Allow LDAP group synced Owner access to Roles and Permissions page (!150568) · Merge requests · GitLab.org / GitLab

What does this MR do and why?

This MR fixes the following defects:

LDAP Owners that should be able to view the Group > Roles and Permissions page cannot.
- This policy and this policy prevent LDAP synchronized Owners from receiving the admin_group_member permission.
Owners that have the admin_member_role permission are not able to fetch the list of member roles via the GraphQL API.
- After the Roles and Permissions page is loaded the frontend code issues a GraphQL query to fetch the list of member roles. Access to the list of member roles is authorized using the read_member_role permission. Currently, an empty list of results is returned to any user that has the admin_member_role ability (.i.e. Owners).

To fix the first issue the authorization for the groups/roles_and_permissions#index action was changed to use the same permission checked in the RolesFinder that is used to fetch the list of roles.

To fix the second issue the GroupPolicy was updated to give the read_member_role permission to any user that has the admin_member_role permission.

After both fixes are applied:

#434172 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.