Organization Users - Use proper permissions
What does this MR do and why?
The grouptenant scale team is starting to build out an Organization MVC. For more information about what an "Organization" will be, see https://docs.gitlab.com/ee/architecture/blueprints/organization/
Fixes concern raised here: #409313 (comment 1659731657)
The GraphQL endpoint for Organization Users uses the `read_organization_user` permission, while the UI currently uses `read_organization`. This is a disconnect: the UI should also be using the stricter `read_organization_user` permission.
This change aligns the two.
This change is behind a feature flag (`:ui_for_organizations`).
Screenshots or screen recordings
Signed in as a user of the organization: no changes (before/after screenshots not reproduced here).
Signed in as a user that is not part of the organization (before/after screenshots not reproduced here).
How to set up and validate locally
- Open the Rails console: `bin/rails console`
- Enable the feature flag: `Feature.enable(:ui_for_organizations)`
- Add yourself to the default organization: `Organizations::OrganizationUser.create!(user_id: User.find_by_username(<your username>).id, organization_id: 1)`
With Permissions
- Sign in with the user you added as an organization user above
- Go to the Default Organization path (http://127.0.0.1:3000/-/organizations/default)
- In the left nav, click Manage => Users
- Ensure the loading icon appears temporarily and then, once loading completes, the Users table appears
Without Permissions
- Impersonate another user
- Go to the Default Organization path (http://127.0.0.1:3000/-/organizations/default)
- Ensure the left nav does not have the Manage => Users option
- Ensure that going directly to the path (http://127.0.0.1:3000/-/organizations/default/users) returns a 404
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.