# Implement backend for a read-only "Auditor" user

## Tasks

- PoC
  - Write a PoC
  - Write a small post describing the implementation strategy
  - Get strategy vetted
- Backend
  - Auditor should be able to access all projects / groups
  - Restrictions
    - Cannot commit
    - Cannot access admin area
    - Can read issues / MRs
    - Cannot create / comment on issues / MRs
    - Can read all files in the repository
    - Cannot create/modify files from the Web UI
    - Cannot merge a merge request
    - Cannot fork a project
    - Cannot create a project
    - Cannot access project settings
    - Cannot create project snippets
    - Can read project snippets
    - Cannot access group settings
    - Can access projects that are:
      - Private
      - Public
      - Internal
  - Verify that no accessible pages are breaking
  - Does the migration need downtime?
  - Auditor's dashboard should display all projects
  - External users?
  - Read-only API access
  - Do we need to add an auditor check anywhere else? Finders?
- Tests
  - Added
    - Policies
    - Finders
    - "user cannot be auditor and admin"
    - User cannot access admin area
    - User cannot access project settings
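The restrictions list above and the "user cannot be auditor and admin" test, worked through as an added example. This is hypothetical code written for this page, not GitLab's own policy or finder implementation: the `User`, `Project` and `Policy` classes, the ability symbols and the `dashboard_projects` / `write_leaks` helpers are all assumptions. The point it shows is deny-by-default for the auditor: the role is granted an explicit read set and nothing else, so every write ability is excluded without being listed one by one, and the admin/auditor invariant is enforced where the user is built rather than in each policy check.

```ruby
# Added example: a read-only "auditor" role as a deny-by-default policy.
# Hypothetical code, not GitLab's Policy/Finder implementation; all names
# (User, Project, Policy, ability symbols) are assumptions for illustration.

class InvalidUserError < StandardError; end

User = Struct.new(:name, :admin, :auditor, :member_of, keyword_init: true) do
  def admin?;   admin;   end
  def auditor?; auditor; end
  def member_of?(project); member_of.include?(project.name); end
end

# visibility is one of :private, :internal, :public
Project = Struct.new(:name, :visibility, keyword_init: true)

# Invariant from the checklist: a user cannot be auditor and admin.
def validate_user!(user)
  raise InvalidUserError, 'user cannot be auditor and admin' if user.admin? && user.auditor?
  user
end

# Read abilities an auditor gets on every project, whatever its visibility.
AUDITOR_READ = %i[read_project read_issue read_merge_request read_code read_project_snippet].freeze

# Write abilities mirroring the restrictions list; an auditor never gets these.
WRITE = %i[push_code create_issue create_note accept_merge_request
           create_file fork_project admin_project create_project_snippet].freeze

# Abilities that are not tied to a particular project.
GLOBAL = %i[access_admin_area create_project create_group].freeze

class Policy
  def initialize(user)
    @user = user
  end

  def allowed_globally?(ability)
    raise ArgumentError, "unknown ability #{ability}" unless GLOBAL.include?(ability)
    return true if @user.admin?
    return false if @user.auditor?      # no admin area, no project or group creation
    ability != :access_admin_area       # ordinary users may create projects and groups
  end

  def allowed?(ability, project)
    unless AUDITOR_READ.include?(ability) || WRITE.include?(ability)
      raise ArgumentError, "unknown ability #{ability}"
    end
    return true if @user.admin?
    # Auditor: deny by default, only the explicit read set is granted.
    return AUDITOR_READ.include?(ability) if @user.auditor?
    # Ordinary users: reads follow visibility, writes require membership.
    if AUDITOR_READ.include?(ability)
      project.visibility != :private || @user.member_of?(project)
    else
      @user.member_of?(project)
    end
  end
end

# Dashboard finder: auditors see every project, others only what they can read.
def dashboard_projects(user, projects)
  policy = Policy.new(user)
  projects.select { |p| policy.allowed?(:read_project, p) }
end

# Regression check for "any write operation is excluded": returns the write
# abilities the user is granted on the project (expected empty for an auditor).
def write_leaks(user, project)
  policy = Policy.new(user)
  WRITE.select { |ability| policy.allowed?(ability, project) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  projects = [Project.new(name: 'secret', visibility: :private),
              Project.new(name: 'team', visibility: :internal),
              Project.new(name: 'site', visibility: :public)]
  auditor = validate_user!(User.new(name: 'aud', admin: false, auditor: true, member_of: []))
  puts dashboard_projects(auditor, projects).map(&:name).inspect   # all three projects
  puts write_leaks(auditor, projects.first).inspect                  # []
end
```

The `write_leaks` helper is the shape of spec the review asks for in `group_policy_spec`: instead of asserting on a handful of write abilities, iterate the whole write set and expect none of them to be allowed, so a newly added ability cannot slip through to the auditor unnoticed.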
  - Passing
- Refactoring
- Meta
  - CHANGELOG entry created
  - Documentation created/updated
  - API support added
  - Branch has no merge conflicts with master
  - Squashed related commits together
  - Check for clean merge with EE
  - Added screenshots
- Final sanity check
  - Merge requests
  - Issues
  - Project snippets
  - Snippets
  - Groups
  - Milestones (group/project)
  - Labels (group/project)
  - Pipelines
  - Repository
- Review
  - Miniboss (@jameslopez)
    - Group creation should be blocked
    - Extract an `admin_or_auditor` method
    - `create(:admin)` instead of `create(:user, :admin)`
    - "group each logical step and separate the assigning part from the expectation" (snippets_finder_spec)
    - add more expectations here to make sure any write operation is excluded (group_policy_spec)
    - write a description to it (namespace_policy_spec)
    - make `let(:owner_permissions)` shorter (namespace_policy_spec)
    - use `%i` here, to save some colons and commas (project_policy_spec)
    - Improve group_projects_finder_spec
  - Endboss (@DouweM)
    - `add_column_with_default` needs a `down` block
    - View conditional tweak
    - Change doc version to 8.17 (typo)
    - Add auditor specs to spec/features/security
    - Retest migration
    - Make sure UI works okay after refactoring
    - Make sure CE backport branch merges cleanly (or no conflicts are from this feature) with EE MR branch
- UI
  - User cannot be admin and auditor
  - Cleanup
    - Group show page shouldn't show the "New Project" button
- Wait for merge

Closes #1439