Skip to content

Add group setting to control whether guest users can view source code in private projects

What does this MR do?

This merge request adds a new setting at the group level, configuring whether guests should be able to see repository source code and merge requests. The default behaviour remains the same, with only reporters and higher being able to see source code.

It directly resolves #20277 (closed).

This merge request changes the behaviour of permissions, thus a member of security will need to review it.

Screenshots (strongly suggested)

The new setting under group settings:

image

I have also updated the relevant documentation:

image

image

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
    • I can't modify the labels, and the bot is ignoring the command to add the security label. I will need someone with appropriate access to do this for me.
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by June Rhodes

Merge request reports

Loading