Backend: Filter catalog resources based on user permissions
Problem
When a user marks the components repository as being a catalog resource we expect the project to be available in the catalog. However, we need to ensure that projects are exposed in the catalog only to users who have the right permissions.
For example:
- You are a user of `gitlab-org/gitlab`.
- `gitlab-org/security/dast` and `gitlab-org/security/sast` are 2 components repositories that everyone in the `gitlab-org` group can access.
- `gitlab-org/internal` is a sub-group accessible only to a limited number of `gitlab-org` members. This sub-group contains a components repository `report-x`.
```mermaid
flowchart TD
  gitlab-org --> gitlab([gitlab])
  gitlab-org --> internal --> report-x[[report]]
  gitlab-org --> security --> dast[[dast]]
  security --> sast[[sast]]
```
Expectations
- If you don't have access to `gitlab-org/internal` you should not see the components repository `gitlab-org/internal/report-x` listed in the catalog.
- As you have access to the `gitlab-org/security` sub-group you will see the components repositories `gitlab-org/security/dast` and `gitlab-org/security/sast`.
Proposal
We already have the `Ci::Catalog::Listing` class, which represents the baseline scope of resources in a given root namespace. We can leverage `ProjectsFinder`, or at least its filter by permissions, and pass `Ci::Catalog::Listing#resources` through this permissions filter to ensure we don't accidentally expose resources to users who don't have permissions.
Edited by Fabio Pitino
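The proposal above, sketched as a stand-alone added example (not GitLab's code and not the actual `Ci::Catalog::Listing` or `ProjectsFinder` implementation). `Project`, `CatalogListing`, `visible_paths`, the user names and the per-project set of authorized users are all hypothetical, and the access model is deliberately simplified.

```ruby
require 'set'

# Hypothetical stand-ins, not GitLab classes. Access is modelled as an explicit
# per-project set of authorized user names (an assumption of this sketch).
Project = Struct.new(:full_path, :catalog_resource, :authorized_users) do
  def root_namespace
    full_path.split('/').first
  end

  # Fail closed: an anonymous (nil) user can read nothing.
  def readable_by?(user)
    !user.nil? && authorized_users.include?(user)
  end
end

class CatalogListing
  def initialize(projects, root_namespace, current_user)
    @projects = projects
    @root_namespace = root_namespace
    @current_user = current_user
  end

  # The only public entry point: the baseline scope passed through the
  # permission filter, so counts and pagination see the filtered set only.
  def resources
    baseline.select { |project| project.readable_by?(@current_user) }
  end

  private

  # Baseline scope: every catalog resource in the root namespace, with no
  # permission check. Private so callers cannot reach the unfiltered list.
  def baseline
    @projects.select { |p| p.catalog_resource && p.root_namespace == @root_namespace }
  end
end

# Constructed sample data mirroring the hierarchy in the example above.
everyone = Set['alice', 'bob']
PROJECTS = [
  Project.new('gitlab-org/gitlab', false, everyone),
  Project.new('gitlab-org/security/dast', true, everyone),
  Project.new('gitlab-org/security/sast', true, everyone),
  Project.new('gitlab-org/internal/report-x', true, Set['bob']),
  Project.new('other-org/scanner', true, everyone)
].freeze

def visible_paths(user)
  CatalogListing.new(PROJECTS, 'gitlab-org', user).resources.map(&:full_path).sort
end
```
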