
Draft: POC to Add Project Member Access Checks in E2E Framework for Project Authorization Refreshes

Valerie Burton requested to merge project-auth-check-poc into master

What does this MR do and why?

Due to updates with the way project authorizations will work, there may be a slight delay between when a user is added as a member to a project and when a user actually has the proper access to a project. This can cause flakiness in our tests if, after adding a member, we attempt to continue testing before the Sidekiq job to refresh the authorization has had a chance to finish: !92333 (comment 1033648348)

This POC does the following:

  1. On creation of a project, an issue is created that will be used to check whether project authorization refresh is complete. I decided to choose issues because it is a feature that is available on all tiers and requires minimal setup.
  2. When a user is added as a member to a project (via API for now), they will perform an action on the issue depending on their role to verify they have the proper access before continuing.
    1. If a user is being added as a guest, a request is sent to GET /projects/:id/issues/:issue_iid to verify they can view an issue
    2. If a user is being added as a reporter or above, a request is sent to PUT /projects/:id/issues/:issue_iid to close or reopen an issue, depending on its state
    3. NO_ACCESS and MINIMAL_ACCESS are not considered here, as they are not valid options for adding a project member
  3. This member access check can be controlled by setting an attribute on the project resource called check_member_access. That way, we only need to create the issue & perform these extra steps for tests that add a member to a project, since not all tests do.

This is only a POC for now and only covers adding a project member via API.

Screenshots or screen recordings

These are strongly recommended to assist reviewers and reduce the time to merge your change.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Valerie Burton
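
The member access check from the description above, sketched as an added example (not code from this MR or from GitLab's E2E framework): the probe request is chosen by role, then retried with the new member's credentials until the authorization refresh has landed. The method names, the `client` callable and the fake client are assumptions; the endpoints come from the description, and `state_event` is the GitLab issues API parameter for closing or reopening an issue.

```ruby
# Added example. Method and constant names are hypothetical, not from the MR.
# GitLab access levels (values used by the GitLab members API).
NO_ACCESS = 0
MINIMAL_ACCESS = 5
GUEST = 10
REPORTER = 20

# Pick the probe request for a role: guests can only read the issue,
# reporters and above can change its state.
def access_probe(project_id, issue_iid, access_level, issue_state)
  if [NO_ACCESS, MINIMAL_ACCESS].include?(access_level)
    raise ArgumentError, "access level #{access_level} is not valid for a project member"
  end

  path = "/projects/#{project_id}/issues/#{issue_iid}"
  return [:get, path, nil] if access_level < REPORTER

  event = issue_state == 'opened' ? 'close' : 'reopen'
  [:put, path, { state_event: event }]
end

# Poll until the new member's own token is accepted. `client` is an assumed
# callable taking (method, path, body) and returning the HTTP status code.
# Returns the number of attempts used, or nil if access never materialised.
def wait_for_member_access(client, project_id, issue_iid, access_level,
                           issue_state: 'opened', attempts: 10, delay: 1)
  method, path, body = access_probe(project_id, issue_iid, access_level, issue_state)
  attempts.times do |i|
    return i + 1 if client.call(method, path, body) == 200
    sleep(delay)
  end
  nil
end

# Constructed stand-in for the API: denies until the refresh job "finishes".
def fake_client(denials, denied_status)
  calls = 0
  ->(_method, _path, _body) { (calls += 1) > denials ? 200 : denied_status }
end
```

Returning `nil` after a bounded number of attempts lets a test fail with a clear "authorization never refreshed" result rather than hanging or surfacing later as an unrelated permission error.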
