Hide invited group name and source from project/group non-admins
What does this MR do and why?
If a group invited to a project/group is not visible to the current user, we mask the source. The visibility was determined by:
- The current user can read the invited group.
- The current user is a member of the shared group.
We're changing point 2 above to:
The current user is an admin of the shared group/project, i.e. has at least Maintainer access in the shared project or Owner access in the shared group.
!146995 (merged) will update the relevant documentation.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Using `user1`, create a public group called `Public group` and create a private group called `Private group`.
- Invite `Private group` to `Public group` with any access by using the Invite a group button on the `Public group` membership page.
- Add `user2` to `Public group` with Developer access.
- Log in as `user2` and navigate to the membership page of the `Public group`. See the group tab and the invited group name and source will be masked.
- Change the access level of `user2` from Developer to Owner. The invited group name won't be masked anymore.
Related to https://gitlab.com/gitlab-org/gitlab/-/issues/451415
Edited by Abdul Wadood
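
The visibility rule from the description above, before and after the change, as an added Ruby example that is not GitLab's code. Every class, method and constant name here is hypothetical, the read check is a simplified assumption, and the masked values are constructed placeholders.

```ruby
# Added illustration; not GitLab's implementation. All names are hypothetical.
ACCESS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

# kind is :group or :project; members maps username => access level symbol.
Source = Struct.new(:name, :kind, :visibility, :members) do
  def access_of(user)
    ACCESS.fetch(members[user], 0) # 0 means "not a member"
  end
end

# Simplified stand-in for "the current user can read the invited group".
def can_read?(user, group)
  group.visibility == :public || group.access_of(user) > 0
end

# Old point 2: any membership in the shared group/project was enough.
def member_of_shared?(user, shared)
  shared.access_of(user) > 0
end

# New point 2: Maintainer or above on a shared project, Owner on a shared group.
def admin_of_shared?(user, shared)
  required = shared.kind == :project ? ACCESS[:maintainer] : ACCESS[:owner]
  shared.access_of(user) >= required
end

def invited_group_visible?(user, invited, shared, rule: :new)
  return true if can_read?(user, invited)
  rule == :old ? member_of_shared?(user, shared) : admin_of_shared?(user, shared)
end

# What the membership page row would carry for the invited group.
def invited_group_row(user, invited, shared, rule: :new)
  if invited_group_visible?(user, invited, shared, rule: rule)
    { name: invited.name, source: "Direct member" } # constructed source label
  else
    { name: "(masked)", source: nil }               # constructed placeholders
  end
end

# Constructed data mirroring the validation steps on this page.
PRIVATE_GROUP = Source.new("Private group", :group, :private, { "user1" => :owner })

def public_group(user2_level)
  Source.new("Public group", :group, :public, { "user1" => :owner, "user2" => user2_level })
end
```

With `user2` as Developer of `Public group`, the old rule exposes the private group's name and the new rule masks it; promoting `user2` to Owner makes it visible again.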