Support private groups in merge request approval rules
A bug occurs when a project allows rule override, has a project rule set up, and only a private group is added as approver. When an MR is created by a user who cannot see the private group, the project default approvers are missing and the MR is treated as approved. This happens because we hide private groups from the user, which causes them to be missing from the form submission.
- Private groups are always hidden from users who are not privileged to see them.
- Private groups can be added to approval rules by users who can see them.
- Private groups can be removed by any user, but the information regarding the group is hidden from unprivileged users (it looks like a regular group to privileged users).
Note: Adding a private group to an approval rule could expose the fact that a certain list of members are related, but the id of the group will be hidden.
folder-o icon is using $grey-500 and the question-o icon is using
During merge request create / edit, if the BE detects that a rule has groups that are private to the current user, the BE will pass along a flag (e.g. rule.contains_hidden_groups). Users can then work with the rules normally, adding / removing groups and users that are visible to them.
When the contains_hidden_groups flag is true, the UI will show a "Hidden" group in the rule edit (note that if two private groups are added, there is only one "Hidden" group shown). The user can delete this "Hidden" group, which, when submitted, will send to the BE a flag
In the BE, when a rule is submitted or updated and the remove_hidden_groups flag is not present, then the private groups need to be concatenated to the new member submission.
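The submit-side handling described above, as an added sketch that is not GitLab's own code: only the contains_hidden_groups and remove_hidden_groups flags come from this issue, while the Group struct, the helper names and the sample ids are constructed for illustration. It also enforces the rule that a private group can only be added by a user who can see it.

```ruby
require 'set'

# Constructed model: a private group is visible only to its members.
Group = Struct.new(:id, :is_private, :member_ids) do
  def visible_to?(user_id)
    !is_private || member_ids.include?(user_id)
  end
end

# Constructed sample data: user 1 is a member of private group 7, user 2 is not.
ALL_GROUPS  = [Group.new(3, false, []), Group.new(7, true, [1])].freeze
RULE_GROUPS = [ALL_GROUPS[1]].freeze # project rule with only the private group

# What the BE hands to the MR form: visible groups plus the flag.
def rule_for_form(rule_groups, user_id)
  visible = rule_groups.select { |g| g.visible_to?(user_id) }
  { group_ids: visible.map(&:id),
    contains_hidden_groups: visible.size < rule_groups.size }
end

# Group ids to store when the form comes back (hypothetical helper).
def resolve_group_ids(rule_groups, user_id, submitted_ids, remove_hidden_groups: false)
  # Accept only ids the submitter can see, so a private group cannot be
  # added by someone who is not allowed to see it.
  visible_ids = ALL_GROUPS.select { |g| g.visible_to?(user_id) }.map(&:id).to_set
  accepted = submitted_ids.select { |id| visible_ids.include?(id) }.uniq
  return accepted if remove_hidden_groups

  # Flag absent: re-attach the groups the form could not show.
  hidden = rule_groups.reject { |g| g.visible_to?(user_id) }.map(&:id)
  (accepted + hidden).uniq
end

# MR author (user 2) submits the form untouched: the private group survives.
p resolve_group_ids(RULE_GROUPS, 2, [])
# Same author deletes the "Hidden" entry and adds public group 3.
p resolve_group_ids(RULE_GROUPS, 2, [3], remove_hidden_groups: true)
```

Without the re-attach step, the first call would store an empty approver list, which is the state in which the MR is treated as approved.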