# PoC: Role-Based Access Control for GitLab Pages
This enhancement introduces role-based access control for GitLab Pages within private projects. It consists of two key components: updates to GitLab project custom role permissions and modifications to GitLab Pages authorisation.
## GitLab Project Changes

### API Enhancements

- Modify `/api/v4/projects/[PROJECT_ID]/pages_access` to return the role assigned to a user for the project (e.g., Guest, Maintainer).
- This ensures a standardised way to determine user permissions without requiring additional role definitions.
## GitLab Pages Changes

### 1. Introducing the `_access` File

- A new `_access` file will define access rules for specific paths within a project.
- The file format will follow GitLab's codeowners syntax for consistency.
- This structure maps paths to roles, ensuring pages remain public by default unless explicitly protected.

Example `_access` file:

```
/blog/* @reporter
/dashboard/* @developer
/editor/* @maintainer @owner
```

- Roles correspond to existing GitLab project roles, including custom roles.
- Paths without a specified rule remain accessible by default.
### 2. Authorisation Middleware Updates

- Modify `AuthorizationMiddleware` to:
  - Fetch the user's maximum role from the `pages_access` API.
  - Read the `_access` file and determine if the user's role is sufficient for the requested path.
  - Serve content only if access is permitted.
- If `_access` is missing, default to the current behaviour.
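An added example (not code from the GitLab Pages project or from this proposal) of the check the middleware would perform, written in Go because GitLab Pages is a Go service: it parses a constructed `_access` file in the codeowners form shown above, matches the cleaned request path against the rules, and compares the role reported by `pages_access` with the roles a rule lists. The names `parseAccess`, `allowed` and `roleRank`, the role ordering, and the rule semantics noted in the comments (subtree match for `/dir/*`, last rule wins, custom roles by exact name) are assumptions of this example.

```go
package main

import (
	"errors"
	"path"
	"strings"
)

// Constructed sample _access file holding the three rules from the description above.
const sampleAccess = "# protected sections\n/blog/* @reporter\n/dashboard/* @developer\n/editor/* @maintainer @owner\n"
// Built-in GitLab role order; assumption: a higher role satisfies a lower requirement.
var roleRank = map[string]int{"guest": 10, "reporter": 20, "developer": 30, "maintainer": 40, "owner": 50}
type rule struct{ pattern string; roles []string } // one codeowners-style line, roles still carry '@'

// parseAccess rejects a malformed line so the middleware can fail closed instead of serving.
func parseAccess(content string) ([]rule, error) {
	var rules []rule
	for _, line := range strings.Split(content, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 || strings.HasPrefix(f[0], "#") {
			continue // blank or comment line
		}
		if len(f) < 2 || !strings.HasPrefix(f[1], "@") {
			return nil, errors.New("malformed _access rule: " + line)
		}
		rules = append(rules, rule{pattern: f[0], roles: f[1:]})
	}
	return rules, nil
}

// allowed decides whether userRole (the maximum role from pages_access) may fetch reqPath.
// Assumptions: "/dir/*" covers the whole subtree, other patterns must match exactly, a custom
// role matches only by exact name, and a path no rule covers stays public.
func allowed(rules []rule, userRole, reqPath string) bool {
	reqPath = path.Clean("/" + reqPath) // "/blog/../dashboard/x" is judged as /dashboard/x
	userRole = strings.ToLower(userRole)
	for i := len(rules) - 1; i >= 0; i-- { // last matching rule wins, as in codeowners
		r := rules[i]
		subtree := strings.HasSuffix(r.pattern, "/*") && strings.HasPrefix(reqPath, strings.TrimSuffix(r.pattern, "*"))
		if r.pattern != reqPath && !subtree {
			continue
		}
		for _, raw := range r.roles {
			want := strings.ToLower(strings.TrimPrefix(raw, "@"))
			if want == userRole || (roleRank[want] > 0 && roleRank[userRole] >= roleRank[want]) {
				return true
			}
		}
		return false // matched a rule but no listed role is satisfied
	}
	return true
}
```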
## Key Benefits of This Approach
Edited by Naman Jagdish Gala