups: owner is added inheriting access level from group (so they might end up with DEVELOPER access level only)

  Because of this, we don't return the owner for personal projects via the members API. It's only returned by the projects API via the owner attribute. There's a long discussion around this in https://gitlab.com/gitlab-com/gl-security/security-operations/sirt/operations/-/issues/657#note_399169972.
I assume most of these are coming from historic reasons but they are causing a lot of inconsistency, confusion and edge cases we need to handle. This might also be required for simplifying groups and project.
Edited by Melissa Ushakov
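An access review built only on members API rows misses the owner of a personal project, as described above. The sketch below is an added example, not part of the original issue and not GitLab's code: it merges member rows with the project's owner attribute. The records are constructed, shaped like projects API and members API responses (`namespace.kind`, `owner`, `access_level`), and recording the personal owner at the OWNER level is an assumption made for the review.

```python
# Added example: all project and member records below are constructed.
OWNER, MAINTAINER, DEVELOPER = 50, 40, 30  # GitLab access_level integers


def effective_access(project, members):
    """Merge members-API rows with the project's owner attribute.

    Returns {user_id: (username, access_level, source)}.
    """
    access = {m["id"]: (m["username"], m["access_level"], "members")
              for m in members}
    owner = project.get("owner")
    # Personal-namespace projects: the owner is linked via the project itself,
    # not via a member row, so it has to be merged in explicitly.
    if owner and project["namespace"]["kind"] == "user":
        current = access.get(owner["id"])
        if current is None or current[1] < OWNER:
            # Assumption: record the owner as OWNER-equivalent for the review.
            access[owner["id"]] = (owner["username"], OWNER, "project.owner")
    return access


def privileged(access, floor=MAINTAINER):
    """Usernames at or above `floor`, sorted for stable output."""
    return sorted(name for name, level, _ in access.values() if level >= floor)


PERSONAL = {"id": 101, "namespace": {"kind": "user"},
            "owner": {"id": 1, "username": "alice"}}
PERSONAL_MEMBERS = [
    {"id": 2, "username": "bob", "access_level": DEVELOPER},
    {"id": 3, "username": "carol", "access_level": MAINTAINER},
]
GROUP = {"id": 202, "namespace": {"kind": "group"}}
GROUP_MEMBERS = [
    {"id": 4, "username": "dave", "access_level": DEVELOPER},  # created the project
    {"id": 5, "username": "erin", "access_level": OWNER},      # inherited from group
]

if __name__ == "__main__":
    for proj, rows in ((PERSONAL, PERSONAL_MEMBERS), (GROUP, GROUP_MEMBERS)):
        only = {m["id"]: (m["username"], m["access_level"], "members")
                for m in rows}
        print(proj["id"], "members API only:", privileged(only))
        print(proj["id"], "merged with owner:",
              privileged(effective_access(proj, rows)))
```

For the constructed personal project, the members-only view lists carol as the sole privileged user, while the merged view also lists alice.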