Manage custom role permissions in hierarchy
The following discussion from !143616 (merged) should be addressed:
@hmehra started a discussion:
Hey @jarka, this MR is still in draft mode because I am waiting for the pipelines to pass.
But can you please confirm that the update I have made to this test is correct? I found that when a user was assigned to a custom role in a group & a project (inside the group), then the permissions that it receives from the project member role are active, not group.
For instance:
```ruby
# User is assigned member role 1 inside group -> read_code: true
# User is assigned member role 2 inside project -> admin_terraform_state: true

Ability.allowed?(:user, :admin_terraform_state, project) # => true
Ability.allowed?(:user, :read_code, project) # => false
```
The test here asserts the opposite since it asserts that `allowed_abilities` which are assigned to `group_member_guest` are actually the ones that are active, but I believe that's because `create_member_role(project_member_guest, { read_code: false })` was creating a member role with no permissions enabled.

You are the domain expert here so I just want to confirm that I have made the correct change.

@jarka Hmm, and this is a bug. The user should be allowed to do both for the project in your example 🤔 Could you please create an issue and tag me there? I suspect it might be related to the preloader queries
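
The two behaviours discussed above, side by side, as an added example that is not GitLab's code and not from either participant. `Node`, `MemberRoles`, `nearest_only` and `inherited` are hypothetical names in a constructed model, and it assumes "allowed to do both" means the union of enabled abilities along the group-to-project chain.

```ruby
require "set"

# Constructed model: a group or project with an optional parent group.
Node = Struct.new(:name, :parent) do
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end
end

# Constructed model of custom-role assignments for one user:
# { node => { ability => enabled? } }
class MemberRoles
  def initialize
    @by_node = {}
  end

  def assign(node, abilities)
    @by_node[node] = abilities
  end

  # Behaviour reported in the thread: only the closest assignment is active.
  def nearest_only(node)
    enabled(node.self_and_ancestors.find { |n| @by_node.key?(n) })
  end

  # Behaviour described as expected: abilities accumulate down the hierarchy.
  def inherited(node)
    node.self_and_ancestors.reduce(Set.new) { |acc, n| acc | enabled(n) }
  end

  private

  # Abilities set to false (e.g. { read_code: false }) grant nothing.
  def enabled(node)
    Set.new(@by_node.fetch(node, {}).select { |_, on| on }.keys)
  end
end

GROUP = Node.new("group", nil)
PROJECT = Node.new("project", GROUP)
ROLES = MemberRoles.new
ROLES.assign(GROUP, { read_code: true })
ROLES.assign(PROJECT, { admin_terraform_state: true })
```

A regression spec for this kind of bug should give the project-level role at least one enabled ability that differs from the group-level one, otherwise the two resolution strategies return the same set and the test cannot tell them apart.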