Support private groups in merge request approval rules
Description
A bug occurs when a project allows rule override, has a project rule set up, and only a private group is added as approver. When an MR is created by a user who cannot see the private group, the project default approvers are missing and the MR is treated as approved. This is because we hide private groups from the user, which causes them to be missing from the form submission.
Objective
- Private groups are always hidden from users who are not privileged to see them.
- Private groups can be added to approval rules by users who can see them.
- Private groups can be removed by any user, but the information regarding the group is hidden from unprivileged users (it looks like a regular group to privileged users).
Note: Adding a private group to an approval rule could expose the fact that a certain list of members are related, but the name and `id` of the group will be hidden.
Proposal
The `folder-o` icon is using `$grey-500` and the `question-o` icon is using `$grey-700`.
During merge request create / edit, if the BE detects that a rule has groups that are private to the current user, the BE will pass along a flag (e.g. `rule.contains_hidden_groups`). Users can then work with the rules normally, adding / removing groups and users that are visible to them.
If the `contains_hidden_groups` flag is true, the UI will show a "Hidden" group in the rule edit (note that if two private groups are added, there is only one "Hidden" group shown). The user can delete this "Hidden" group, which when submitted will send to the BE a flag `remove_hidden_groups`.
In the BE, when a rule is submitted or updated and the `remove_hidden_groups` flag is not present, the private groups need to be concatenated to the new member submission.
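The proposed flow end to end, as an added example in plain Ruby that is not GitLab's code: the buggy merge that drops the private group beside the proposed merge that carries hidden groups through unless `remove_hidden_groups` is sent. Group ids, the Set-based helpers and their names are assumptions.

```ruby
# Added example (not GitLab's code): models the proposed handling of private
# approver groups with plain Ruby Sets. Group ids and method names are hypothetical.
require 'set'

# Proposed `contains_hidden_groups` flag: true when the rule has approver groups
# the current user is not allowed to see.
def contains_hidden_groups?(rule_group_ids, visible_group_ids)
  !(rule_group_ids.to_set - visible_group_ids.to_set).empty?
end

# Behaviour described in the bug: the form only echoes back groups the user
# could see, so a private group silently disappears and the rule ends up with
# no approvers at all.
def buggy_update(rule_group_ids, visible_group_ids, submitted_group_ids)
  (submitted_group_ids.to_set & visible_group_ids.to_set).to_a.sort
end

# Proposed behaviour: without `remove_hidden_groups`, the groups hidden from the
# user are concatenated back onto the new member list. Submitted groups are
# restricted to those the user can see, so an unprivileged user cannot add a
# private group by submitting its id.
def update_rule_groups(rule_group_ids, visible_group_ids, submitted_group_ids, remove_hidden_groups: false)
  hidden = rule_group_ids.to_set - visible_group_ids.to_set
  kept = submitted_group_ids.to_set & visible_group_ids.to_set
  kept |= hidden unless remove_hidden_groups
  kept.to_a.sort
end

# Constructed scenario: the rule's only approver is private group 42;
# the MR author can see groups 1 and 7.
RULE_GROUPS = [42].freeze
VISIBLE_TO_AUTHOR = [1, 7].freeze

if __FILE__ == $PROGRAM_NAME
  p contains_hidden_groups?(RULE_GROUPS, VISIBLE_TO_AUTHOR)      # true: UI shows one "Hidden" entry
  p buggy_update(RULE_GROUPS, VISIBLE_TO_AUTHOR, [])             # []: no approvers, MR looks approved
  p update_rule_groups(RULE_GROUPS, VISIBLE_TO_AUTHOR, [7])      # [7, 42]: hidden group preserved
  p update_rule_groups(RULE_GROUPS, VISIBLE_TO_AUTHOR, [7], remove_hidden_groups: true) # [7]
  p update_rule_groups(RULE_GROUPS, VISIBLE_TO_AUTHOR, [7, 99])  # [7, 42]: 99 is not visible, dropped
end
```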