Hide invited group name and source from project/group non-admins

Abdul Wadood requested to merge 144638-mask-group-detail-from-non-owners into master

What does this MR do and why?

If a group invited to a project/group is not visible to the current user, we mask the source. The visibility was determined by:

  1. The current user can read the invited group.
  2. The current user is a member of the shared group.

We're changing point 2 above to:

The current user is the admin of the shared group/project i.e. having at least maintainer access in the shared project or having owner access in the shared group.

!146995 (merged) will update the relevant documentation.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Using user1, create a public group called Public group and create a private group called Private group.
  2. Invite Private group to Public group with any access by using the Invite a group button on the Public group membership page.
  3. Add user2 to Public group with Developer access.
  4. Log in as user2 and navigate to the membership page of the Public group. See the group tab: the invited group name and source will be masked.
  5. Change the access level of user2 from Developer to Owner. The invited group name won't be masked anymore.

Related to https://gitlab.com/gitlab-org/gitlab/-/issues/451415

Edited by Abdul Wadood
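
The visibility rule before and after this change, modelled as an added example that is not part of the merge request and is not GitLab's code. The `Group` and `Share` structs, the method names, and the `[masked]` label are assumptions made for illustration; the access level numbers follow GitLab's documented scale, and group readability is simplified to "public, or the user is a member".

```ruby
# Simplified model of the masking rule (illustration only, not GitLab's implementation).
DEVELOPER  = 30
MAINTAINER = 40
OWNER      = 50
MASKED     = "[masked]" # constructed placeholder for the masked name/source

# Hypothetical value objects; members map user name => access level.
Group = Struct.new(:name, :visibility, :members)
# source_type is :group or :project (the thing the group was invited to).
Share = Struct.new(:source_type, :source_members, :invited_group)

# Condition 1 (unchanged): the current user can read the invited group.
def can_read_group?(user, group)
  group.visibility == :public || group.members.key?(user)
end

# Old condition 2: any member of the shared group/project sees the invited group.
def visible_before?(user, share)
  can_read_group?(user, share.invited_group) || share.source_members.key?(user)
end

# New condition 2: only admins of the shared source see it, meaning
# at least Maintainer on a shared project or Owner on a shared group.
def visible_after?(user, share)
  return true if can_read_group?(user, share.invited_group)

  required = share.source_type == :project ? MAINTAINER : OWNER
  share.source_members.fetch(user, 0) >= required
end

def render_invited_group(user, share, rule)
  send(rule, user, share) ? share.invited_group.name : MASKED
end

# Constructed data mirroring the validation steps: user1 owns both groups,
# user2 holds `level` in the shared source and is not in the private group.
def demo_share(level, source_type = :group)
  invited = Group.new("Private group", :private, { "user1" => OWNER })
  Share.new(source_type, { "user1" => OWNER, "user2" => level }, invited)
end

puts render_invited_group("user2", demo_share(DEVELOPER), :visible_before?)
puts render_invited_group("user2", demo_share(DEVELOPER), :visible_after?)
puts render_invited_group("user2", demo_share(OWNER), :visible_after?)
```
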
