Owners of sub-groups and projects should not have access when banned
What does this MR do and why?
Resolves: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/111
Problem: When sub-group and project owners are banned from a top-level namespace they can still access their sub-groups and projects.
This MR updates the group and project policies to prevent owners of sub-group and projects from accessing their sub-group and projects when they are banned from the top-level group.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
Note: to unban just destroy all ::Namespaces::NamespaceBan
by executing ::Namespaces::NamespaceBan.destroy_all
in Rails console
Validate that sub-group owners are banned
- Create a top-level group and a sub-group under the top-level group
- Add another user (
user2
) asOWNER
to the sub-group - Validate that
user2
can access the sub-group - In Rails console, ban the sub-group owner (
user2
) from the top-level group> namespace = Group.find_by_full_path('your_groups_actual_full_path') > user = User.find_by(username: 'your_actual_users_username') > ::Namespaces::NamespaceBan.create(user: user, namespace: namespace)
- Validate that
user2
can no longer access (404) the sub-group
Validate that project owners are banned
- Create a top-level group and a project (
project1
) under the top-level group - Create a sub-group under the top-level group and a project (
project2
) under the sub-group - Add another user (
user2
) asOWNER
toproject1
andproject2
- Validate that
user2
can accessproject1
andproject2
- In Rails console, ban the
user2
from the top-level group> namespace = Group.find_by_full_path('your_groups_actual_full_path') > user = User.find_by(username: 'your_actual_users_username') > ::Namespaces::NamespaceBan.create(user: user, namespace: namespace)
- Validate that
user2
can no longer access (404)project1
andproject2
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.