Skip to content

Show members of private group as approvers

What does this MR do and why?

Show members of private group as approvers

When an approval rule has a group that is considered hidden to the user then approvers are not shown. This is a problem when a private group has been added to an approval rule.

This change is to consider private groups that are invited to the project associated with the approval rule to be considered non-hidden

For more context: #281029 (comment 1807240087)

Query Plans

This change adds an additional query during project_groups calling project.invited_groups that results in a query like:

SELECT *
FROM "namespaces"
INNER JOIN "project_group_links" ON "namespaces"."id" = "project_group_links"."group_id"
WHERE "namespaces"."type" = 'Group'
  AND "project_group_links"."project_id" = 278964

query plan here: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27397/commands/85304

The result of that is used in hidden_groups which performs a query like: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27497/commands/85645

SELECT *
FROM "namespaces"
INNER JOIN "approval_project_rules_groups" ON "namespaces"."id" = "approval_project_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
  AND "approval_project_rules_groups"."approval_project_rule_id" = 14315753
  AND "namespaces"."id" NOT IN (2750817,
                                3887968,
                                5924764,
                                6150316);

Before this change hidden_groups would perform a similar query but without the results from project_groups: https://console.postgres.ai/gitlab/gitlab-production-main/sessions/27497/commands/85648

SELECT *
FROM "namespaces"
INNER JOIN "approval_project_rules_groups" ON "namespaces"."id" = "approval_project_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
  AND "approval_project_rules_groups"."approval_project_rule_id" = 14315753
  AND "namespaces"."id" != 3887968;

Notably sometimes rule is an instance of ApprovalMergeRequestRule, but the resulting queries are similar

For example

SELECT *
FROM "namespaces"
INNER JOIN "approval_merge_request_rules_groups" ON "namespaces"."id" = "approval_merge_request_rules_groups"."group_id"
WHERE "namespaces"."type" = 'Group'
  AND "approval_merge_request_rules_groups"."approval_merge_request_rule_id" = 269
  AND "namespaces"."id" != 2962
 Hash Join  (cost=7.54..14.83 rows=1 width=434) (actual time=0.278..0.338 rows=1 loops=1)
   Hash Cond: (namespaces.id = approval_merge_request_rules_groups.group_id)
   ->  Index Scan using index_namespaces_on_organization_id_for_groups on namespaces  (cost=0.14..7.14 rows=114 width=414) (actual time=0.091..0.271 rows=132 loops=1)
         Filter: (id <> 2962)
         Rows Removed by Filter: 1
   ->  Hash  (cost=7.29..7.29 rows=8 width=20) (actual time=0.039..0.039 rows=2 loops=1)
         Buckets: 1024  Batches: 1  Memory Usage: 9kB
         ->  Index Scan using index_approval_merge_request_rules_groups_1 on approval_merge_request_rules_groups  (cost=0.15..7.29 rows=8 width=20) (actual time=0.029..0.031 rows=2 loops=1)
               Index Cond: (approval_merge_request_rule_id = 269)
 Planning Time: 0.955 ms
 Execution Time: 0.413 ms

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a private group (private-group-b)
  2. Create a project
  3. Invite the private subgroup to the project
  4. Add a CODEOWNERS file to the project. For example
*.txt @private-group-b
  1. Create a protected branch and require code owner approval
  2. Create merge request that changes something requiring code owner approval
  3. Invite another user to the project
  4. As the other user, see that the approvers for the code owner rule are missing from the approval rules widget in the merge request
  5. Enable the show_private_groups_as_approvers feature flag
  6. Check the widget again and see that the approvers are present. Screenshot_2024-04-04_at_3.40.15_PM

Related to #281029 (closed)

Edited by Jerry Seto

Merge request reports

Loading