
Resolve "Allow project-group sharing with OWNER access"

What does this MR do and why?

With this MR, we support sharing a project with a group at the OWNER access level. Currently, only levels up to MAINTAINER are supported when sharing a project with a group.

A project-group share happens when you invite a group to the project, via UI or API:

Screenshot_2023-12-04_at_3.48.14_PM

However, when we start supporting OWNER access levels to project-group shares, there are a few more security considerations we should make.

The context for this is: both an OWNER and a MAINTAINER in a project can create, update or destroy project group links. However, when we support OWNER access levels for project-group shares, we should make sure that a MAINTAINER in a project cannot make modifications to an existing project-group share with OWNER access levels. This can have security implications, like elevated access. (A rogue maintainer in a project can invite another group with OWNER access to this project, thereby gaining OWNER permission in the project. Later, they could delete this project.)

To prevent this from happening, we make sure that:

  • Only OWNERS in the project can create, update or modify project group links with OWNER access.
  • Maintainers in the project cannot create, update or modify project group links with OWNER access. However, they can continue to create, update or modify project group links where access_level is less than OWNER.

This is in sync with policies we already have for project maintainers elsewhere. For example, a maintainer in a project cannot invite a new member with OWNER access. Only a project OWNER can do this.

Screenshots or screen recordings

As an OWNER in a project:

  • you can create a new project-group link with OWNER access:

Screenshot_2023-12-04_at_3.35.59_PM

  • you can modify a project-group link with existing OWNER access, i.e., change expiry, access level or delete it.

Screenshot_2023-12-04_at_3.36.16_PM

As a MAINTAINER in a project:

  • you can create a new project group link, but without OWNER access:

Screenshot_2023-12-04_at_3.44.40_PM

  • you can edit or delete an existing project group link that has less than OWNER access. You cannot edit or delete an existing project group link with OWNER access.

Screenshot_2023-12-04_at_3.58.17_PM


How to set up and validate locally


  • As the root user, create a new project named MyProject within any group.

  • As the root user, create a new group, MyGroup, at the root level.

  • In MyProject

    • Add 2 new members of varying access level:
      • Bob (Maintainer), Max (Owner)
    • Set up a project-group link with MyGroup with Developer access level.
  • In MyGroup

    • Add Jacob as Owner.
  • Log in as Bob and access MyProject. Set up a project-group share (Invite group) with any group listed in the dropdown. (If there isn't any, Bob can create a root group.) Observe that:

    • OWNER access level is not listed in the dropdown.
    • Link creation is successful.
    • Bob can update the link's expiry and access level, but only up to MAINTAINER; OWNER level is not listed.
    • Bob can destroy the link.
    • Set up the same link once more, if deleted, so that Max can test it below.
  • Log in as Max and access MyProject. Set up a project-group share with any group listed in the dropdown. (If there isn't any, Max can create a root group.) Observe that:

    • OWNER access level is listed in the dropdown.
    • Link creation is successful with OWNER access level.
    • Max can update the link's expiry and access level and OWNER level is listed.
    • Max can destroy the link.
    • Max can also update or destroy the link Bob created above.
    • Keep a project-group link with OWNER access level intact, without destroying it.
  • Log in as Bob again. Observe that:

    • The project-group link with OWNER access created by Max is not updatable or destroyable by Bob.
  • Log in as Jacob and access MyProject. Observe that:

    • Jacob is unable to update the project-group link with MyGroup
    • But, Jacob is able to destroy the project-group link with MyGroup, only because Jacob is the OWNER of MyGroup
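
The rules stated under "To prevent this from happening" and the Bob, Max and Jacob validation steps can be expressed as a small authorization check. This is an added example, not GitLab's code or the code in this MR: the `LinkPolicy` class, its methods, the `Link` struct and the sample data are hypothetical, and it assumes Jacob holds Developer access in MyProject through the MyGroup share.

```ruby
# Added illustration of the rules in this MR description; not GitLab's code.
# Class, method and variable names are hypothetical.
DEVELOPER = 30
MAINTAINER = 40
OWNER = 50

Link = Struct.new(:group, :access_level)

class LinkPolicy
  # project_roles: user => access level held in the project
  # group_owners:  group => users who are OWNER of that group
  def initialize(project_roles, group_owners)
    @project_roles = project_roles
    @group_owners = group_owners
  end

  def can_create?(user, level)
    manages?(user, level)
  end

  # Check the link's current level and the requested one: a maintainer may
  # neither touch an OWNER link nor raise a lower link to OWNER.
  def can_update?(user, link, new_level)
    manages?(user, link.access_level) && manages?(user, new_level)
  end

  # Owners of the invited group may remove their group's link (Jacob's step).
  # Assumption: this holds whatever the link's level; the page shows Developer.
  def can_destroy?(user, link)
    manages?(user, link.access_level) ||
      @group_owners.fetch(link.group, []).include?(user)
  end

  private

  # Maintainers manage links below OWNER; only project owners manage OWNER links.
  def manages?(user, level)
    role = @project_roles.fetch(user, 0)
    role >= MAINTAINER && (level < OWNER || role >= OWNER)
  end
end

# Constructed data mirroring the validation steps (Bob, Max, Jacob, MyGroup).
# Assumption: Jacob's Developer role in the project comes from the MyGroup share.
POLICY = LinkPolicy.new({ "bob" => MAINTAINER, "max" => OWNER, "jacob" => DEVELOPER },
                        { "MyGroup" => ["jacob"] })
MYGROUP_LINK = Link.new("MyGroup", DEVELOPER)
OWNER_LINK = Link.new("OtherGroup", OWNER)
```

Checking both the existing and the requested level in `can_update?` is what stops a maintainer from promoting a link they are otherwise allowed to edit.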

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #233408 (closed)

Edited by Manoj M J
