Preventing blocked users and their PipelineSchdules from creating new Pipelines
What does this MR do?
This MR fixes #47756 (closed) by creating a rule to prevent :create_pipeline
for blocked users who still have a project authorization. Currently any active PipelineSchedule still creates a pipeline on their behalf. This update doesn't directly implement a notification to inform the other group users of the Pipeline-create failure, but implements the same type of failure as if as the ProjectAuthorization had been removed. Notifications for schedule Pipeline-create failures are an open issue (#54618 (moved)), so I propose keeping the scope of this MR narrow and prioritizing the notification issue to write a more general solution.
I'm also adding handful of specs in different places to assert the behavior that we're expecting around the failure in the specific case of a blocked user.
EE MR: https://gitlab.com/gitlab-org/gitlab-ee/merge_requests/13961
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation created/updated or follow-up review issue created -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Performance and testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team