Check group member permissions in GroupMentionService
What does this MR do and why?
Fixes https://gitlab.com/gitlab-org/gitlab/-/issues/425067 by checking group member access to the context of a group mention, before sending a group mention notification.
How to set up and validate locally
- Enable the `:group_mention_access_check` feature flag.
- Create a Slack Incoming Webhook to receive notifications (https://github.com/darklynx/request-baskets works great).
- Create a Public group called `slack-notifications-test-group` and configure Slack notifications with the webhook and both "A group is mentioned..." triggers enabled.
- Add a non-admin user to `slack-notifications-test-group` with `Reporter` permissions.
- Create a Public project (outside of `slack-notifications-test-group`).
- Mention `@slack-notifications-test-group` in a public issue in the project. A Slack notification should arrive.
- Mention `@slack-notifications-test-group` in a confidential issue in the project. No Slack notification should arrive.
- Remove the non-admin user with the `Reporter` permissions from `@slack-notifications-test-group`.
- Mention `@slack-notifications-test-group` in a confidential issue in the project. A Slack notification should arrive.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Ash McKenzie
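The validation steps above, modelled as an added Ruby example (not code from this MR or from GitLab). The `User`, `Issue` and `Group` structs, both method names, and the rule that the mention is relayed only when every group member can read the issue are assumptions inferred from the expected results in those steps.

```ruby
# Simplified stand-ins for illustration; these are not GitLab's classes.
User  = Struct.new(:name, :admin, keyword_init: true)
Issue = Struct.new(:confidential, :project_reporters, keyword_init: true)
Group = Struct.new(:path, :members, keyword_init: true)

# Assumed visibility rule for an issue in a public project: a public issue
# is readable by anyone; a confidential one only by admins and by users who
# hold Reporter access or higher in the project itself.
def can_read_issue?(user, issue)
  return true unless issue.confidential

  user.admin || issue.project_reporters.include?(user.name)
end

# The access check: relay the group mention to the group's integration only
# if every member of the mentioned group could open the issue themselves.
def notify_group_mention?(group, issue)
  group.members.all? { |member| can_read_issue?(member, issue) }
end

# Constructed data mirroring the validation steps: the group has an admin
# and a non-admin member, and the project lies outside the group, so group
# membership grants no access to the project's confidential issues.
def validation_results
  admin    = User.new(name: "admin-user", admin: true)
  reporter = User.new(name: "reporter-user", admin: false)
  group    = Group.new(path: "slack-notifications-test-group",
                       members: [admin, reporter])

  public_issue       = Issue.new(confidential: false, project_reporters: [])
  confidential_issue = Issue.new(confidential: true, project_reporters: [])

  results = {
    public: notify_group_mention?(group, public_issue),
    confidential: notify_group_mention?(group, confidential_issue)
  }

  # Removing the non-admin member leaves only members who can read the issue.
  group.members.delete(reporter)
  results[:confidential_after_removal] =
    notify_group_mention?(group, confidential_issue)
  results
end

puts validation_results.inspect
```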