Show members of private group as approvers
What does this MR do and why?
Show members of private group as approvers
When an approval rule has a group that is considered hidden to the user then approvers are not shown. This is a problem when a private group has been added to an approval rule.
This change is to consider private groups that are invited to the project associated with the approval rule to be considered non-hidden
For more context: #281029 (comment 1807240087)
Query Plans
This change adds an additional query during project_groups
calling project.invited_groups
that results in a query like:
SELECT *
FROM "namespaces"
INNER JOIN "project_group_links" ON "namespaces"."id" = "project_group_links"."group_id"
WHERE "namespaces"."type" = 'Group'
AND "project_group_links"."project_id" = 278964
query plan here: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27397/commands/85304
The result of that is used in hidden_groups
which performs a query like:
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27497/commands/85645
SELECT *
FROM "namespaces"
INNER JOIN "approval_project_rules_groups" ON "namespaces"."id" = "approval_project_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
AND "approval_project_rules_groups"."approval_project_rule_id" = 14315753
AND "namespaces"."id" NOT IN (2750817,
3887968,
5924764,
6150316);
Before this change hidden_groups
would perform a similar query but without the results from project_groups
:
https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27497/commands/85648
SELECT *
FROM "namespaces"
INNER JOIN "approval_project_rules_groups" ON "namespaces"."id" = "approval_project_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
AND "approval_project_rules_groups"."approval_project_rule_id" = 14315753
AND "namespaces"."id" != 3887968;
Notably sometimes rule
is an instance of ApprovalMergeRequestRule
, but the resulting queries are similar
For example
SELECT *
FROM "namespaces"
INNER JOIN "approval_merge_request_rules_groups" ON "namespaces"."id" = "approval_merge_request_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
AND "approval_merge_request_rules_groups"."approval_merge_request_rule_id" = 269
AND "namespaces"."id" != 2962
Hash Join (cost=7.54..14.83 rows=1 width=434) (actual time=0.278..0.338 rows=1 loops=1)
Hash Cond: (namespaces.id = approval_merge_request_rules_groups.group_id)
-> Index Scan using index_namespaces_on_organization_id_for_groups on namespaces (cost=0.14..7.14 rows=114 width=414) (actual time=0.091..0.271 rows=132 loops=1)
Filter: (id <> 2962)
Rows Removed by Filter: 1
-> Hash (cost=7.29..7.29 rows=8 width=20) (actual time=0.039..0.039 rows=2 loops=1)
Buckets: 1024 Batches: 1 Memory Usage: 9kB
-> Index Scan using index_approval_merge_request_rules_groups_1 on approval_merge_request_rules_groups (cost=0.15..7.29 rows=8 width=20) (actual time=0.029..0.031 rows=2 loops=1)
Index Cond: (approval_merge_request_rule_id = 269)
Planning Time: 0.955 ms
Execution Time: 0.413 ms
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Create a private group (
private-group-b
) - Create a project
- Invite the private subgroup to the project
- Add a
CODEOWNERS
file to the project. For example
*.txt @private-group-b
- Create a protected branch and require code owner approval
- Create merge request that changes something requiring code owner approval
- Invite another user to the project
- As the other user, see that the approvers for the code owner rule are missing from the approval rules widget in the merge request
- Enable the
show_private_groups_as_approvers
feature flag - Check the widget again and see that the approvers are present.
Related to #281029 (closed)