
Refactor Authorizer class to use it for more informative error messages

Gosia Ksionek requested to merge mk-error-messages-for-authorizer into master

What does this MR do and why?

This was supposed to be a quick and easy refactor. It was neither quick nor easy.

changes:

  1. Gitlab::Llm::Chain::Utils::Authorizer returns a simple object that responds to the following methods:
  • .allowed? for authorization
  • .message for the error message
  2. Gitlab::Llm::Chain::Utils::Authorizer checks membership for the user in the container
  3. when the user can see the resource but the root ancestor does not allow AI features, we return a sentence containing that information
  4. to make this possible without introducing a security vulnerability by returning different messages for different scenarios (we cannot differentiate responses when the user does not have access to the resource or the resource does not exist), I made the generic answer simpler
  5. I have added a resource_parent method for groups; it works the same as for projects, returning self. This provides an identical interface so groups can be passed to resource_authorized

Overall, because of the additional checks, we can start using this class in a more active way and treat it as the SSOT for authorizing actions for AI.

Also, I skipped additional authorization for the identifiers, as we authorize the resource when we find it. This will also prevent a weird error when someone asks a question from the page of a group that does not have AI enabled about a resource within a group with AI.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Find a group that you are a member of but that does not have AI enabled. Ask about the issue and observe the answer.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
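As an added illustration of the authorizer shape this MR describes (this is example code, not GitLab's own implementation), the Ruby below shows a response object answering allowed? and message, a membership check on the container, and an identical generic message for a missing and for an unreadable resource, with the "AI disabled" explanation given only to a user who can already see the resource. The Group, Project, Issue and Response models, the member lists and the two message strings are hypothetical stand-ins.

```ruby
# Hypothetical minimal models. Every container answers resource_parent so
# groups and projects can be passed to resource_authorized alike.
Group = Struct.new(:name, :members, :ai_enabled, :parent, keyword_init: true) do
  def resource_parent; self; end
  # The root ancestor decides whether AI features are available.
  def root_ancestor; parent ? parent.root_ancestor : self; end
end

Project = Struct.new(:name, :members, :group, keyword_init: true) do
  def resource_parent; self; end
  def root_ancestor; group.root_ancestor; end
end

Issue = Struct.new(:id, :project, keyword_init: true) do
  def resource_parent; project; end
end

# Simple response object answering allowed? and message.
Response = Struct.new(:allowed, :message) do
  def allowed?; allowed; end
end

module Authorizer
  GENERIC_DENIAL = "I am sorry, I cannot access this resource.".freeze
  AI_DISABLED = "AI features are not enabled for this group.".freeze

  def self.resource_authorized(resource:, user:)
    # A missing resource and a resource the user may not read must produce
    # the same message, otherwise the reply becomes an existence oracle.
    return Response.new(false, GENERIC_DENIAL) if resource.nil?

    container = resource.resource_parent
    return Response.new(false, GENERIC_DENIAL) unless container.members.include?(user)

    # The user can already see the resource, so naming the AI restriction
    # reveals nothing about existence or membership.
    return Response.new(false, AI_DISABLED) unless container.root_ancestor.ai_enabled

    Response.new(true, nil)
  end
end
```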

Edited by Gosia Ksionek
