Periodically clean up invalid project and namespace visibilities
In Project#visibility_level_allowed_by_group?, we prevent a project having a higher visibility level than its group.
In Group#visibility_level_allowed_by_{parent,projects,sub_groups}?, we prevent subgroups having higher visibility levels than their parents.
However, we do have some projects in this state. I found some in gitlab-com/gl-infra/scalability#233 (comment 318452872), and here's a simple query to show a minimal case: projects that are public on GitLab.com, inside immediate parent groups that are private.
gitlabhq_production=> SELECT date_trunc('year', projects.created_at) AS year, COUNT(*) FROM projects INNER JOIN namespaces ON projects.namespace_id = namespaces.id WHERE projects.visibility_level = 20 AND namespaces.visibility_level != 20 GROUP BY year ORDER BY year DESC;
year | count
------------------------+-------
2020-01-01 00:00:00+00 | 4
2019-01-01 00:00:00+00 | 19
2018-01-01 00:00:00+00 | 31
2017-01-01 00:00:00+00 | 161
2016-01-01 00:00:00+00 | 1
2015-01-01 00:00:00+00 | 1
(6 rows)
This should be fixable automatically with something like GitLab Doctor (&2819) - we can just mark anything inside a private group as private. This is safe and although there might be very rare cases where it's surprising, I think it's more likely that those projects being publicly-visible now is surprising.
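The check behind such a cleanup, as an added sketch that is not GitLab's own code: it goes beyond the immediate-parent query above by walking the whole ancestor chain, so a public project in a public subgroup of a private group is also caught, and it lowers each project to the most restrictive ancestor level rather than only to private. The two-table schema is a simplified, constructed stand-in run in SQLite, and the function names are hypothetical.

```python
import sqlite3

# Simplified, constructed stand-in for the namespaces/projects tables; only
# the columns the check needs. Levels: 0 private, 10 internal, 20 public.
SCHEMA = """
CREATE TABLE namespaces (id INTEGER PRIMARY KEY, parent_id INTEGER, visibility_level INTEGER);
CREATE TABLE projects (id INTEGER PRIMARY KEY, namespace_id INTEGER, visibility_level INTEGER);
"""

# Walk each group tree top-down, carrying the lowest visibility seen so far
# ("cap"). Two-argument MIN is SQLite's scalar form; PostgreSQL uses LEAST.
CAPS = """
WITH RECURSIVE caps(id, cap) AS (
    SELECT id, visibility_level FROM namespaces WHERE parent_id IS NULL
    UNION ALL
    SELECT n.id, MIN(n.visibility_level, c.cap)
    FROM namespaces n JOIN caps c ON n.parent_id = c.id
)
"""

def invalid_projects(db):
    """Return (project_id, current_level, allowed_level) for each violation."""
    return db.execute(CAPS + """
        SELECT p.id, p.visibility_level, c.cap
        FROM projects p JOIN caps c ON c.id = p.namespace_id
        WHERE p.visibility_level > c.cap ORDER BY p.id""").fetchall()

def clamp_projects(db):
    """Lower each invalid project to its effective cap; return rows changed."""
    rows = invalid_projects(db)
    db.executemany("UPDATE projects SET visibility_level = ? WHERE id = ?",
                   [(cap, pid) for pid, _, cap in rows])
    return len(rows)

def sample_db():
    """Constructed data: private root (1) > public subgroup (2); public root (3) > internal subgroup (4)."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO namespaces VALUES (?,?,?)",
                   [(1, None, 0), (2, 1, 20), (3, None, 20), (4, 3, 10)])
    db.executemany("INSERT INTO projects VALUES (?,?,?)",
                   [(10, 1, 20), (11, 2, 20), (12, 3, 20), (13, 4, 20), (14, 4, 10)])
    return db
```

In the sample data, project 11 sits in a public subgroup of a private group, so a join against the immediate parent alone would not report it.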