Support restricted visibility level in fork form
What does this MR do?
This MR adds support for "restricted visibility level". When a "restricted visibility level" is selected, it will disable that visibility level in the fork form.
| restricted visibility level |
Private | Internal | Public |
|---|---|---|---|
| Private (0) | disabled | - | - |
| Internal (10) | - | disabled | - |
| Public (20) | - | - | disabled |
Further disabled state of the visibility level also depends on the fork from project and namespace.
Example
In this example, both our project and namespace are public. The Internal is selected as the Restricted visibility levels. That means in our visibility level, the internal option is disabled and can't be selected.
| Restricted visibility levels | Project | Namespace | Visibility Level |
|---|---|---|---|
 |
Public | Public |  |
⚠ UX Assumptions!
1. Private is NOT disabled if all restrictedVisibilityLevel has been checked
There are instances when all visibility levels would be disabled, rendering no visibility can be selected (that's no good as visibility is a required field and a level must be checked). For example:
Project = private | Namespace = private | restrictedVisibilityLevel = private (0)
In this case, I'm going to ignore the restrictedVisibilityLevel and set the visibility level to be "Private"
| Restricted visibility levels | Visibility Level |
|---|---|
 |
 |
2. If one or more restrictedVisibilityLevel is selected, auto visibility level won't be checked
Currently, the visibility level checked will correspond with that of the project. And when a new namespace is selected, it will rest to the Private option per this MR change > !62306 (merged).
In this MR, we make the above behaviour only exists when there is no restrictedVisibilityLevel selected. When restrictedVisibilityLevel is selected, the visibility will be null. And the user will have to manually make the selection.
I agree this behaviour is not great. It should be smarter. Ideally, it should pre-populate with the visibility that corresponds with the project IF it's not restricted, otherwise it will be null or pre-populated with the next highest visibility level that is not restricted. As you may guess, this smarter behaviour will require additional logic. I think we can work iteratively here and make the improvements in a follow-up. I'll append this to an existing issue > #331620.
Testing Case
This feature is behind a Feature Flag, to turn on:
Feature.enable(:fork_project_form)To set the "restricted visibility level", you need to navigate to the admin panel:
-
The disabled state of the visibility level will correspond with the "restricted visibility level" -
If all "restricted visibility level" is selected, then only the 'Private' will be selectable -
If one or two "restricted visibility level" are selected, then the initial visibility level will be null(no radio button is checked).
| Restricted visibility levels | Visibility |
|---|---|
 |
 |
 |
 |
 |
 |
 |
|
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
-
I have included a changelog entry, or it's not needed. (Does this MR need a changelog?) -
I have added/updated documentation, or it's not needed. (Is documentation required?) -
I have properly separated EE content from FOSS, or this MR is FOSS only. (Where should EE code go?) -
I have added information for database reviewers in the MR description, or it's not needed. (Does this MR have database related changes?) -
I have self-reviewed this MR per code review guidelines. -
This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines) -
I have followed the style guides.
Availability and Testing
-
I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.) -
I have tested this MR in all supported browsers, or it's not needed. -
I have informed the Infrastructure department of a default or new setting change per definition of done, or it's not needed.
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
-
Label as security and @ mention @gitlab-com/gl-security/appsec -
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Related to #329575 (closed)