Allow beta access to licenses list
What does this MR do?
In order to test the back end endpoints in production, we need to globally enable the licenses_list feature toggle. I would like to avoid globally enabling this feature flag in production because we are still working on both backend and front end development because the work for the new License Compliance page is not GA.
The change in this MR allows us to enable the licenses_list feature flag on a specific project so that we can slowly roll out access to the license compliance page.
In order to complete #34824 (closed), #34825 (closed), #34826 (closed) I need to ensure that the JSON endpoint is reachable and functioning as expected. I was able to test this endpoint in staging because the feature flag was globally enabled there. However, in production I want to enable this feature for a specific project. To accomplish this, I thought I could enable the licenses_list feature flag for a specific project in production. I used chatops to enable the feature.
I found that enabling the feature flag isn't enough. The default authorize_* handler defined in the Projects::ApplicationController will delegate to Ability.allowed?(current_user, :read_licenses_list, project). The way that the policy for the read_licenses_list claim is set up requires the project to have a licensed feature named licenses_list and a licensed feature named license_management. The license_management is a known licensed feature. However, licenses_list is not. I believe licenses_list was meant to be created as a feature toggle but is currently being treated as a separate feature that is licensed independently from license_management. I don't think that licenses_list is meant to be a separate licensed feature as this work is an extension of the current license_management offering.
To make it possible for us to test the backend endpoints in production, I have switched from project.feature_available?(:licenses_list) to project.beta_feature_available?(:licenses_list) which will allow us to enable a feature flag for a specific project to test with.
Does this MR meet the acceptance criteria?
Conformity
- [-] Changelog entry
- [-] Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- Separation of EE specific content
Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- [-] Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- [-] Label as security and @ mention @gitlab-com/gl-security/appsec
- [-] The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- [-] Security reports checked/validated by a reviewer from the AppSec team