Inconsistency in group/project member access to parent group
Currently, project members have implicit direct membership in the parent group. They can access it and have limited permissions.
The behaviour for group members is different: we don't grant access to the parent group.
There are other edge cases of this inconsistency caused by how it is implemented. E.g. user Bob has access to Group_Board in the following scenario:
graph
Group --> Subgroup
Subgroup --> Project
Group --> Group_Board
User:Bob -->|Developer| Subgroup
However, Bob does not have access to Group_Board when Subgroup has no projects:
graph
Group --> Subgroup
Group --> Group_Board
User:Bob -->|Developer| Subgroup
Because of group / project consolidation, we need to resolve this difference one way or the other. Either we grant access to parent groups for direct group members (which might have security implications), or we stop granting it for project members. Both might confuse some users, and this is likely going to be a breaking change.
This is discussed already in a few issues: #214755 (closed), #36658 (closed)
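The two scenarios above can be reproduced with a small model, added here as an example and not taken from GitLab's code base. It assumes that membership is inherited downwards, that access to Group_Board follows access to Group, and that "current" behaviour means only projects grant implicit access to the groups above them; the class, function and policy names are hypothetical.

```python
class Hierarchy:
    """Toy model of groups, projects and memberships (constructed, not GitLab code)."""

    def __init__(self):
        self.parent = {}       # group or project -> parent group (None at top level)
        self.projects = set()
        self.members = set()   # (user, group) direct group memberships

    def add(self, name, parent=None, project=False):
        self.parent[name] = parent
        if project:
            self.projects.add(name)

    def ancestors(self, node):
        node = self.parent[node]
        while node is not None:
            yield node
            node = self.parent[node]

    def is_member(self, user, node):
        # Assumption: membership is inherited downwards from any ancestor group.
        return any((user, n) in self.members for n in [node, *self.ancestors(node)])

    def can_access_group(self, user, group, policy="current"):
        if self.is_member(user, group):
            return True
        if policy == "no_implicit":      # option: stop granting it for project members
            return False
        # "current": only projects grant implicit access to groups above them.
        # "grant_all": descendant groups grant it as well (the other option).
        sources = self.projects if policy == "current" else self.parent
        return any(group in self.ancestors(n) and self.is_member(user, n)
                   for n in sources)


def bob_sees_group_board(with_project, policy="current"):
    """Build the issue's scenario; Group_Board is readable by whoever can access Group."""
    h = Hierarchy()
    h.add("Group")
    h.add("Subgroup", parent="Group")
    if with_project:
        h.add("Project", parent="Subgroup", project=True)
    h.members.add(("Bob", "Subgroup"))   # Developer; role level is not modeled
    return h.can_access_group("Bob", "Group", policy)


if __name__ == "__main__":
    for policy in ("current", "grant_all", "no_implicit"):
        print(policy, bob_sees_group_board(True, policy), bob_sees_group_board(False, policy))
```

Under the "current" policy the result depends on whether Subgroup contains a project; under either alternative the two scenarios give the same answer.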