
Organization owner group permissions with admin mode

Alex Pooley requested to merge 440355-organization-owners-group-admin-mode into master

What does this MR do and why?

In Broadly extend organization owner group permiss... (!145996 - merged), admin mode was ignored. This MR integrates admin mode so that an admin on an instance with admin mode enabled will need to enable admin mode for their session for their organization ownership permissions to be acknowledged.

This MR removes a lot of uses of the :without_default_org trait in the specs that were a temporary stopgap until this MR.

Here's some context on admin mode in case you're not familiar. Admin mode is a setting that can be enabled on an instance that forces an admin to perform a second authentication to receive admin rights. If the admin mode setting is disabled, then admins have full rights at all times.

DB Changes

The change in app/finders/concerns/finder_with_group_hierarchy.rb results in an extra query for organizations: SELECT "organizations".* FROM "organizations" WHERE "organizations"."id" = 1

[4] pry(main)> LabelsFinder.new(User.last, {project_id: 6}).execute
  User Load (0.8ms)  SELECT "users".* FROM "users" ORDER BY "users"."id" DESC LIMIT 1 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/app/models/concerns/use_sql_function_for_primary_key_lookups.rb:8:in `_query_by_sql'*/
  Project Load (0.8ms)  SELECT "projects"."id", "projects"."name", "projects"."path", "projects"."description", "projects"."created_at", "projects"."updated_at", "projects"."creator_id", "projects"."namespace_id", "projects"."last_activity_at", "projects"."import_url", "projects"."visibility_level", "projects"."archived", "projects"."avatar", "projects"."merge_requests_template", "projects"."star_count", "projects"."merge_requests_rebase_enabled", "projects"."import_type", "projects"."import_source", "projects"."approvals_before_merge", "projects"."reset_approvals_on_push", "projects"."merge_requests_ff_only_enabled", "projects"."issues_template", "projects"."mirror", "projects"."mirror_last_update_at", "projects"."mirror_last_successful_update_at", "projects"."mirror_user_id", "projects"."shared_runners_enabled", "projects"."runners_token", "projects"."build_allow_git_fetch", "projects"."build_timeout", "projects"."mirror_trigger_builds", "projects"."pending_delete", "projects"."public_builds", "projects"."last_repository_check_failed", "projects"."last_repository_check_at", "projects"."only_allow_merge_if_pipeline_succeeds", "projects"."has_external_issue_tracker", "projects"."repository_storage", "projects"."repository_read_only", "projects"."request_access_enabled", "projects"."has_external_wiki", "projects"."ci_config_path", "projects"."lfs_enabled", "projects"."description_html", "projects"."only_allow_merge_if_all_discussions_are_resolved", "projects"."repository_size_limit", "projects"."printing_merge_request_link_enabled", "projects"."auto_cancel_pending_pipelines", "projects"."service_desk_enabled", "projects"."cached_markdown_version", "projects"."delete_error", "projects"."last_repository_updated_at", "projects"."disable_overriding_approvers_per_merge_request", "projects"."storage_version", "projects"."resolve_outdated_diff_discussions", "projects"."remote_mirror_available_overridden", "projects"."only_mirror_protected_branches", 
"projects"."pull_mirror_available_overridden", "projects"."jobs_cache_index", "projects"."external_authorization_classification_label", "projects"."mirror_overwrites_diverged_branches", "projects"."pages_https_only", "projects"."external_webhook_token", "projects"."packages_enabled", "projects"."merge_requests_author_approval", "projects"."pool_repository_id", "projects"."runners_token_encrypted", "projects"."bfg_object_map", "projects"."detected_repository_languages", "projects"."merge_requests_disable_committers_approval", "projects"."require_password_to_approve", "projects"."max_pages_size", "projects"."max_artifacts_size", "projects"."pull_mirror_branch_prefix", "projects"."remove_source_branch_after_merge", "projects"."marked_for_deletion_at", "projects"."marked_for_deletion_by_user_id", "projects"."autoclose_referenced_issues", "projects"."suggestion_commit_message", "projects"."project_namespace_id", "projects"."hidden", "projects"."organization_id" FROM "projects" WHERE "projects"."id" = 6 LIMIT 1 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/app/models/concerns/use_sql_function_for_primary_key_lookups.rb:8:in `_query_by_sql'*/
  Group Load (0.4ms)  SELECT "namespaces"."id", "namespaces"."name", "namespaces"."path", "namespaces"."owner_id", "namespaces"."created_at", "namespaces"."updated_at", "namespaces"."type", "namespaces"."description", "namespaces"."avatar", "namespaces"."membership_lock", "namespaces"."share_with_group_lock", "namespaces"."visibility_level", "namespaces"."request_access_enabled", "namespaces"."ldap_sync_status", "namespaces"."ldap_sync_error", "namespaces"."ldap_sync_last_update_at", "namespaces"."ldap_sync_last_successful_update_at", "namespaces"."ldap_sync_last_sync_at", "namespaces"."description_html", "namespaces"."lfs_enabled", "namespaces"."parent_id", "namespaces"."shared_runners_minutes_limit", "namespaces"."repository_size_limit", "namespaces"."require_two_factor_authentication", "namespaces"."two_factor_grace_period", "namespaces"."cached_markdown_version", "namespaces"."project_creation_level", "namespaces"."runners_token", "namespaces"."file_template_project_id", "namespaces"."saml_discovery_token", "namespaces"."runners_token_encrypted", "namespaces"."custom_project_templates_group_id", "namespaces"."auto_devops_enabled", "namespaces"."extra_shared_runners_minutes_limit", "namespaces"."last_ci_minutes_notification_at", "namespaces"."last_ci_minutes_usage_notification_level", "namespaces"."subgroup_creation_level", "namespaces"."max_pages_size", "namespaces"."max_artifacts_size", "namespaces"."mentions_disabled", "namespaces"."default_branch_protection", "namespaces"."max_personal_access_token_lifetime", "namespaces"."push_rule_id", "namespaces"."shared_runners_enabled", "namespaces"."allow_descendants_override_disabled_shared_runners", "namespaces"."traversal_ids", "namespaces"."organization_id" FROM "namespaces" WHERE "namespaces"."type" = 'Group' AND "namespaces"."id" = 31 LIMIT 1 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/app/models/concerns/use_sql_function_for_primary_key_lookups.rb:8:in 
`_query_by_sql'*/
  License Load (0.3ms)  SELECT "licenses".* FROM "licenses" ORDER BY "licenses"."id" DESC LIMIT 100 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/ee/app/models/license.rb:94:in `filter_map'*/
  Namespaces::NamespaceBan Load (2.4ms)  SELECT "namespace_bans".* FROM "namespace_bans" WHERE "namespace_bans"."user_id" = 68 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/ee/app/policies/ee/project_policy.rb:213:in `block (2 levels) in <module:ProjectPolicy>'*/
  ProjectFeature Load (0.1ms)  SELECT "project_features".* FROM "project_features" WHERE "project_features"."project_id" = 6 LIMIT 1 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/app/policies/project_policy.rb:1103:in `access_allowed_to?'*/
  Organizations::Organization Load (3.5ms)  SELECT "organizations".* FROM "organizations" WHERE "organizations"."id" = 1 /*application:console,db_config_name:main,console_hostname:alexs-mbp.lan,console_username:alex,line:/app/finders/concerns/finder_with_group_hierarchy.rb:81:in `preload_associations'*/
...

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before After

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

Related to #440355 (closed)

Edited by Alex Pooley
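
The rule the description states (an admin is acknowledged as organization owner only once admin mode is enabled for their session, when the instance setting is on) can be modelled as a small decision matrix. This is an added example, not GitLab's code or code from this MR; `User`, `Session`, `Organization`, `OwnerCheck` and `owner_matrix` are hypothetical names, and treating explicit organization owners as unaffected by admin mode is an assumption.

```ruby
# Added illustration; not GitLab's code. All names here are hypothetical.
require "set"

User = Struct.new(:id, :admin, keyword_init: true)

# A login session; admin_mode is set only after the second authentication.
Session = Struct.new(:user, :admin_mode, keyword_init: true) do
  def enable_admin_mode!(reauthenticated:)
    raise ArgumentError, "second authentication required" unless reauthenticated
    self.admin_mode = true
  end
end

class Organization
  def initialize(owner_ids: [])
    @owner_ids = owner_ids.to_set
  end

  # Assumption: users listed as owners are owners regardless of admin mode.
  def explicit_owner?(user)
    @owner_ids.include?(user.id)
  end
end

class OwnerCheck
  def initialize(admin_mode_setting:)
    @admin_mode_setting = admin_mode_setting
  end

  # Admin rights count if the instance setting is off, or this session elevated.
  def effective_admin?(session)
    return false unless session.user.admin
    !@admin_mode_setting || session.admin_mode == true
  end

  def organization_owner?(session, organization)
    organization.explicit_owner?(session.user) || effective_admin?(session)
  end
end

# Evaluate every combination of instance setting and session type.
def owner_matrix
  org = Organization.new(owner_ids: [2]) # constructed sample data
  admin = User.new(id: 1, admin: true)
  member = User.new(id: 2, admin: false)
  [true, false].flat_map do |setting|
    check = OwnerCheck.new(admin_mode_setting: setting)
    plain = Session.new(user: admin, admin_mode: false)
    elevated = Session.new(user: admin, admin_mode: false)
    elevated.enable_admin_mode!(reauthenticated: true)
    owner = Session.new(user: member, admin_mode: false)
    { admin_plain: plain, admin_elevated: elevated, explicit_owner: owner }
      .map { |label, s| [setting, label, check.organization_owner?(s, org)] }
  end
end
```

The only row that denies ownership is an admin whose session has not enabled admin mode on an instance where the setting is on; that is the case the earlier MR got wrong by ignoring admin mode.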
