Enforce compliance frameworks to only belong to group namespaces
Problem to solve
Currently it is technically possible to assign a compliance framework to a personal namespace, but this will not work as expected and should be guarded against.
Proposal
We should update the model constraints on ComplianceFramework to only allow the :namespace association to be a Group, and disallow a personal namespace.
Background
@ebaque started a discussion in an MR:
In your MR description, you wrote: "... make it clear that the namespace that a compliance framework belongs to should be a group namespace, not a user namespace"
However, we may have a discrepancy between that bit of description and this line here: this policy here works with both a group namespace and a user namespace (i.e., in the latter case, project.namespace.root_ancestor will return the user namespace). Therefore, can :read_compliance_framework be applied for a user namespace?
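The following is an added, plain-Ruby sketch (not GitLab's own code, and no ActiveRecord) of the two guards raised on this page: the model constraint from the proposal, which rejects a ComplianceFramework whose namespace is not a Group, and a policy-style check for the root_ancestor case in the discussion, where a project under a personal namespace resolves to a user namespace and should be denied rather than silently proceeding. The class names Namespace, Group, UserNamespace and Project, the root_ancestor walk, and the read_compliance_framework? helper are simplified stand-ins assumed for the example.

```ruby
# Added example, not GitLab's code: a simplified model of the constraint
# proposed in this issue. All class and method names here are assumptions.

class Namespace
  attr_reader :name, :parent

  def initialize(name, parent: nil)
    @name = name
    @parent = parent
  end

  # Walk up to the top-level namespace. This stands in for the
  # root_ancestor call quoted in the discussion; it is not the real method.
  def root_ancestor
    parent ? parent.root_ancestor : self
  end
end

class Group < Namespace; end
class UserNamespace < Namespace; end # a personal namespace

class Project
  attr_reader :namespace

  def initialize(namespace)
    @namespace = namespace
  end
end

class ComplianceFramework
  attr_reader :namespace, :errors

  def initialize(namespace)
    @namespace = namespace
    @errors = []
  end

  # Model-level constraint: only a Group may own a compliance framework.
  # A personal (user) namespace fails validation instead of being saved.
  def valid?
    @errors = []
    @errors << "namespace must be a group" unless namespace.is_a?(Group)
    @errors.empty?
  end
end

# Policy-level guard for the case in the discussion: resolve the project's
# root namespace and allow the read only when that root is a Group.
def read_compliance_framework?(project)
  project.namespace.root_ancestor.is_a?(Group)
end

if __FILE__ == $PROGRAM_NAME
  acme = Group.new("acme")
  dev = Group.new("dev", parent: acme)
  alice = UserNamespace.new("alice") # constructed personal namespace

  puts "group framework valid:    #{ComplianceFramework.new(acme).valid?}"
  fw = ComplianceFramework.new(alice)
  puts "personal framework valid: #{fw.valid?} (#{fw.errors.join(', ')})"
  puts "read under group:         #{read_compliance_framework?(Project.new(dev))}"
  puts "read under personal ns:   #{read_compliance_framework?(Project.new(alice))}"
end
```

The validation and the policy check are deliberately separate: the model constraint stops a bad record from being created, while the policy check protects reads for records or projects that already exist, which is the situation the quoted discussion is asking about.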