Merge request search returns no results for users with inherited group permissions

Summary

When a user is invited to a project via a group membership (with adequate permissions such as Maintainer), the merge request search API (or UI, both /api/v4/ and GraphQL endpoints) does not return any results when searching for a specific string. However, the user can access the merge request directly via the UI or direct URL, indicating they have the necessary permissions.

Steps to reproduce

  1. Create a group and add a user as a Maintainer
  2. Create a project within that group
  3. Ensure the user has inherited Maintainer permissions through the group membership (not as a direct project member)
  4. As that user, use the merge request search API to search for a merge request by title or description
  5. Observe that no results are returned despite the merge request existing and being accessible

Current behavior

  • API search for merge requests returns empty results for users with inherited group permissions
  • User can access the merge request directly via UI or direct URL
  • User has adequate permissions (Maintainer or higher) through group membership
  • The search appears to be checking only direct project membership, not inherited permissions

Expected behavior

  • API search should return merge request results for users with inherited group permissions
  • Search results should be consistent with the user's actual access level
  • Users should be able to search for merge requests they can access

Example Project

Any project within a group where the user has inherited permissions

Relevant logs and/or screenshots

N/A

Environment

  • GitLab Version: GitLab Enterprise Edition 18.9.0-pre dbf044d0680
  • Deployment Type: GitLab.com
  • API Endpoint: /api/v4/projects/:id/merge_requests with search parameters

Possible fixes

  • Review the merge request search API authorization logic to include inherited group permissions
  • Ensure permission checks use the same logic as direct project access
  • Verify that the search query respects the user's effective permissions (direct + inherited)
Edited Jan 20, 2026 by Filip Aleksic
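
The reproduction steps above can be expressed as a regression check: every merge request the user can fetch by IID should also appear when searching for a word from its title. This is an added example, not code from the issue or from GitLab. The `get` transport, `find_search_gaps`, `fake_gitlab` and the sample data are hypothetical, and the in-memory backend only models the report's guess that search checks direct membership alone.

```python
from urllib.parse import quote

def find_search_gaps(get, project_id, known_mrs):
    """Return IIDs the user can read directly but that search does not return.

    get(path, params) -> (http_status, parsed_json) is a caller-supplied
    transport (hypothetical); known_mrs maps MR IID -> a word from its title.
    """
    base = f"/api/v4/projects/{quote(str(project_id), safe='')}/merge_requests"
    gaps = []
    for iid, term in sorted(known_mrs.items()):
        status, _ = get(f"{base}/{iid}", {})
        if status != 200:
            continue  # not readable: absence from search is the correct result
        status, hits = get(base, {"search": term, "in": "title", "state": "all"})
        if status != 200 or not any(mr["iid"] == iid for mr in hits):
            gaps.append(iid)
    return gaps

def fake_gitlab(user, direct, inherited, search_uses_inherited):
    """Constructed in-memory stand-in for the API (assumption, not GitLab code)."""
    mrs = {7: "Fix login redirect", 8: "Update CI cache key"}  # constructed data
    can_read = user in direct or user in inherited
    can_search = user in direct or (search_uses_inherited and user in inherited)

    def get(path, params):
        tail = path.rsplit("/", 1)[-1]
        if tail.isdigit():  # single merge request endpoint
            iid = int(tail)
            if can_read and iid in mrs:
                return 200, {"iid": iid, "title": mrs[iid]}
            return 404, {"message": "404 Not found"}
        if not can_read:
            return 404, {"message": "404 Project Not Found"}
        term = params.get("search", "").lower()
        hits = [{"iid": i, "title": t} for i, t in mrs.items()
                if can_search and term in t.lower()]
        return 200, hits
    return get

KNOWN = {7: "login", 8: "cache"}  # constructed: IID -> title word

if __name__ == "__main__":
    buggy = fake_gitlab("alice", direct=set(), inherited={"alice"},
                        search_uses_inherited=False)
    print("gaps (reported behaviour):",
          find_search_gaps(buggy, "group/project", KNOWN))
```

Against a real instance, `get` would wrap an authenticated HTTP client for the inherited-permission user; a non-empty result means search and direct access disagree.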