Prevents non-team members from seeing data on AI Agents

Merged Eduardo Bonet requested to merge ai_agents/require_member_for_read_ai_agents into master
All threads resolved!

What does this MR do and why?

While we have not properly implemented feature access control for AI agents (#440955), we should be stricter about non-project-member users seeing data. This MR disables :read_ai_agents for non-team members of a project (:write_ai_agents already required at least the reporter role).

How to set up and validate locally

Example below:

  1. In rails console
    Feature.enable(:agent_registry)
    user = User.last
    project = Project.first
    project_policy = ProjectPolicy.new(user, project)
    
    project.member?(user) # => false
    
    project_policy.debug(:read_ai_agents) # enabled should be false
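
The access rule described above, as an added example that is not code from this MR or from GitLab's ProjectPolicy. `Project`, `AgentPolicy` and `ability_matrix` are hypothetical names, the project and users are constructed, and the "before" rule (read allowed on a public project) is an assumption about the earlier behaviour.

```ruby
# Added illustration: a toy model, not GitLab's ProjectPolicy.
# Access level numbers follow GitLab's role constants.
ACCESS = { none: 0, guest: 10, reporter: 20, developer: 30 }.freeze

# Hypothetical stand-in for a project: a visibility plus a member table.
Project = Struct.new(:visibility, :members) do
  def access_for(user)
    members.fetch(user, ACCESS[:none])
  end
end

# Hypothetical policy: every ability is denied unless a rule enables it.
class AgentPolicy
  def initialize(user, project, flag_enabled: true)
    @level = project.access_for(user)
    @project = project
    @flag = flag_enabled
  end

  # Assumed "before" behaviour: anyone able to view the project could read.
  def read_before?
    @flag && (@project.visibility == :public || @level >= ACCESS[:guest])
  end

  # After the MR: reading requires at least the guest role on the project.
  def read_ai_agents?
    @flag && @level >= ACCESS[:guest]
  end

  # Unchanged by the MR: writing requires at least the reporter role.
  def write_ai_agents?
    @flag && @level >= ACCESS[:reporter]
  end
end

# Returns { user => [read_before, read_after, write] } for a constructed project.
def ability_matrix(flag_enabled: true)
  project = Project.new(:public, { "guest" => ACCESS[:guest], "reporter" => ACCESS[:reporter] })
  %w[outsider guest reporter].to_h do |user|
    p = AgentPolicy.new(user, project, flag_enabled: flag_enabled)
    [user, [p.read_before?, p.read_ai_agents?, p.write_ai_agents?]]
  end
end

ability_matrix.each { |user, row| puts format("%-9s %p", user, row) }
```

The same matrix doubles as a regression check: the non-member row must stay all `false` for read and write even when the project is public.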

Activity

  • Peter Leitzen requested review from @alexbuijs

  • Contributor

    E2E Test Result Summary

    allure-report-publisher generated test report!

    e2e-test-on-gdk: :white_check_mark: test report for aad6808a

    +------------------------------------------------------------------+
    |                          suites summary                          |
    +-------------+--------+--------+---------+-------+-------+--------+
    |             | passed | failed | skipped | flaky | total | result |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Create      | 53     | 0      | 12      | 5     | 65    | ✅     |
    | Verify      | 31     | 0      | 0       | 0     | 31    | ✅     |
    | Monitor     | 7      | 0      | 0       | 0     | 7     | ✅     |
    | Package     | 21     | 0      | 2       | 0     | 23    | ✅     |
    | Govern      | 65     | 0      | 1       | 0     | 66    | ✅     |
    | Analytics   | 2      | 0      | 0       | 0     | 2     | ✅     |
    | Data Stores | 31     | 0      | 1       | 0     | 32    | ✅     |
    | Plan        | 53     | 0      | 0       | 0     | 53    | ✅     |
    | Release     | 5      | 0      | 0       | 0     | 5     | ✅     |
    | Manage      | 0      | 0      | 1       | 0     | 1     | ➖     |
    +-------------+--------+--------+---------+-------+-------+--------+
    | Total       | 268    | 0      | 17      | 5     | 285   | ✅     |
    +-------------+--------+--------+---------+-------+-------+--------+
  • Eduardo Bonet added 1 commit

    • aad6808a - Uses guest role instead of team_member?

    Compare with previous version

  • Eduardo Bonet requested review from @splattael

  • Peter Leitzen approved this merge request

  • Alex Buijs approved this merge request

  • Alex Buijs removed review request for @alexbuijs

  • Peter Leitzen enabled an automatic merge when all merge checks for aad6808a pass

  • Peter Leitzen canceled the automatic merge

  • Peter Leitzen enabled an automatic merge when all merge checks for aad6808a pass

  • Peter Leitzen resolved all threads

  • merged

  • Peter Leitzen mentioned in commit bb86cbf2

  • added workflowstaging label and removed workflowcanary label
