Allow Group-level protected environments to take inherited membership into account
Summary
When a group is added to the list of groups allowed to deploy to a protected environment, only the group's direct members are allowed to deploy. Members who inherit membership from a parent group are not allowed to deploy to the protected environment.
Current behavior
- Configure the following group/project structure, where `UserA` is added as a Maintainer of `Parent_Group` and `UserB` is added directly to `Deploy_Group` as a Maintainer as well.

  Parent_Group:
  - Deploy_Group
  - Project

- Add `Deploy_Group` as a group allowed to deploy into `Project`'s protected environment.
- As `UserB`, try to deploy to the protected environment on `Project`. This operation succeeds.
- As `UserA`, try to deploy to the same protected environment. This operation fails because `UserA` doesn't have the necessary privileges for deployment.

`UserA` should be able to deploy because, by being a Maintainer on `Parent_Group`, they receive Maintainer privileges on `Deploy_Group` as well via inheritance, but inheritance is currently not taken into account for protected environments.
Proposal
- Add an option to Protected Environment to change the group-based access check behavior.
- There are two types of group-based access:
  - `direct` ... Only direct members can deploy.
  - `all` ... All members can deploy, including inherited members.
- Add a `group_inheritance_type` column to the `protected_environment_deploy_access_levels` table.
  - `{ direct: 0, all: 1 }`
  - The default is `direct`.
- Extend the API to allow users to set the value.
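The following is an added illustration of the proposed `direct` / `all` check, not GitLab's own code: a small in-memory model of a group hierarchy and one "allowed to deploy" entry carrying the proposed `group_inheritance_type`. The `Group` and `DeployAccessLevel` classes, their method names, and the use of GitLab's numeric role values (Maintainer = 40) are assumptions made for the example; the scenario it builds is the `Parent_Group` / `Deploy_Group` / `UserA` / `UserB` setup from the issue.

```ruby
# Added example, not GitLab code. Class and method names are assumptions.
# Models the proposal: a protected environment's group entry either counts
# only direct members (`direct`, current behavior) or also members inherited
# from ancestor groups (`all`).

# Mirrors the proposed column values for group_inheritance_type.
GROUP_INHERITANCE_TYPES = { direct: 0, all: 1 }.freeze

# Role values as GitLab numbers them (assumed here only for illustration).
MAINTAINER = 40

class Group
  attr_reader :name, :parent, :members

  def initialize(name, parent: nil)
    @name = name
    @parent = parent
    @members = {} # user => access level granted directly on this group
  end

  def add_member(user, access_level)
    @members[user] = access_level
  end

  # Direct membership: only what was granted on this group itself (nil if none).
  def direct_access_level(user)
    @members[user]
  end

  # Inherited membership: the highest level granted on this group or any ancestor.
  # Walks up the parent chain, so a Maintainer of Parent_Group is a Maintainer here too.
  def effective_access_level(user)
    levels = []
    group = self
    while group
      levels << group.members[user] if group.members.key?(user)
      group = group.parent
    end
    levels.max # nil when the user is a member of neither this group nor an ancestor
  end
end

# One group entry in the allowed-to-deploy list of a protected environment.
class DeployAccessLevel
  def initialize(group, group_inheritance_type: :direct)
    unless GROUP_INHERITANCE_TYPES.key?(group_inheritance_type)
      raise ArgumentError, "unknown group_inheritance_type #{group_inheritance_type.inspect}"
    end
    @group = group
    @type = group_inheritance_type
  end

  # The check that decides whether `user` may deploy through this group entry.
  def allows?(user)
    level = case @type
            when :direct then @group.direct_access_level(user)
            when :all then @group.effective_access_level(user)
            end
    !level.nil?
  end
end

# Constructed scenario from the issue: Deploy_Group sits under Parent_Group,
# UserA is a Maintainer of Parent_Group, UserB a direct Maintainer of Deploy_Group.
def build_scenario
  parent = Group.new("Parent_Group")
  deploy = Group.new("Deploy_Group", parent: parent)
  parent.add_member("UserA", MAINTAINER) # inherited into Deploy_Group
  deploy.add_member("UserB", MAINTAINER) # direct member of Deploy_Group
  deploy
end

# Returns [UserA allowed?, UserB allowed?] for the given inheritance type.
def deploy_results(group_inheritance_type)
  access = DeployAccessLevel.new(build_scenario, group_inheritance_type: group_inheritance_type)
  ["UserA", "UserB"].map { |user| access.allows?(user) }
end

if __FILE__ == $PROGRAM_NAME
  puts "direct: #{deploy_results(:direct).inspect}" # [false, true]  current behavior
  puts "all:    #{deploy_results(:all).inspect}"    # [true, true]   proposed option
end
```

With the default `direct`, `UserA` is rejected exactly as in the issue, even though `effective_access_level` already reports Maintainer for them on `Deploy_Group`; switching the entry to `all` is what makes that inherited membership count. Keeping `direct` as the default preserves the current, more restrictive behavior for existing protected environments.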
Edited by Shinya Maeda