Mask membership source if the current user cannot access the source

Abdul Wadood requested to merge 418789-hide-invited-group-details into master

What does this MR do and why?

As part of #219230 (closed), we will start showing the invited group members on the project/group members page. However, the current user might not have access to the invited group, so depending on different cases we are hiding the source of the invited group member or the invited member itself.

If the invited group is public, then we will always show its members on the shared project/group page. But if it's private and it's invited to a public group/project, then the following cases apply:

  1. Current user is unauthenticated - The user won't see the members from the invited group on the shared project/group members page.
  2. Current user is a non-member of the invited group and the shared group/project - This is the same as point 1.
  3. Current user is a member of the shared group/project but not of the invited group - The user will see the members of the invited group but the source of membership will be masked.
  4. Current user is a member of the invited group - The user will be able to see the source of membership.
  5. Current user is the maintainer/owner of the shared project or owner of the group - The user can see the source of membership to manage the project/group memberships.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

For project:

  1. Enable the feature flag: Feature.enable(:webui_members_inherited_users).
  2. Log in using user1 and create 2 private groups called Group1 & Invited-group.
  3. Create Shared-project under Group1.
  4. Invite user2 to Invited-group and user3 to Shared-project with Developer access.
  5. Now invite Invited-group to Shared-project using the Invite a group button on https://gdk.test:3000/group1/shared-project/-/project_members
  6. Now log in using user3.
  7. Check out this branch and you can now see user2 on the Shared-project members page. Also, the source will be masked.

For group:

Create a group called Shared-group instead of Shared-project and repeat the above steps.

Related to #418789

Edited by Abdul Wadood
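
The visibility rules listed in the description, written out as a decision function plus a server-side filter over a members list. This is an added example, not code from this merge request or from GitLab; `Viewer`, `invited_member_visibility`, `members_for`, the row hash layout and the `MASKED_SOURCE` placeholder are all hypothetical names, and the sample rows are constructed from the validation steps.

```ruby
# Constructed placeholder: the page does not say what the masked source looks like.
MASKED_SOURCE = "[masked]"

# Hypothetical viewer model; unset flags default to nil (treated as false).
# shared_admin = maintainer/owner of the shared project, or owner of the shared group.
Viewer = Struct.new(:authenticated, :shared_member, :invited_member, :shared_admin,
                    keyword_init: true)

# Decide how a member who arrives via an invited group is shown to `viewer`:
#   :visible - row shown with its real membership source
#   :masked  - row shown, membership source replaced
#   :hidden  - row omitted from the list
def invited_member_visibility(viewer, invited_group_public:)
  # A public invited group is always shown.
  return :visible if invited_group_public
  # Case 1: unauthenticated user.
  return :hidden unless viewer.authenticated
  # Cases 4 and 5: member of the invited group, or maintainer/owner of the shared side.
  return :visible if viewer.invited_member || viewer.shared_admin
  # Case 3: member of the shared project/group only.
  return :masked if viewer.shared_member
  # Case 2: member of neither. Also the default, so unknown states fail closed.
  :hidden
end

# Apply the decision before rendering, so a masked source never leaves the server.
# Rows without :via_invite are direct members and pass through unchanged.
def members_for(viewer, rows, invited_group_public:)
  rows.filter_map do |row|
    next row unless row[:via_invite]

    case invited_member_visibility(viewer, invited_group_public: invited_group_public)
    when :visible then row
    when :masked  then row.merge(source: MASKED_SOURCE)
    end # :hidden yields nil, which filter_map drops
  end
end

# Constructed sample data mirroring the validation steps (user2 via Invited-group).
ROWS = [
  { user: "user3", source: "Shared-project", via_invite: false },
  { user: "user2", source: "Invited-group",  via_invite: true }
].freeze
```

With the sample rows, a viewer modelled on user3 (member of Shared-project only) gets both rows back with user2's source replaced, while an unauthenticated viewer gets only the direct member.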