@metions should only suggest groups that are members of the current project
Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.
When mentioning groups in comments/merge requests etc with @... it should only show groups that are members of the current project.
I believe admins can @ mention all users or groups no matter if they are in the project or not. Not really sure why, but that's cool. As a user they can't @ mention users not members of the current proejct, however they can @ mention groups they are part of that aren't members of the current project.
Is that expected behavior?
In our GitLab use case we have different projects for different clients. This could lead to some users @ mentioning a group that isn't part of the project. I haven't tested if the notifications get sent. Either could either lead to data leaks or it could just be bad UX?
Tested on GL 8.10
Proposal
If the group/project is private, and you mention a group that is not a member, the members of that group do not receive a notification of the mention. For that reason, if a group/project is private, they should not see outside groups in the dropdown for mentions.
- Private group/project -> Only able to mention members and shared groups
- Public project but private issues/repo -> Only able to mention members and shared groups
- Public group/project -> Able to mention outside groups, members, and shared groups