Adding parent group to protected environments, tags, branches results in error
Summary
In order to resolve this issue, we recently merged the following merge request which includes "related groups" in access dropdowns for protected environments, tags, and branches.
After this change, parent groups are considered "related groups" and are selectable by default in the access dropdowns for protected environments, tags, and branches. However, in order to add a group to a protected environment, tag, or branch, the following must apply:
- The user configuring the protected environment/tag/branch must be a direct member of the group or subgroup to be added.
- You can only select groups that are already invited to the project.
This becomes a problem because it is currently not possible to invite a parent group to a project. For example, let's say you have the following group/project structure:
top-level group > subgroup-a > project-a
In this case, project-a cannot invite subgroup-a or top-level group. However, you can invite top-level group > subgroup-a > subgroup-b.
Typically, a group would not be listed in the access dropdown unless it satisfies both of the above requirements. However, this recent change now lists parent groups by default, which are unable to satisfy both requirements. When adding a parent group to a protected environment, tag, or branch, the group will be invalid, resulting in the following errors:
Protected Environment:
- UI: Failed to protect the environment
- Browser Console: {"message":["Deploy access levels is too short (minimum is 1 character)"]}
Protected Tag:
- Upon Tag creation: You are not allowed to create this tag as it is protected.
Protected Branch:
- Upon Commit: You can't push to the main branch. Do you want to commit your changes to a new branch?
Steps to reproduce
Protected Environment:
1. Create the following groups/projects:
   top-level group > subgroup-a > project-a
2. Ensure that you have direct access to top-level group and subgroup-a.
3. Attempt to invite top-level group and/or subgroup-a to project-a.
4. Confirm that parent groups (top-level group / subgroup-a) cannot be invited to the project.
5. Attempt to protect an environment.
6. Add either top-level group or subgroup-a under Allowed to deploy and/or Approvers.
7. Click Protect.
8. Observe errors noted above.
Protected Tag:
1. Repeat steps 1-4 from Protected Environment.
2. Create a protected tag with either top-level group or subgroup-a added to Allowed to create.
3. Create a new tag matching your protected tag settings.
4. Observe errors noted above.
Protected Branch:
1. Repeat steps 1-4 from Protected Environment.
2. Create a protected branch with either top-level group or subgroup-a added to Allowed to merge and Allowed to push and merge.
3. Attempt to Push/Merge to the protected branch.
4. Observe error noted above.
What is the current bug behavior?
Adding a parent group considered a "related group" to a protected environment, tag, or branch results in error.
What is the expected correct behavior?
Parent groups either should not be listed as "related groups" unless they can be invited to the project.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
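The two requirements from the summary, modelled as an added example (not GitLab source code): each "related group" offered in the dropdown is classified by whether it could ever be a valid entry for the project. The function names, reason symbols, slug-style paths and the subgroup-c group are assumptions made for this illustration.

```ruby
# Added illustration, not GitLab code. All names here are hypothetical.

# Parent groups of a project, derived from its full path:
# "top-level-group/subgroup-a/project-a"
#   -> ["top-level-group", "top-level-group/subgroup-a"]
def ancestor_paths(project_path)
  parts = project_path.split("/")[0...-1]
  parts.each_index.map { |i| parts[0..i].join("/") }
end

# Classify every group the dropdown would list.
# A group is usable only if it is invited to the project AND the
# configuring user is a direct member of it. A parent group cannot be
# invited at all, so it can never satisfy the first requirement.
def dropdown_check(project_path:, related:, invited:, direct_member_of:)
  ancestors = ancestor_paths(project_path)
  related.to_h do |path|
    reason =
      if ancestors.include?(path) then :parent_group_cannot_be_invited
      elsif !invited.include?(path) then :not_invited_to_project
      elsif !direct_member_of.include?(path) then :user_not_direct_member
      else :ok
      end
    [path, reason]
  end
end

# Constructed sample data following the structure in this issue.
SAMPLE = dropdown_check(
  project_path: "top-level-group/subgroup-a/project-a",
  related: [
    "top-level-group",
    "top-level-group/subgroup-a",
    "top-level-group/subgroup-a/subgroup-b",
    "top-level-group/subgroup-c" # constructed: exists but not invited
  ],
  invited: ["top-level-group/subgroup-a/subgroup-b"],
  direct_member_of: [
    "top-level-group",
    "top-level-group/subgroup-a",
    "top-level-group/subgroup-a/subgroup-b"
  ]
)

SAMPLE.each { |path, reason| puts "#{path}: #{reason}" }
```

Only entries classified as :ok could be saved as access levels without producing the errors listed above.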