Fix `admin_merge_request` custom role when the feature is private

What does this MR do and why?

Allow guest users to see merge requests when the "merge requests" feature is set as private, which only allows project members to see the pages related to merge requests.

How to set up and validate locally

  1. In Rails console, enable the admin_merge_request FF for a project.
    Feature.enable(:admin_merge_request, project)
  2. Change the "merge requests" feature to be private (members only) for that project by using the project settings page ("Visibility, project features, permissions" section).
  3. Create a guest member for that project.
  4. Create a member role that enables the admin_merge_request permission for the top-level group and copy the ID of the created entity.
    curl --location 'https://gdk.test:3443/api/v4/groups/$top-level-group-id/member_roles' \
    --header 'Authorization: Bearer $access-token' \
    --header 'Content-Type: application/json' \
    --data '{
        "base_access_level": 10, 
        "admin_merge_request": true
    }'
  5. Assign that recently created member role to the guest user.
    curl --location --request PUT 'https://gdk.test:3443/api/v4/projects/$project-id/members/$guest-user-id' \
    --header 'Authorization: Bearer $access-token' \
    --header 'Content-Type: application/json' \
    --data '{
        "access_level": 10, 
        "member_role_id" : $recently-created-member-role-id
    }'
  6. Log in as that guest user
  7. Try to access merge requests of the project
  8. Verify that you can't access the merge requests of the project
  9. Check out this branch
  10. Try to access merge requests of the project
  11. Verify that you can access the merge requests of the project

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
