Add team members to policy project only when not added for the group

What does this MR do and why?

This MR fixes a bug where, when the user was added to both the project and the group with the Maintainer role, Security Policy Project creation was failing, as it was impossible to add this user with the Developer role to the Security Policy project because of the higher_access_level_than_group validation.

Queries

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/25409/commands/80479

SELECT DISTINCT
	"project_authorizations"."user_id"
FROM
	"project_authorizations"
WHERE
	"project_authorizations"."project_id" = 278964
	AND "project_authorizations"."access_level" IN (40, 30)
	AND (NOT EXISTS (
			SELECT
				1
			FROM
				"members"
			WHERE
				"members"."type" = 'GroupMember'
				AND "members"."source_type" = 'Namespace'
				AND (members.user_id = project_authorizations.user_id)
				AND "members"."source_id" = 9970
				AND "members"."access_level" >= 30));

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a new group
  2. Create a new project in that group
  3. Create a new user and add it as a Maintainer in both Group and Project
  4. Go to the Project, then Secure -> Policies and try to create a new policy.
  5. The security policy project should be created without issues.

Related to #416875 (closed)

Edited by Dominic Bauer
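
The query from the description, run against constructed data to show which users it returns. This is an added example, not code from the MR: it assumes an in-memory SQLite database in place of PostgreSQL, tables reduced to the columns the query touches, table aliases added for brevity, and made-up user ids.

```python
import sqlite3

# GitLab access levels: 20 = Reporter, 30 = Developer, 40 = Maintainer.
REPORTER, DEVELOPER, MAINTAINER = 20, 30, 40
PROJECT_ID, GROUP_ID = 278964, 9970  # ids taken from the query in the description

QUERY = """
SELECT DISTINCT pa.user_id
FROM project_authorizations pa
WHERE pa.project_id = ?
  AND pa.access_level IN (40, 30)
  AND NOT EXISTS (
        SELECT 1 FROM members m
        WHERE m.type = 'GroupMember'
          AND m.source_type = 'Namespace'
          AND m.user_id = pa.user_id
          AND m.source_id = ?
          AND m.access_level >= 30)
ORDER BY pa.user_id
"""

def users_to_add(project_auths, group_members):
    """Return user ids the query selects: project Developers/Maintainers
    who are not already group members at Developer level or above."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE project_authorizations (user_id INT, project_id INT, access_level INT);
        CREATE TABLE members (user_id INT, type TEXT, source_type TEXT,
                              source_id INT, access_level INT);
    """)
    db.executemany("INSERT INTO project_authorizations VALUES (?, ?, ?)",
                   [(u, PROJECT_ID, lvl) for u, lvl in project_auths])
    db.executemany("INSERT INTO members VALUES (?, 'GroupMember', 'Namespace', ?, ?)",
                   [(u, GROUP_ID, lvl) for u, lvl in group_members])
    rows = db.execute(QUERY, (PROJECT_ID, GROUP_ID)).fetchall()
    db.close()
    return [r[0] for r in rows]

# Constructed sample data: (user_id, access_level).
SAMPLE_PROJECT_AUTHS = [(1, MAINTAINER), (2, MAINTAINER), (3, DEVELOPER), (4, REPORTER)]
SAMPLE_GROUP_MEMBERS = [(1, MAINTAINER), (3, REPORTER)]

if __name__ == "__main__":
    # User 1 is Maintainer in both group and project, the case from the bug report.
    print(users_to_add(SAMPLE_PROJECT_AUTHS, SAMPLE_GROUP_MEMBERS))
```

User 1 is skipped because the group membership already covers them, user 4 is skipped because Reporter is outside `IN (40, 30)`, and user 3 is still returned because a group Reporter role does not satisfy `access_level >= 30`.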