Fix shared groups selection for inherited permissions
What does this MR do and why?
Contributes to #350596 (closed)
Problem
We were verifying that the user had access to the shared group. However, it didn't work for cases when user has an indirect access to the shared group.
For example, Group A is a parent of the Shared Group B. We were returning shared group only when user was a member of the Shared group. But not in the case when user was a member of the Group A.
Solution
Additionally verify that the user has an access to the shared group through group inheritance.
Database
SELECT
*
FROM
"namespaces"
INNER JOIN "project_group_links" ON "namespaces"."id" = "project_group_links"."group_id"
WHERE
"namespaces"."type" = 'Group'
AND "project_group_links"."project_id" = 278964
AND (traversal_ids && ARRAY (
SELECT
"members"."source_id"
FROM
"members"
LEFT OUTER JOIN "users" ON "users"."id" = "members"."user_id"
WHERE
"members"."type" = 'GroupMember'
AND "members"."source_type" = 'Namespace'
AND "users"."state" = 'active'
AND "members"."requested_at" IS NULL
AND "members"."invite_token" IS NULL
AND (members.access_level > 5)
AND "members"."user_id" = 1614863)::int[]);
https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/8654/commands/30741
Screenshots or screen recordings
Before | After (Group C is available) |
---|---|
How to set up and validate locally
- Create following structure
graph LR
Group_A-->Group_B;
Group_A-->Group_C;
Group_B-->Project_P;
- Give user Developer permissions to
Group_A
andProject_P
- Share
Group_C
withProject_P
- Create merge request in
Project_P
- Edit merge request
- Edit merge request and click on
Approval rules
- Click
Add approval rule
button - Click on
Add approvers
field -
Group_C
should be available for the selection
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Vasilii Iakliushin