AI actions only shown to users with permissions
What does this MR do and why?
- Previously, each policy was supposed to check the following things:
  - ai_global_switch ops FF enabled
  - AI license available
  - AI feature available via StageCheck
  - Is the user actually a member of the parent resource? (only members can use AI features)
- Not surprisingly, given the number of things to check, this was done somewhat inconsistently throughout the policies.
- In the case of "generate description" we forgot to check for project membership. The logic still prevented the actual AI request for non-members (because that is checked in Llm::BaseService) but the button for the AI action was shown to non-members, which was a confusing UX.
- This MR introduces "Llm::FeatureAuthorizer", which handles this logic.
- Fixes #422754 (closed)
- I plan to use FeatureAuthorizer for our other AI-related permissions as well but the diff was getting large so I am fixing these 2 first.
Screenshots or screen recordings
I validated that I can still generate an Issue description with AI with the changes in this MR.
When creating an issue with AI features enabled as a non-project member:
Before | After |
---|---|
How to set up and validate locally
- Enable AI features locally: https://docs.gitlab.com/ee/development/ai_features/index.html#test-ai-features-locally
- Visit a project with AI features enabled as a non-project member
- Open template to create an issue in the project. The "AI" button should not be shown.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
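
The pattern described above, as an added Ruby sketch that is not code from this MR or from GitLab: one authorizer object evaluates all four conditions, and the UI policy asks it instead of repeating the list by hand. Every class, method and constant name below is hypothetical, and the sample data is constructed.

```ruby
# Added sketch: every name here is hypothetical, not GitLab's actual API.
User = Struct.new(:name)

# Constructed stand-in for the parent resource (project or group).
Container = Struct.new(:member_names, :licensed, :stage_features) do
  def has_member?(user)
    !user.nil? && member_names.include?(user.name)
  end
end

# Single place that evaluates the four conditions listed in the MR description.
class FeatureAuthorizerSketch
  def initialize(container:, user:, feature:, global_switch:)
    @container = container
    @user = user
    @feature = feature
    @global_switch = global_switch
  end

  # Names of the checks that failed; empty means the feature is allowed.
  def failed_checks
    {
      global_switch: @global_switch,
      license: @container.licensed,
      stage_check: @container.stage_features.include?(@feature),
      membership: @container.has_member?(@user)
    }.reject { |_name, passed| passed }.keys
  end

  def allowed?
    failed_checks.empty?
  end
end

# "Before" shape: a policy repeats the list by hand and omits membership,
# so the button is rendered for users the service would later refuse.
def show_button_before?(container, _user, feature, global_switch)
  global_switch && container.licensed && container.stage_features.include?(feature)
end

# "After" shape: the UI policy delegates to the shared authorizer.
def show_button_after?(container, user, feature, global_switch)
  FeatureAuthorizerSketch.new(container: container, user: user,
                              feature: feature, global_switch: global_switch).allowed?
end

# Constructed sample data.
PROJECT = Container.new(%w[alice], true, %i[generate_description])
MEMBER = User.new('alice')
OUTSIDER = User.new('mallory')
```

Returning the list of failed checks rather than a bare boolean makes it straightforward to assert in specs which condition blocked a given user.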