Raise the permissions of the group-level APIs to owner (!118360) · Merge requests · GitLab.org / GitLab

Moaz Khalifa requested to merge 370471-Raise-the-permissions-of-the-group-level-APIs-to-owner into master Apr 21, 2023

What does this MR do and why?

In #364441 (closed) we identified a discrepancy between the UI & the API Group Owners/administrators permission for package and registry settings.

Context

Currently, the docs show that maintainers should have the ability to change these settings: https://docs.gitlab.com/ee/user/permissions.html#group-members-permissions

We recently raised the graphql/api permissions from developer to maintainer to conform with the frontend. It looks like we got mixed up somewhere in #350682 (closed) and #322055 (closed) and the UI (http://gdk.test:3000/groups/<your_group_name>/-/settings/packages_and_registries) has required owner all along.

Access to the settings tab, & therefore Packages & Registry settings on the left side is available only for group owners (they have :admin_group set on their group policy) and the same check is made if the user tries to visit the URL directly. So maintainers don't have access to this UI.

Solution

Raise the permissions of the group-level APIs to owner.

The note warning of the deprecation in GraphQL should be removed.

Relates to #364441 (closed)

Affected permissions:

Dependency proxy permissions.
Package setting permissions.

Note: Container cleanup policies are project-level APIs and their permissions shouldn't be changed.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Create a group (or pick an existing one)
Create a user
Add the user to the group as a maintainer
enable the feature flag in the rails console for the group: Feature.enable(:raise_group_admin_package_permission_to_owner, group_instance)
While logged in as the maintainer user, use the graphql explorer: http://gdk.test:3000/-/graphql-explorer to try to interact with the endpoints:

Try updating the namespace package settings using the query below:

mutation {
  updateNamespacePackageSettings(input: {
    namespacePath: "<your-namespace-full-path>", 
    genericDuplicatesAllowed:true, 
    genericDuplicateExceptionRegex: "asdf.*"
  }) {
    packageSettings {
	 genericDuplicatesAllowed
      genericDuplicateExceptionRegex
    }
  }
}

Try updating the Dependency Proxy settings using one of the queries below: (dependency proxy should be enabled in gdk)

mutation {
  updateDependencyProxySettings(input: {groupPath: "<your-group-full-path", enabled:true}) {
    dependencyProxySetting {
     enabled
    }
  }
}
mutation {
  updateDependencyProxyImageTtlGroupPolicy(input: {groupPath: "<your-group-full-path", enabled:true, ttl:11}) {
    dependencyProxyImageTtlPolicy {
     ttl
     enabled
     updatedAt
   }
 }
}

The requests should be unsuccessful.
Optionally, you can log back in as the root user or owner of the group and make the requests again, they should be successful.
You can disable the feature flag and make the requests again using the maintainer user, the requests should be successful.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.

Related to #370471

Edited May 03, 2023 by Moaz Khalifa

Raise the permissions of the group-level APIs to owner