
Restrict member roles REST API

Hinam Mehra requested to merge 452208-restrict-member-roles-rest-api into master

What does this MR do and why?

  • Restricts custom-roles REST API based on whether the application is in SaaS mode or a self-managed instance.
  • When on SaaS, users can create group-level custom roles but not instance-level custom roles.
  • When on self-managed, users can create instance-level custom roles but not group-level custom roles.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Enable SaaS mode and restart GDK:

     ```shell
     export GITLAB_SIMULATE_SAAS=1
     gdk restart
     ```

  2. Sign in as an admin and get a personal access token.

  3. Using a group that you are an owner of, create, list and delete group-level custom roles. Their endpoints are:

     ```
     GET    /api/v4/groups/<GROUP_ID>/member_roles
     POST   /api/v4/groups/<GROUP_ID>/member_roles   { "name": "Test", "read_code": true, "base_access_level": 10 }
     DELETE /api/v4/groups/<GROUP_ID>/member_roles/<MEMBER_ROLE_ID>
     ```

  4. You should not be able to do any of those with instance-level custom roles. Their endpoints are:

     ```
     GET    /api/v4/member_roles
     POST   /api/v4/member_roles   { "name": "Test", "read_code": true, "base_access_level": 10 }
     DELETE /api/v4/member_roles/<MEMBER_ROLE_ID>
     ```

  5. Disable SaaS mode and restart GDK:

     ```shell
     export GITLAB_SIMULATE_SAAS=0
     gdk restart
     ```

  6. Repeat steps 3 and 4. Now you should be able to create an instance-level custom role but not a group-level one.
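
The validation steps above, driven from a shell script with curl so that both scopes are exercised and compared against the rule the MR describes in one go. This is an added example, not code from the MR or from GitLab's own tooling. It assumes a GDK base URL in `GITLAB_URL` (defaulting to the usual `http://gdk.test:3000`), the admin personal access token from step 2 in `GITLAB_TOKEN`, the owned group in `GROUP_ID`, and that `GITLAB_SIMULATE_SAAS` in the script's environment matches the mode GDK was last restarted with. Because the MR does not say which error status a blocked call returns, any non-2xx response is treated as "blocked". The function names (`expected`, `endpoint`, `observed`, `call`, `check`, `exercise`, `run_matrix`) and the `RUN_VALIDATION` switch are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the MR: runs the manual validation steps above
# against a local GDK with curl and prints PASS/FAIL per endpoint.
# Assumed environment (none of these names come from the MR):
#   GITLAB_URL            base URL of the instance (defaults to the usual GDK host)
#   GITLAB_TOKEN          admin personal access token from step 2
#   GROUP_ID              a group the token's user owns
#   GITLAB_SIMULATE_SAAS  1 when GDK was restarted in SaaS mode, 0 otherwise
#   RUN_VALIDATION=1      actually send the requests (otherwise only functions are defined)

GITLAB_URL="${GITLAB_URL:-http://gdk.test:3000}"
GITLAB_TOKEN="${GITLAB_TOKEN:-}"
GROUP_ID="${GROUP_ID:-}"
MODE="${GITLAB_SIMULATE_SAAS:-0}"
ROLE_JSON='{ "name": "Test", "read_code": true, "base_access_level": 10 }'
BODY="${TMPDIR:-/tmp}/member_roles_check.$$"   # last response body is saved here

# The rule this MR implements: group-level roles only on SaaS, instance-level
# roles only on self-managed.  expected <mode 1|0> <group|instance> -> allowed|blocked
expected() {
  case "$1:$2" in
    1:group | 0:instance) echo allowed ;;
    1:instance | 0:group) echo blocked ;;
    *) echo "unknown mode/scope: $1/$2" >&2; return 1 ;;
  esac
}

# endpoint <group|instance> [MEMBER_ROLE_ID] -> API path as listed in the MR
endpoint() {
  local base
  case "$1" in
    group)    base="/api/v4/groups/${GROUP_ID}/member_roles" ;;
    instance) base="/api/v4/member_roles" ;;
    *) echo "unknown scope: $1" >&2; return 1 ;;
  esac
  echo "${base}${2:+/$2}"
}

# The MR does not say which error status a blocked call gets, so any non-2xx
# response is classified as blocked.  observed <http status> -> allowed|blocked
observed() {
  case "$1" in 2[0-9][0-9]) echo allowed ;; *) echo blocked ;; esac
}

# call <METHOD> <path> [json body] -> prints the HTTP status; body saved in $BODY
call() {
  curl -sS -o "$BODY" -w '%{http_code}' -X "$1" \
    -H "PRIVATE-TOKEN: ${GITLAB_TOKEN}" -H 'Content-Type: application/json' \
    ${3:+--data "$3"} "${GITLAB_URL}$2"
}

# check <label> <http status> <expected outcome> -> PASS/FAIL line, non-zero on FAIL
check() {
  local got; got=$(observed "$2")
  if [ "$got" = "$3" ]; then
    echo "PASS $1 -> HTTP $2 ($got)"
  else
    echo "FAIL $1 -> HTTP $2 (got $got, wanted $3)"; return 1
  fi
}

# exercise <group|instance>: list, create and (if create succeeded) delete a
# custom role on that scope, comparing every outcome with expected "$MODE" scope.
exercise() {
  local scope="$1" want path status id rc=0
  want=$(expected "$MODE" "$scope") || return 1
  path=$(endpoint "$scope")
  echo "== ${scope}-level custom roles (GITLAB_SIMULATE_SAAS=$MODE): expecting $want"

  status=$(call GET "$path");               check "GET    $path" "$status" "$want" || rc=1
  status=$(call POST "$path" "$ROLE_JSON"); check "POST   $path" "$status" "$want" || rc=1

  # Only a successful create yields an id to delete; on a blocked scope there is
  # nothing to clean up.  The id is taken from the first "id" key in the response
  # (assumed to be the new role's own id).
  if [ "$(observed "$status")" = allowed ]; then
    id=$(grep -o '"id":[0-9]*' "$BODY" | head -1 | cut -d: -f2)
    path=$(endpoint "$scope" "$id")
    status=$(call DELETE "$path");          check "DELETE $path" "$status" "$want" || rc=1
  fi
  return $rc
}

# Both scopes in whichever mode GDK is currently running.  Run once after
# steps 1-2 and again after step 5; every line should read PASS both times.
run_matrix() {
  local rc=0
  exercise group    || rc=1
  exercise instance || rc=1
  rm -f "$BODY"
  return $rc
}

if [ "${RUN_VALIDATION:-0}" = "1" ]; then
  run_matrix
fi
```

Run it as `RUN_VALIDATION=1 GITLAB_TOKEN=... GROUP_ID=... GITLAB_SIMULATE_SAAS=1 bash check_member_roles.sh` after step 2, then again with `GITLAB_SIMULATE_SAAS=0` after step 5. The script only reports whether each outcome is a 2xx or not; if you want to assert the exact error code the API returns when a scope is blocked, tighten `observed` once you have seen it.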

Related to #452208 (closed)

Edited by Hinam Mehra
