Allow invited Owners to top-level group to manage its enterprise users
What does this MR do and why?
In #503269 it was reported that an invited Owner of a top-level group cannot disable two-factor authentication for the group's enterprise users.
This MR allows invited Owners of a top-level group to manage its enterprise users.
Implementation details
We use the `User#managed_by_user?(user, group: user_detail.enterprise_group)` method in the codebase to check whether a user can manage an enterprise user. Within that method we currently use `Group#owned_by?` to check whether the user is an Owner of the enterprise group. That method only considers direct Owners, which is why invited Owners of the enterprise group currently cannot manage its enterprise users.

I hesitate to change the behavior of the `Group#owned_by?` method directly, as it is used in other places and a behavior change there could lead to unintended changes. It is safer to replace the usage of `Group#owned_by?` in the `managed_by_user?` method.
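To illustrate the gap described above, here is a small Ruby model (added for this write-up, not GitLab's own classes or method bodies) of a direct-only owner check next to one that also counts Owners invited through a shared group; the class, method names and access-level constants are assumptions that only mirror the shape of the real code.

```ruby
# Constructed model of the access check this MR changes; not GitLab code.
OWNER = 50        # assumed access-level values, highest wins
MAINTAINER = 40

class Group
  attr_reader :members, :shared_with

  def initialize
    @members = {}      # user => direct access level in this group
    @shared_with = []  # [[invited_group, access cap]] from "invite group"
  end

  def add_member(user, level)
    @members[user] = level
  end

  # Invite another group; its members get at most +cap+ here.
  def share_with(group, cap)
    @shared_with << [group, cap]
  end

  # Direct Owners only: the behaviour the MR identifies as too narrow.
  def owned_by?(user)
    @members[user] == OWNER
  end

  # Highest access a user holds here, directly or via an invited group
  # (one level of sharing; enough to show the difference).
  def max_member_access_for_user(user)
    direct = @members[user] || 0
    via_invite = @shared_with.map { |g, cap| [g.members[user] || 0, cap].min }.max || 0
    [direct, via_invite].max
  end

  def owner_including_invited?(user)
    max_member_access_for_user(user) >= OWNER
  end
end

# The enterprise-user check, using the old and the replacement owner test.
def managed_by_user_before?(manager, enterprise_group)
  enterprise_group.owned_by?(manager)
end

def managed_by_user_after?(manager, enterprise_group)
  enterprise_group.owner_including_invited?(manager)
end
```

With a user who is an Owner of an invited group (shared at Owner level), the first check returns false and the second true; a member invited with a Maintainer cap stays unable to manage enterprise users under both.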
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Make sure the GitLab instance simulates SaaS (or is a SaaS instance), since Enterprise Users is a SaaS feature
- Configure "Automatic claims of enterprise users". For testing purposes on the local environment you can claim the user manually from the Rails console:

  ```ruby
  # Replace USERNAME with the test user and GROUP_ID with the top-level group's id
  User.find_by_username('USERNAME').user_detail.update(enterprise_group_id: GROUP_ID)
  ```

- Follow "Steps to reproduce" from #503269