
Fix retrieving custom roles available for a group

Jarka Košanová requested to merge 454360-subgroup-cr-assignement into master

What does this MR do and why?

It fixes retrieving custom roles available for a group.

What we did before this MR

We were checking the permission to admin custom roles (admin_member_role) against the custom roles' group, which is always a root group, and only an owner of that group can admin custom roles.

What is the problem

A user who is not a root group owner can still assign members to subgroups/projects if they are subgroup owners or project maintainers. These users should also be able to assign custom roles in "their" groups/subprojects.

What we do after this change

We check a new permission read_member_role for a group/project a user is actually requesting custom roles for. They have this permission whenever they are able to add/change/remove a group/project member.
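The following is an added illustration, not GitLab's own code: a toy model of the authorization change described above. `Group`, `Project`, `Membership` and `RolePolicy` are hypothetical stand-ins, the hierarchy is a constructed fixture, and only the role names and the two permission names come from this MR. It shows why checking `admin_member_role` on the root group denied subgroup owners and project maintainers, while checking `read_member_role` on the requested group/project grants exactly the users who can already manage members there.

```ruby
# Added example (not GitLab's code): a toy model of the authorization
# change in this MR. Group, Project, Membership and RolePolicy are
# hypothetical stand-ins; the access levels mirror GitLab's role names.

LEVELS = { guest: 10, developer: 30, maintainer: 40, owner: 50 }.freeze

Membership = Struct.new(:user, :access)

class Group
  attr_reader :name, :parent, :memberships

  def initialize(name, parent: nil)
    @name = name
    @parent = parent
    @memberships = []
  end

  # The top-level group: custom roles are defined here.
  def root
    parent ? parent.root : self
  end

  def add_member(user, access)
    memberships << Membership.new(user, access)
  end

  # Effective access: highest of direct and inherited memberships, or nil.
  def access_for(user)
    direct = memberships.select { |m| m.user == user }.map(&:access)
    inherited = parent ? [parent.access_for(user)] : []
    (direct + inherited).compact.max_by { |a| LEVELS.fetch(a) }
  end
end

# A project sits under a group and inherits memberships the same way.
class Project < Group; end

module RolePolicy
  # Before this MR: `admin_member_role`, evaluated on the root group, which
  # only a root-group owner holds.
  def self.admin_member_role_on_root?(user, target)
    target.root.access_for(user) == :owner
  end

  # After this MR: `read_member_role` on the group/project actually being
  # queried. Granted whenever the user can manage members there: owner of a
  # group, maintainer or above of a project.
  def self.read_member_role?(user, target)
    access = target.access_for(user)
    return false if access.nil?

    minimum = target.is_a?(Project) ? :maintainer : :owner
    LEVELS.fetch(access) >= LEVELS.fetch(minimum)
  end
end

# Constructed fixture mirroring the MR's test hierarchy (hypothetical users).
def build_fixture
  root = Group.new("flightjs")
  sub = Group.new("flight-subgroup", parent: root)
  proj = Project.new("sub-project", parent: sub)
  root.add_member("root_owner", :owner)
  sub.add_member("sub_owner", :owner)
  sub.add_member("sub_developer", :developer)
  proj.add_member("proj_maintainer", :maintainer)
  { root: root, sub: sub, proj: proj }
end

# Whether the custom roles list would be returned, before and after the change.
def custom_roles_visible(user, target)
  { before: RolePolicy.admin_member_role_on_root?(user, target),
    after: RolePolicy.read_member_role?(user, target) }
end

if __FILE__ == $PROGRAM_NAME
  f = build_fixture
  [["root_owner", f[:sub]], ["sub_owner", f[:sub]], ["sub_owner", f[:proj]],
   ["proj_maintainer", f[:proj]], ["proj_maintainer", f[:sub]],
   ["sub_developer", f[:sub]]].each do |user, target|
    r = custom_roles_visible(user, target)
    puts format("%-16s on %-16s before=%-5s after=%s", user, target.name, r[:before], r[:after])
  end
end
```

The `proj_maintainer on flight-subgroup` and `sub_developer` rows are the cases that must stay denied: the new check widens access only to users who already hold member-management rights on the exact target, not to anyone below that level or on a sibling/parent they cannot manage.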

More details inline

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Before: members-old (screenshot). After: members-new (screenshot).

How to set up and validate locally

Preparation

  1. Find/create a group with subgroup and project in that subgroup

Subgroup

  1. Pick/create a user who is an owner in the subgroup but not in the root group
  2. Impersonate that user
  3. Go to the subgroup members page and try to add a user/change a user role/add a group
  4. Make sure you can see the available custom roles
  5. You can also test the mutation itself (see below)
  6. Try the same with the root group owner (you should see the custom roles and get them using the mutation) and with a user with a lower role (you should not be able to add/change members, and the mutation should not return any custom roles)

```graphql
query {
  group(fullPath: "flightjs/flight-subgroup") {
    id
    name
    memberRoles {
      nodes {
        id
        name
      }
    }
  }
}
```

Project

  1. Pick/create a user who is a maintainer in the project but not an owner in the root group/subgroup
  2. Impersonate that user
  3. Go to the project members page and try to add a user/change a user role/add a group
  4. Make sure you can see the available custom roles
  5. You can also test the mutation itself (see below)
  6. Try the same with the root group owner/maintainer (you should see the custom roles and get them using the mutation) and with a user with a lower role (you should not be able to add/change members, and the mutation should not return any custom roles)

```graphql
query {
  project(fullPath: "flightjs/flight-subgroup/sub-project") {
    id
    name
    memberRoles {
      nodes {
        id
        name
      }
    }
  }
}
```

Related to #454360 (closed)

Edited by Jarka Košanová
