Regression: Custom project templates no longer work with internal visibility
Summary
Before fixing a security issue for custom project templates in a patch for 13.3.7, the internal visibility level worked well for custom project templates. No tedious membership management on the projects, and no security concerns about setting a project to public visibility.
Steps to reproduce
- Create a project, in the custom template group, with the Project Visibility set to "Internal"
- This project is not visible as a template for users that don't have access to the template group.
- Change the project visibility to "Public" and set all the project features to "Everyone With Access"
- This should make the project visible as a template, but it doesn't.
Probable cause
When a project is created with visibility set to "Internal", the default access level for the "Pages" feature is "PRIVATE". Updating the project visibility doesn't change the default value of the "Pages" feature access level. Since the user doesn't have a way to change the "Pages" feature access level through the UI, the "Pages" feature access level is locked in "PRIVATE", limiting the project to be used as template to only users that have access to the project itself.
Proposal
- #263305 (comment 541248819): Use `Project.filter_by_feature_visibility` (https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/models/project.rb#L653) in `CustomProjectTemplatesFinder` (https://gitlab.com/gitlab-org/security/gitlab/-/blob/master/ee/app/finders/custom_project_templates_finder.rb).
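An audit for the condition described under "Probable cause", added here as an example and not taken from the issue or from GitLab's code: it flags template projects that are internal or public but still have a feature access level left at "private". It assumes the field names returned by the GitLab Projects REST API (`visibility`, `pages_access_level`, and the other `*_access_level` fields); the project paths and values in the sample are constructed.

```ruby
require "json"

# Feature access-level fields as exposed by the GitLab Projects REST API
# (assumed input format; the issue itself only names the "Pages" feature).
FEATURE_FIELDS = %w[
  issues_access_level repository_access_level merge_requests_access_level
  wiki_access_level builds_access_level snippets_access_level pages_access_level
].freeze

# Returns { "group/project" => [fields still "private"] } for every project
# that is internal or public yet keeps a feature restricted to its members.
# Per the issue, one such leftover is enough to hide the template.
def locked_template_features(projects)
  projects.each_with_object({}) do |project, report|
    next if project["visibility"] == "private" # members-only by design
    locked = FEATURE_FIELDS.select { |field| project[field] == "private" }
    report[project["path_with_namespace"]] = locked unless locked.empty?
  end
end

# Constructed sample shaped like the project list of a template group.
SAMPLE_PROJECTS = JSON.parse(<<~JSON)
  [
    { "path_with_namespace": "templates/rails-starter", "visibility": "public",
      "issues_access_level": "enabled", "repository_access_level": "enabled",
      "merge_requests_access_level": "enabled", "wiki_access_level": "enabled",
      "builds_access_level": "enabled", "snippets_access_level": "enabled",
      "pages_access_level": "private" },
    { "path_with_namespace": "templates/go-service", "visibility": "internal",
      "issues_access_level": "enabled", "repository_access_level": "enabled",
      "merge_requests_access_level": "enabled", "wiki_access_level": "enabled",
      "builds_access_level": "enabled", "snippets_access_level": "enabled",
      "pages_access_level": "enabled" },
    { "path_with_namespace": "templates/members-only", "visibility": "private",
      "repository_access_level": "private", "pages_access_level": "private" }
  ]
JSON

if __FILE__ == $PROGRAM_NAME
  locked_template_features(SAMPLE_PROJECTS).each do |path, fields|
    puts "#{path}: #{fields.join(', ')}"
  end
end
```
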