XRay Add-On Access Issue in Subgroups Due to Namespace Hierarchy Check
A bug affects access to the XRay Add-On feature in subgroups within a project's namespace hierarchy on GitLab. When the XRay scan CI job is initiated, it verifies the 'Add On Purchase' only at the namespace directly hosting the project and never checks the higher levels of the namespace hierarchy. As a result, subgroups nested under the namespace that holds the purchase do not inherit the XRay feature, and the functionality is blocked where it should be available.
Steps to Reproduce:
- Assign an XRay Add-On seat to a user within the root namespace (e.g., gitlab.com/gitlab-org).
- Verify that the XRay feature works as expected in a project at the top level of that group, such as gitlab.com/gitlab-org/gitlab.
- Attempt to use the XRay feature in a project within a subgroup of the original namespace, for instance, gitlab.com/gitlab-org/editor-extensions/gitlab-visual-studio-extension.
- Observe that the XRay feature is inaccessible in the subgroup project, despite being available in the parent group's project.
Expected Behavior:
The XRay Add-On feature should be accessible to all subgroups and projects within the hierarchy of the namespace where the Add-On is purchased, ensuring that all related projects benefit from the feature without additional configurations.
Actual Behavior:
The XRay Add-On feature is restricted to the immediate project under the namespace where it is checked and does not extend to subgroups, resulting in a lack of access to the feature for nested subgroup projects.
Suggested Fix:
Modify the Add-On check to recursively verify the presence of the Add-On purchase up through the hierarchy of namespaces, ensuring all nested groups and subprojects correctly inherit the Add-On's availability.
This adjustment will provide consistency in how Add-On features are distributed across projects and subgroups, enhancing usability and access control within GitLab environments.
Implementation Details
The scan checks for a license by namespace here:

def gitlab_duo_pro_add_on?
  # Looks for an active Duo Pro purchase on the project's own namespace only;
  # purchases on parent groups are never consulted.
  ::GitlabSubscriptions::AddOnPurchase
    .for_gitlab_duo_pro
    .by_namespace_id(current_namespace.id)
    .active
    .any?
end
Replacing current_namespace.id with current_namespace.self_and_ancestor_ids should check for a license on the namespace itself and on any parent group.
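To make the difference between the two lookups concrete, here is an added example that is not GitLab's code: a minimal stand-in for the namespace tree and the add-on purchase table, with the current check (own namespace id only) beside the hierarchy-aware check (self and ancestor ids). The Namespace and AddOnPurchase structs, the sample group tree and the purchase rows are all constructed for this example. It also shows the property a reviewer would want to confirm: the hierarchy check grants the feature to descendants of the purchasing group, but not to unrelated groups or to groups whose purchase is no longer active.

```ruby
# Constructed model of a GitLab-style namespace hierarchy (example only).
Namespace = Struct.new(:id, :path, :parent) do
  # Walk up the tree: the namespace itself first, then each ancestor to the root.
  def self_and_ancestors
    chain = []
    node = self
    while node
      chain << node
      node = node.parent
    end
    chain
  end

  def self_and_ancestor_ids
    self_and_ancestors.map(&:id)
  end
end

# Constructed stand-in for an AddOnPurchase row: which namespace bought what, and
# whether the purchase is still active.
AddOnPurchase = Struct.new(:namespace_id, :add_on, :active)

# Constructed sample tree: the purchase sits on the root group only.
ROOT  = Namespace.new(1, "gitlab-org", nil)
SUB   = Namespace.new(2, "gitlab-org/editor-extensions", ROOT)
OTHER = Namespace.new(3, "other-org", nil)

PURCHASES = [
  AddOnPurchase.new(1, :gitlab_duo_pro, true),  # active purchase on the root group
  AddOnPurchase.new(3, :gitlab_duo_pro, false)  # lapsed purchase on an unrelated group
].freeze

# Equivalent of `.for_gitlab_duo_pro.active` in the report's snippet.
def active_duo_pro_purchases
  PURCHASES.select { |p| p.add_on == :gitlab_duo_pro && p.active }
end

# Current behaviour described in the report: only the project's own namespace id
# is matched, so a purchase on a parent group is invisible to a subgroup project.
def duo_pro_add_on_by_namespace?(namespace)
  active_duo_pro_purchases.any? { |p| p.namespace_id == namespace.id }
end

# Suggested fix: match the purchase against the namespace and all of its ancestors.
# Siblings and unrelated roots are not on that path, so they stay unlicensed.
def duo_pro_add_on_in_hierarchy?(namespace)
  ids = namespace.self_and_ancestor_ids
  active_duo_pro_purchases.any? { |p| ids.include?(p.namespace_id) }
end

if __FILE__ == $PROGRAM_NAME
  [ROOT, SUB, OTHER].each do |ns|
    puts "#{ns.path}: by_namespace=#{duo_pro_add_on_by_namespace?(ns)} " \
         "hierarchy=#{duo_pro_add_on_in_hierarchy?(ns)}"
  end
end
```

Running the file prints one line per namespace: the root group passes both checks, the subgroup passes only the hierarchy check, and the unrelated group with a lapsed purchase passes neither, which is the behaviour the fix should preserve.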