Fix retrieving custom roles available for a group
What does this MR do and why?
It fixes retrieving custom roles available for a group.
What we did before this MR
We were checking the permission to admin custom roles (`admin_member_role`) against the custom roles group, which is always a root group, and only an owner of that root group can admin custom roles.
What is the problem
A user who is not a root group owner can still assign members to subgroups/projects if they are a subgroup owner or a project maintainer, and these users should also be able to assign custom roles in "their" subgroups/projects.
What we do after this change
We check a new permission (`read_member_role`) against the group/project the user is actually requesting custom roles for. They have this permission whenever they are able to add/change/remove a member of that group/project.
More details inline
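The two checks side by side, as an added example that is not GitLab's code: a minimal model of a root group, subgroup and project, with the old resolver evaluating `admin_member_role` against the root group and the new one evaluating `read_member_role` against the namespace being queried. The `Namespace`/`Policy` classes, the access levels and the custom-role names are constructed for the example.

```ruby
# Added example, not GitLab's code: a minimal model of the permission change
# in this MR. The hierarchy, users and custom-role names are constructed.
ACCESS = { guest: 10, developer: 30, maintainer: 40, owner: 50 }.freeze

class Namespace
  attr_reader :parent, :project, :members
  def initialize(parent: nil, project: false)
    @parent = parent
    @project = project
    @members = {}
    @custom_roles = [] # only used on the root group
  end
  def root
    parent ? parent.root : self
  end
  def add_member(user, role)
    members[user] = ACCESS.fetch(role)
  end
  # Effective access: highest direct or inherited membership.
  def access_level(user)
    inherited = parent ? parent.access_level(user) : 0
    [members.fetch(user, 0), inherited].max
  end
  # Custom roles are defined on the root group, as the MR notes.
  def custom_roles
    parent ? root.custom_roles : @custom_roles
  end
end

module Policy
  # Old check (admin_member_role) is evaluated against the root group,
  # so only a root-group owner passes, even for a subgroup or project.
  def self.admin_member_role?(user, ns)
    ns.root.access_level(user) >= ACCESS[:owner]
  end
  # New check (read_member_role) is evaluated against the group/project
  # queried and is held by whoever may add/change/remove its members.
  def self.read_member_role?(user, ns)
    ns.access_level(user) >= (ns.project ? ACCESS[:maintainer] : ACCESS[:owner])
  end
end

# memberRoles resolver as it behaved before this MR and after it.
def member_roles_before(user, ns)
  Policy.admin_member_role?(user, ns) ? ns.custom_roles : []
end
def member_roles_after(user, ns)
  Policy.read_member_role?(user, ns) ? ns.custom_roles : []
end
```

With a subgroup owner, a project maintainer and a developer, only the "after" resolver returns the custom roles for the subgroup owner and the project maintainer, and neither resolver returns anything for the developer.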
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
Preparation
- Find/create a group with subgroup and project in that subgroup
Subgroup
- Pick/create a user who is an owner in the subgroup but not in the root group
- Impersonate that user
- Go to the subgroup members page and try to add a user/change a user role/add a group
- Make sure you can see the available custom roles
- You can also test the mutation itself (see below)
- Try the same with the root group owner (you should see the custom roles and get them using the mutation) and with a user with a lower role (you should not be able to add/change members, and the mutation should not return any custom roles)
```graphql
query {
  group(fullPath: "flightjs/flight-subgroup") {
    id
    name
    memberRoles {
      nodes {
        id
        name
      }
    }
  }
}
```
Project
- Pick/create a user who is a maintainer in the project but not the owner in the root group/subgroup
- Impersonate that user
- Go to the project members page and try to add a user/change a user role/add a group
- Make sure you can see the available custom roles
- You can also test the mutation itself (see below)
- Try the same with the root group owner/maintainer (you should see the custom roles and get them using the mutation) and with a user with a lower role (you should not be able to add/change members, and the mutation should not return any custom roles)
```graphql
query {
  project(fullPath: "flightjs/flight-subgroup/sub-project") {
    id
    name
    memberRoles {
      nodes {
        id
        name
      }
    }
  }
}
```
Related to #454360 (closed)