Docs feedback: Permissions table is potentially outdated
https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions
Through trial-and-error I discovered that the List group deploy tokens permission actually requires Owner role, and Maintainer is insufficient.
It might have been that the required permissions were changed at some point? Currently in the UI front-end code, we have this:
- if can?(current_user, :admin_group, @group)
  - deploy_token_description = s_('DeployTokens|Group deploy tokens allow access to the packages, repositories, and registry images within the group.')
  = render "shared/deploy_tokens/index", group_or_project: @group, description: deploy_token_description
= render "default_branch", group: @group
The :admin_group permission seems to be a group policy for Owner:
rule { owner }.policy do
  enable :admin_group
And testing this on a 16.8 instance with Rails:
Testing Ability.allowed? for my test user bob in my test project @testing/subgroup-memberships/appdev/billing on my test VM:
------------------------------------------------------------[ booted in 79.96s ]
Loading production environment (Rails 7.0.8)
irb(main):001:0> bob = User.find(4)
=> #<User id:4 @bob>
irb(main):002:0> action = :admin_group
=> :admin_group
irb(main):003:0> group = Group.find(31)
=> #<Group id:31 @testing/subgroup-memberships/appdev/billing>
irb(main):004:0> Ability.allowed?(bob, action, group)
=> false
Set the Group Max role, and Bob's role in the group, to Owner:
irb(main):005:0> Ability.allowed?(bob, action, group)
=> true
Set Bob's role back to Maintainer (Group still Owner)
irb(main):006:0> Ability.allowed?(bob, action, group)
=> false
Add the user as a direct member, with Owner
irb(main):007:0> Ability.allowed?(bob, action, group)
=> true
irb(main):008:0>
This specific problem with the deploy token permissions can be addressed by updating the documentation to reflect the current behavior. I wonder though if this table could instead be generated automatically in some way?
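
Added example (not part of the original issue, and not GitLab's policy code or docs tooling): a Ruby illustration of rebuilding the permissions table from the rules and flagging rows where the documented minimum role differs from the enforced one. `POLICY`, `DOCUMENTED` and all helper names are constructed; only the owner / `:admin_group` rule comes from the snippet quoted above, and the documented Maintainer value is assumed from the issue's description.

```ruby
# Added example: constructed data, not GitLab's policy code or docs tooling.
ROLES = %i[guest reporter developer maintainer owner].freeze

# Constructed stand-in for policy rules: role => abilities enabled at that role.
# Only owner => :admin_group mirrors the rule quoted in the issue.
POLICY = {
  developer: %i[example_read], # hypothetical ability
  owner: %i[admin_group]
}.freeze

# Constructed stand-in for the docs table. The Maintainer value for the deploy
# token row is an assumption based on the issue's description.
DOCUMENTED = {
  "List group deploy tokens" => { ability: :admin_group, role: :maintainer },
  "Example read action" => { ability: :example_read, role: :developer },
  "Example unmapped action" => { ability: :example_missing, role: :reporter }
}.freeze

# A role holds every ability enabled at its own level or any lower level.
def allowed?(role, ability)
  rank = ROLES.index(role) or raise ArgumentError, "unknown role: #{role}"
  ROLES[0..rank].any? { |r| POLICY.fetch(r, []).include?(ability) }
end

# Lowest role that passes the check, or nil when no rule enables the ability.
def minimum_role(ability)
  ROLES.find { |role| allowed?(role, ability) }
end

# Rows whose documented minimum role differs from the enforced one.
def drift
  DOCUMENTED.filter_map do |action, row|
    enforced = minimum_role(row[:ability])
    next if enforced == row[:role]
    { action: action, documented: row[:role], enforced: enforced }
  end
end

# Table rows rebuilt from the rules instead of being maintained by hand.
def generated_table
  DOCUMENTED.map do |action, row|
    min = minimum_role(row[:ability])
    cells = ROLES.map { |r| min && ROLES.index(r) >= ROLES.index(min) ? "yes" : "-" }
    "| #{action} | #{cells.join(' | ')} |"
  end
end

puts drift, generated_table if $PROGRAM_NAME == __FILE__
```

A check like `drift` could run in CI so that a rule change without a matching docs change fails the build; a row whose gating ability is enabled by no rule is reported with `enforced: nil`.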