Add project.group to group list when specified as owner
In the latest release, we allowed CODEOWNERS rules (https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/346) to be applied to web-based requests (such as Web IDE and file edits). These web requests include Merge actions ("clicking the Merge button") as well. This wider usage uncovered a bug in how we compare the user taking the action to the list of owners for a given path, specifically when the owner is the group under which the project lives (such as @gitlab-org for the GitLab project).
Prior to this change, Gitlab::CodeOwners::GroupsLoader did not add that group to the list of groups extracted from the incoming CODEOWNERS text and associated with the project. This list of groups is in turn expanded into a list of users that the user attempting the action (typically a merge) is compared to. Since the project's group is not added to the group list, its members are not expanded and are thus missing from the list of owners for a given path.
So, for a project such as cool-team/awesome, a path marked as owned by the @cool-team group would never be extracted from CODEOWNERS, and so its members would fail to be recognized as having the ability to complete the merge.
This bug led to a production incident (#216345) when codeowner rules were enabled for web requests, forcing us to do a hot-fix on 1 May.
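The failure mode described in the commit message, as an added, self-contained model that is not GitLab's own code: a buggy group loader that only considers groups explicitly shared with the project sits beside a fixed one that also considers the project's own namespace group, and both are run through the same owner-expansion and "can this user merge?" check. The `Group`/`Project` structs, the `USERS` list, the in-memory groups and the sample CODEOWNERS text are all constructed for this illustration; real CODEOWNERS patterns are globs, which the prefix matcher here does not attempt.

```ruby
# Illustrative model of the CODEOWNERS group-expansion path described in
# the commit message above. Constructed for this page: the structs, the
# in-memory data and the sample CODEOWNERS text are assumptions, and none
# of it is GitLab's own code.

Group   = Struct.new(:full_path, :members)                 # members: usernames
Project = Struct.new(:full_path, :group, :shared_groups)   # group: owning namespace

# Constructed sample data.
USERS     = %w[alice bob carol dave].freeze
COOL_TEAM = Group.new('cool-team', %w[alice bob])
SECURITY  = Group.new('security-reviewers', %w[carol])
AWESOME   = Project.new('cool-team/awesome', COOL_TEAM, [SECURITY])

CODEOWNERS = <<~TEXT.freeze
  # constructed sample CODEOWNERS
  docs/   @cool-team
  lib/    @security-reviewers
  app/    @dave @cool-team
TEXT

# Parse CODEOWNERS into [pattern, [handle, ...]] pairs, handles without the '@'.
def parse_codeowners(text)
  text.each_line.filter_map do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    pattern, *owners = line.split
    [pattern, owners.map { |o| o.delete_prefix('@') }]
  end
end

# Directory-prefix matching only; real CODEOWNERS patterns are globs.
def path_matches?(pattern, path)
  pat = pattern.delete_prefix('/')
  path == pat || path.start_with?(pat.chomp('/') + '/')
end

# Buggy loader: only groups explicitly shared with the project are candidates,
# so the project's own namespace group never resolves even when a rule names it.
def groups_for_buggy(project, handles)
  project.shared_groups.select { |g| handles.include?(g.full_path) }
end

# Fixed loader: the project's own group is a candidate as well.
def groups_for_fixed(project, handles)
  candidates = project.shared_groups + [project.group].compact
  candidates.select { |g| handles.include?(g.full_path) }
end

# Owners of one path: the last matching rule wins (as in CODEOWNERS), then
# user handles are kept as-is and group handles are expanded via the loader.
def owners_for(project, text, path, loader)
  rule = parse_codeowners(text).reverse.find { |pat, _| path_matches?(pat, path) }
  return [] unless rule
  _, handles = rule
  users  = handles & USERS
  groups = loader.call(project, handles - USERS)
  (users + groups.flat_map(&:members)).uniq
end

# The check behind the Merge button: is the acting user among the path's owners?
def can_merge?(user, project, text, path, loader)
  owners_for(project, text, path, loader).include?(user)
end

if __FILE__ == $PROGRAM_NAME
  %w[docs/index.md app/main.rb].each do |path|
    before = can_merge?('alice', AWESOME, CODEOWNERS, path, method(:groups_for_buggy))
    after  = can_merge?('alice', AWESOME, CODEOWNERS, path, method(:groups_for_fixed))
    puts "#{path}: alice can merge? before=#{before} after=#{after}"
  end
end
```

With the buggy loader, `alice` (a member of `cool-team`, the group that owns `cool-team/awesome`) is not an owner of anything under `docs/`, so a rule that names only the project's own group silently grants nobody merge rights; the fixed loader expands `@cool-team` to its members. Rules naming a shared group (`lib/` here) behave the same under both loaders, which is why the bug only surfaced for owner groups.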