Mask membership source if the current user cannot access the source
What does this MR do and why?
As part of #219230 (closed), we will start showing the invited group members on the project/group members page. However, the current user might not have access to the invited group so depending on different cases we are hiding the source of the invited group member or the invited member itself.
If the invited group is public then we will always show its members on the shared project/group page. But if it's private and it's invited to a public group/project then the following cases are there:
- Current user is unauthenticated - The user won't see the members from the invited group on the shared project/group members page.
- Current user is a non-member of the invited group and the shared group/project - This is the same as point 1.
- Current user is a member of the shared group/project but not of the invited group - The user will see the members of the invited group but the source of membership will be masked.
- Current user is a member of the invited group - The user will be able to see the source of membership.
- Current user is the maintainer/owner of the shared project or owner of the group - The user can see the source of membership to manage the project/group memberships.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Before | After |
---|---|
![]() |
![]() |
How to set up and validate locally
For project:
- Enable the feature flag:
Feature.enable(:webui_members_inherited_users)
. - Login using
user1
and create 2 private groups calledGroup1
&Invited-group
. - Create
Shared-project
underGroup1
- Invite
user2
to Invited-group anduser3
to Shared-project with Developer access. - Now invite
Invited-group
toShared-project
using the Invite a group button on https://gdk.test:3000/group1/shared-project/-/project_members - Now log in using
user3
. - Check out this branch and you can now see
user2
on the Shared-project members page. Also, the source will be masked.
For group:
Create a group called Shared-group
instead of Shared-project
and repeat the above steps.
Related to #418789