[draft] POC: Add Owner role to Project
What does this MR do and why?
Experiment for adding Owner role to (Group) Projects as well as Groups.
Personal namespace projects are still unaffected, and the namespace owner is still shown as Maintainer. We will have to address that at some point. (edit: it's being addressed in !80825 (merged))
Membership still needs moving to ProjectNamespace but that is being done in a separate but parallel initiative.
Screenshots or screen recordings
How to set up and validate locally
Level 1: make someone else an Owner of a group project
- View the members page under Project Information for any project under a group (NOT a personal namespace project).
- Add an existing user with Owner status via the form (email presumably works too, I didn't try it).
- See that the new member has Owner status, and the original owner is also an Owner!
- Notes also include the badge annotation.
Level 2: verify Owner permissions
- Create some issue under the project.
- As an Admin, visit the user's profile in the Admin view; Owner access is shown next to the project.
- Impersonate them.
- See the Delete button, only available to Owners!
- In the console, you can verify that your User can now do things:

```ruby
p = Project.find <ID of the project>
u = User.find <ID of the new Owner user>
i = p.issues.last                       # issues belong to the project instance, not the Project class
Ability.allowed?(u, :destroy_issue, i)  # same ability name the policy debugger below inspects
#=> true
```
Policy debugger output:

```
[4] pry(main)> ip = IssuePolicy.new(u, i)
=> #<IssuePolicy (@tomasa.hegmann : Issue/498)>
[5] pry(main)> ip.debug(:destroy_issue)
- [0] prevent when all?(anonymous, ~public_project) ((@tomasa.hegmann : Project/35))
- [14] prevent when all?(archived, ~pending_delete) ((@tomasa.hegmann : Project/35))
- [21] prevent when all?(confidential, ~can_read_confidential) ((@tomasa.hegmann : Issue/498))
ProjectFeature Load (11.5ms) SELECT "project_features".* FROM "project_features" WHERE "project_features"."project_id" = 35 LIMIT 1 /*application:console,db_config_name:main,line:/home/charlie/.rbenv/gems/2.7.0/gems/marginalia-1.10.0/lib/marginalia/comment.rb:25:in `block in construct_comment'*/
- [28] prevent when issues_disabled ((@tomasa.hegmann : Project/35))
- [28] prevent when all?(~public_project, ~internal_access, ~project_allowed_for_job_token) ((@tomasa.hegmann : Project/35))
+ [58] enable when can?(:owner_access) ((@tomasa.hegmann : Project/35))
=> #<DeclarativePolicy::Runner::State:0x0000558f005d1260
 @called_conditions=
  #<Set: {"/dp/condition/DeclarativePolicy::Base/anonymous/User:9",
   "/dp/condition/ProjectPolicy/archived/Project:35",
   "/dp/condition/IssuePolicy/confidential/Issue:498",
   "/dp/condition/ProjectPolicy/issues_disabled/User:9,Project:35",
   "/dp/condition/ProjectPolicy/public_project/Project:35",
   "/dp/condition/BasePolicy/admin/User:9",
   "/dp/condition/BasePolicy/auditor/User:9",
   "/dp/condition/ProjectPolicy/needs_new_sso_session/User:9,Project:35",
   "/dp/condition/ProjectPolicy/owner/User:9,Project:35",
   "/dp/condition/BasePolicy/visual_review_bot/User:9",
   "/dp/condition/BasePolicy/security_bot/User:9",
   "/dp/condition/BasePolicy/alert_bot/User:9",
   "/dp/condition/BasePolicy/support_bot/User:9",
   "/dp/condition/BasePolicy/external_authorization_enabled",
   "/dp/condition/DeclarativePolicy::Base/default"}>,
 @enabled=true,
 @prevented=false>
```
Do something now permissible
- Delete an issue while impersonating that person, which is possible as an Owner but not as a Maintainer in a group project.
- Success! Issue gone! 🚀

Personal namespace projects are unaffected.
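To make the Level 2 checks reproducible without a GitLab instance, here is an added toy model (not GitLab's code) of the Owner-vs-Maintainer distinction this MR introduces for group projects. Rule evaluation is shaped after DeclarativePolicy, where any satisfied `prevent` rule beats every `enable` rule, and the numeric access levels mirror GitLab's; every class, method and sample value below (`AccessLevel`, `IssuePolicy#debug`, `sample_world`, `verification_results`, user/project ids) is an assumption for illustration, not the real application API.

```ruby
# Added example, not GitLab's code. Access levels mirror GitLab's numeric
# scale; everything else is a constructed stand-in for the real models.
module AccessLevel
  GUEST = 10
  REPORTER = 20
  DEVELOPER = 30
  MAINTAINER = 40
  OWNER = 50
end

User = Struct.new(:id, :name)
Issue = Struct.new(:id, :project)
# parent_type is :group for group projects, :user for personal namespace projects.
Project = Struct.new(:id, :parent_type, :archived, :issues_enabled, :members) do
  def group_project?
    parent_type == :group
  end

  # Highest access level the user holds on the project, nil if not a member.
  def access_level_for(user)
    members[user.id]
  end
end

Rule = Struct.new(:kind, :name, :condition)

class IssuePolicy
  # Evaluated as a set: a prevent rule that holds blocks the ability outright.
  RULES = [
    Rule.new(:prevent, 'anonymous',       ->(user, _issue) { user.nil? }),
    Rule.new(:prevent, 'archived',        ->(_user, issue) { issue.project.archived }),
    Rule.new(:prevent, 'issues_disabled', ->(_user, issue) { !issue.project.issues_enabled }),
    # The rule this MR adds: an explicit Owner membership on a *group* project
    # grants destroy_issue. Personal namespace projects are deliberately left
    # out, matching the MR text (their owner is still surfaced as Maintainer).
    Rule.new(:enable, 'owner_access', ->(user, issue) {
      project = issue.project
      level = user && project.access_level_for(user)
      project.group_project? && !level.nil? && level >= AccessLevel::OWNER
    })
  ].freeze

  def initialize(user, issue)
    @user = user
    @issue = issue
  end

  # DeclarativePolicy-style result: prevented if any prevent rule holds,
  # otherwise enabled only if at least one enable rule holds.
  def allowed?
    prevented = RULES.any? { |r| r.kind == :prevent && r.condition.call(@user, @issue) }
    enabled = RULES.any? { |r| r.kind == :enable && r.condition.call(@user, @issue) }
    !prevented && enabled
  end

  # Trace in the spirit of ip.debug(:destroy_issue): "-" for prevent rules,
  # "+" for enable rules, each with whether its condition held.
  def debug
    RULES.map do |r|
      sign = r.kind == :prevent ? '-' : '+'
      "#{sign} #{r.kind} when #{r.name} => #{r.condition.call(@user, @issue)}"
    end
  end
end

module Ability
  # Only :destroy_issue on an Issue is modelled; anything else is denied.
  def self.allowed?(user, ability, subject)
    return false unless ability == :destroy_issue && subject.is_a?(Issue)

    IssuePolicy.new(user, subject).allowed?
  end
end

# Constructed sample data: one group project with an Owner and a Maintainer,
# and one personal namespace project owned by the same user.
def sample_world
  owner = User.new(9, 'new_owner')
  maintainer = User.new(10, 'maintainer')
  group_members = { owner.id => AccessLevel::OWNER, maintainer.id => AccessLevel::MAINTAINER }
  group_project = Project.new(35, :group, false, true, group_members)
  personal_project = Project.new(36, :user, false, true, { owner.id => AccessLevel::OWNER })
  {
    owner: owner, maintainer: maintainer,
    group_issue: Issue.new(498, group_project),
    personal_issue: Issue.new(499, personal_project)
  }
end

# The four checks a reviewer would run, keyed by scenario.
def verification_results
  w = sample_world
  {
    owner_on_group_project: Ability.allowed?(w[:owner], :destroy_issue, w[:group_issue]),
    maintainer_on_group_project: Ability.allowed?(w[:maintainer], :destroy_issue, w[:group_issue]),
    owner_on_personal_project: Ability.allowed?(w[:owner], :destroy_issue, w[:personal_issue]),
    anonymous_on_group_project: Ability.allowed?(nil, :destroy_issue, w[:group_issue])
  }
end

if __FILE__ == $PROGRAM_NAME
  w = sample_world
  verification_results.each { |scenario, ok| puts "#{scenario}: #{ok}" }
  puts IssuePolicy.new(w[:owner], w[:group_issue]).debug
end
```

Running it prints one line per scenario and then the rule trace; only the Owner on the group project gets `true`, which is exactly the split the manual Level 2 walkthrough is meant to confirm (Maintainer denied, personal namespace project unchanged, anonymous blocked by a prevent rule).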
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Related to #241503 (closed)