
[draft] POC: Add Owner role to Project

What does this MR do and why?

Experiment for adding Owner role to (Group) Projects as well as Groups.

Personal namespace projects are still unaffected and the namespace owner is still shown as Maintainer. We will have to address that at some point. (edit: it's being addressed !80825 (merged))

Membership still needs moving to ProjectNamespace but that is being done in a separate but parallel initiative.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Level 1: make someone else an Owner of a group project

  1. View members page under Project Information under any project under a group (NOT a personal namespace project)

  2. Add an existing user with Owner status via the form (email presumably works too, I didn't try it)

  3. See new member has Owner status, and original owner also is owner!

  4. Notes also include the badge annotation

Level 2 Verify Owner permissions

  1. Create some issue under the project.

  2. As an Admin, visit the user's profile in the Admin view

Owner access shown next to the project 👍

  3. Impersonate them.

  4. See the Delete button, only available to Owners!

  5. In console, you can verify that your User can now do things:
> p = Project.find <ID of the project>
> u = User.find <ID of the new Owner user>
> i = p.issues.last
> Ability.allowed?(u, :delete_issue, i)
#=> true
policy debugger output
[4] pry(main)> ip = IssuePolicy.new(u, i)
=> #<IssuePolicy (@tomasa.hegmann : Issue/498)>
[5] pry(main)> ip.debug(:destroy_issue)
- [0] prevent when all?(anonymous, ~public_project) ((@tomasa.hegmann : Project/35))
- [14] prevent when all?(archived, ~pending_delete) ((@tomasa.hegmann : Project/35))
- [21] prevent when all?(confidential, ~can_read_confidential) ((@tomasa.hegmann : Issue/498))
  ProjectFeature Load (11.5ms)  SELECT "project_features".* FROM "project_features" WHERE "project_features"."project_id" = 35 LIMIT 1 /*application:console,db_config_name:main,line:/home/charlie/.rbenv/gems/2.7.0/gems/marginalia-1.10.0/lib/marginalia/comment.rb:25:in `block in construct_comment'*/
- [28] prevent when issues_disabled ((@tomasa.hegmann : Project/35))
- [28] prevent when all?(~public_project, ~internal_access, ~project_allowed_for_job_token) ((@tomasa.hegmann : Project/35))
+ [58] enable when can?(:owner_access) ((@tomasa.hegmann : Project/35))
=> #<DeclarativePolicy::Runner::State:0x0000558f005d1260
 @called_conditions=
  #<Set: {"/dp/condition/DeclarativePolicy::Base/anonymous/User:9",
   "/dp/condition/ProjectPolicy/archived/Project:35",
   "/dp/condition/IssuePolicy/confidential/Issue:498",
   "/dp/condition/ProjectPolicy/issues_disabled/User:9,Project:35",
   "/dp/condition/ProjectPolicy/public_project/Project:35",
   "/dp/condition/BasePolicy/admin/User:9",
   "/dp/condition/BasePolicy/auditor/User:9",
   "/dp/condition/ProjectPolicy/needs_new_sso_session/User:9,Project:35",
   "/dp/condition/ProjectPolicy/owner/User:9,Project:35",
   "/dp/condition/BasePolicy/visual_review_bot/User:9",
   "/dp/condition/BasePolicy/security_bot/User:9",
   "/dp/condition/BasePolicy/alert_bot/User:9",
   "/dp/condition/BasePolicy/support_bot/User:9",
   "/dp/condition/BasePolicy/external_authorization_enabled",
   "/dp/condition/DeclarativePolicy::Base/default"}>,
 @enabled=true,
 @prevented=false>

Do something now permissible

  1. Delete an issue impersonating that person, which is possible as an Owner but not a Maintainer in a group project

  2. success! issue gone! 🚀

Personal namespace projects unaffected


MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #241503 (closed)

Edited by charlie ablett
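
A simplified model for reading the policy debugger output above, added here as an example; it is not code from this MR, from GitLab, or from the declarative_policy gem. It assumes an ability is granted when at least one enable rule passes and no prevent rule passes; the rule labels are a subset of those in the output, while the lambdas and context keys are hypothetical stand-ins.

```ruby
# Constructed model of prevent/enable rule evaluation for :destroy_issue.
MAINTAINER = 40 # same numeric values as Gitlab::Access
OWNER      = 50

Rule = Struct.new(:action, :label, :condition)

# Labels copied from the debugger output; conditions are stand-ins.
DESTROY_ISSUE_RULES = [
  Rule.new(:prevent, 'all?(anonymous, ~public_project)',
           ->(c) { c[:access].nil? && !c[:public_project] }),
  Rule.new(:prevent, 'all?(archived, ~pending_delete)',
           ->(c) { c[:archived] && !c[:pending_delete] }),
  Rule.new(:prevent, 'issues_disabled',
           ->(c) { c[:issues_disabled] }),
  Rule.new(:enable, 'can?(:owner_access)',
           ->(c) { !c[:access].nil? && c[:access] >= OWNER })
].freeze

# Returns [allowed, trace]. Every rule is evaluated so the trace is complete.
# In this model "+" marks a rule whose condition passed, "-" one that did not.
def evaluate(rules, ctx)
  enabled = false
  prevented = false
  trace = rules.map do |rule|
    passed = rule.condition.call(ctx) ? true : false
    enabled ||= passed if rule.action == :enable
    prevented ||= passed if rule.action == :prevent
    "#{passed ? '+' : '-'} #{rule.action} when #{rule.label}"
  end
  [enabled && !prevented, trace]
end

def can_destroy_issue?(ctx)
  evaluate(DESTROY_ISSUE_RULES, ctx).first
end

if __FILE__ == $PROGRAM_NAME
  base = { public_project: false, archived: false, pending_delete: false,
           issues_disabled: false }
  cases = { 'maintainer' => base.merge(access: MAINTAINER),
            'owner' => base.merge(access: OWNER),
            'owner, archived project' => base.merge(access: OWNER, archived: true) }
  cases.each do |name, ctx|
    allowed, trace = evaluate(DESTROY_ISSUE_RULES, ctx)
    puts "#{name}: #{allowed ? 'allowed' : 'denied'}", trace
  end
end
```

The archived-project case shows why a passing `can?(:owner_access)` line is not enough on its own: any passing prevent rule still denies the ability.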
