
Owners of sub-groups and projects should not have access when banned

Eugie Limpin requested to merge ell-ban-subgroup-and-project-owners into master

What does this MR do and why?

Resolves: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/111

Problem: when sub-group and project owners are banned from a top-level namespace, they can still access their sub-groups and projects.

This MR updates the group and project policies to prevent owners of sub-groups and projects from accessing their sub-groups and projects when they are banned from the top-level group.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Note: to unban, destroy all ::Namespaces::NamespaceBan records by executing ::Namespaces::NamespaceBan.destroy_all in the Rails console.

Validate that sub-group owners are banned

  1. Create a top-level group and a sub-group under the top-level group
  2. Add another user (user2) as OWNER to the sub-group
  3. Validate that user2 can access the sub-group
  4. In Rails console, ban the sub-group owner (user2) from the top-level group
    > namespace = Group.find_by_full_path('your_groups_actual_full_path')
    > user = User.find_by(username: 'your_actual_users_username')
    > ::Namespaces::NamespaceBan.create(user: user, namespace: namespace)
  5. Validate that user2 can no longer access (404) the sub-group

Validate that project owners are banned

  1. Create a top-level group and a project (project1) under the top-level group
  2. Create a sub-group under the top-level group and a project (project2) under the sub-group
  3. Add another user (user2) as OWNER to project1 and project2
  4. Validate that user2 can access project1 and project2
  5. In Rails console, ban user2 from the top-level group
    > namespace = Group.find_by_full_path('your_groups_actual_full_path')
    > user = User.find_by(username: 'your_actual_users_username')
    > ::Namespaces::NamespaceBan.create(user: user, namespace: namespace)
  6. Validate that user2 can no longer access (404) project1 and project2

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Eugie Limpin
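The two validation procedures above, modelled as an added example in plain Ruby. This is not GitLab's code and not the group/project policy classes the MR changes; the Namespace, Project, User and AccessPolicy names, and the in-memory ownership and ban tables, are assumptions chosen to mirror the steps. The point it isolates is the one a reviewer should check in the real policies: a ban is recorded on the top-level namespace, so the policy must resolve a sub-group or project to its root ancestor before deciding, and that check must take precedence over an OWNER role held lower in the tree. The example also shows the pre-fix shape of the rule (ownership alone decides), and that the outcome for a banned user is a 404 rather than a 403.

```ruby
# Added example (not GitLab code): a minimal model of the access rule the MR
# enforces. Names and data structures are assumptions.

Namespace = Struct.new(:full_path, :parent) do
  # Walk up the parent chain to the top-level namespace.
  def root
    node = self
    node = node.parent while node.parent
    node
  end
end

Project = Struct.new(:full_path, :namespace)
User = Struct.new(:username)

class AccessPolicy
  def initialize
    @owners = Hash.new { |h, k| h[k] = [] } # resource full_path => usernames
    @bans   = Hash.new { |h, k| h[k] = [] } # top-level full_path => usernames
  end

  def add_owner(resource, user)
    @owners[resource.full_path] << user.username
  end

  # Mirrors the constraint that a ::Namespaces::NamespaceBan is created on a
  # top-level namespace (assumption for this model).
  def ban(user, namespace)
    raise ArgumentError, 'bans apply to top-level namespaces only' if namespace.parent

    @bans[namespace.full_path] << user.username
  end

  # Resolve to the root ancestor first: a sub-group or a project under a
  # sub-group must be checked against the top-level group's ban list.
  def banned_from_root?(user, resource)
    root = resource.is_a?(Project) ? resource.namespace.root : resource.root
    @bans[root.full_path].include?(user.username)
  end

  # Pre-fix shape of the rule: ownership of the sub-group/project alone
  # decides, so a ban on the top-level group is never consulted.
  def owner_without_root_check?(user, resource)
    @owners[resource.full_path].include?(user.username)
  end

  # Fixed rule: a root-level ban wins over any role held lower in the tree.
  def allowed?(user, resource)
    return false if banned_from_root?(user, resource)

    owner_without_root_check?(user, resource)
  end

  # The MR validates a 404, not a 403, so a banned user cannot even confirm
  # that the resource exists.
  def status(user, resource)
    allowed?(user, resource) ? 200 : 404
  end
end

# Reproduces both validation procedures from the MR description:
# user2 owns a sub-group, a project under the top-level group and a project
# under the sub-group, then is banned from the top-level group.
def validation_scenario
  top      = Namespace.new('top-group', nil)
  sub      = Namespace.new('top-group/sub-group', top)
  project1 = Project.new('top-group/project1', top)
  project2 = Project.new('top-group/sub-group/project2', sub)
  user2    = User.new('user2')
  policy   = AccessPolicy.new
  resources = [sub, project1, project2]
  resources.each { |r| policy.add_owner(r, user2) }

  before = resources.map { |r| policy.status(user2, r) }
  policy.ban(user2, top)
  after  = resources.map { |r| policy.status(user2, r) }
  # What the ownership-only check would still answer after the ban.
  stale  = resources.map { |r| policy.owner_without_root_check?(user2, r) }

  { before: before, after: after, owner_only_after_ban: stale }
end

p validation_scenario if __FILE__ == $PROGRAM_NAME
```

Running the file prints the three lists: all 200 before the ban, all 404 after it, and `[true, true, true]` from the ownership-only check, which is exactly the gap the MR closes. When reviewing the real policy change, the thing to confirm is that the ban lookup uses the root ancestor of the group or project, not the group the user is an owner of.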
