Docs feedback: Permissions table is potentially outdated
https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions
Through trial-and-error I discovered that the List group deploy tokens permission actually requires Owner role, and Maintainer is insufficient.
It might have been that the required permissions were changed at some point? Currently in the UI front-end code, we have this:
- if can?(current_user, :admin_group, @group)
- deploy_token_description = s_('DeployTokens|Group deploy tokens allow access to the packages, repositories, and registry images within the group.')
= render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
= render "default_branch", group: @groupthe :admin_group permission seems to be a group policy for Owner:
rule { owner }.policy do
enable :admin_groupAnd testing this on a 16.8 instance with Rails:
Testing Ability.allowed? for my test user bob in my test project @testing/subgroup-memberships/appdev/billing on my test VM:
------------------------------------------------------------[ booted in 79.96s ]
Loading production environment (Rails 7.0.8)
irb(main):001:0> bob = User.find(4)
=> #<User id:4 @bob>
irb(main):002:0> action = :admin_group
=> :admin_group
irb(main):003:0> group = Group.find(31)
=> #<Group id:31 @testing/subgroup-memberships/appdev/billing>
irb(main):004:0> Ability.allowed?(bob, action, group)
=> falseSet the Group Max role, and Bob's role in the group, to Owner:
irb(main):005:0> Ability.allowed?(bob, action, group)
=> trueSet Bob's role back to Maintainer (Group still Owner)
irb(main):006:0> Ability.allowed?(bob, action, group)
=> falseAdd the user as a direct member, with Owner
irb(main):007:0> Ability.allowed?(bob, action, group)
=> true
irb(main):008:0>This specific problem with the deploy token permissions can be addressed by updating the documentation to reflect the current behavior. I wonder though if this table could instead be generated automatically in some way?