Enable `:download_code` on project for custom roles
What does this MR do and why?
- Adds policy check on a project so that a user with a custom role based on the
GUEST
role can download code if that custom role allows it. - This is gated on the
customizable_roles
feature flag being turned on for now because we want to evaluate performance before making it generally available - The custom role check applies to a custom role anywhere within the project hierarchy. If any custom roles for that user enable
download_code
, then they can download code unless another policy check explicitly prevents that. - This is an additive-only approach. Meaning that
download_code: false
does not take away the ability for a guest user to download code on a public repository. Butdownload_code: true
enables this ability for guest users on a private repository, who by default cannot download code. - These custom roles can be defined via the API endpoints created here: !96996 (merged)
- Issue: #370088 (closed)
Screenshots or screen recordings
Screen recording of this working: https://www.youtube.com/watch?v=i4wLmgTBjZs (internal only)
How to set up and validate locally
Numbered steps to set up and validate the change are strongly suggested.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Jessie Young