
Add Owners to `Roles allowed to create projects` options on Group

  • Please check this box if this contribution uses AI-generated content (including content generated by GitLab Duo features) as outlined in the GitLab DCO & CLA. As a benefit of being a GitLab Community Contributor, you can request access to GitLab Duo.

What does this MR do and why?

This MR enables a setting that allows only the Owner and a higher role (Admin) to create projects, and disallows Maintainer and lower roles from doing so. As in the use case described in #354355 (closed), when we set Roles allowed to create projects to Owners for a group, the Terraform user with the Owner role can create projects, but other members with roles lower than Owner can't.

The Owners option is added to two types of settings.

  1. Allowed to create projects (Group settings)
    Group Page > Settings > General > Permissions and group features > Roles allowed to create projects.
  2. Default project creation protection (admin settings)
    Admin Page > Settings > General > Visibility and access controls > Default project creation protection.
    If Allowed to create projects isn't set, this value is applied. (If Allowed to create projects isn't set, Default project creation protection is automatically selected in Allowed to create projects section.)

References

#354355 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

  • Screenshots of Settings

    • Allowed to create projects (Group settings)
      Screenshot_2024-11-16_at_19.51.44 Screenshot_2024-11-16_at_19.52.02
    • Default project creation protection (admin settings)
      Screenshot_2024-11-16_at_21.50.57
  • Test that the Owner option works.

How to set up and validate locally

  1. Create a new test user on gdk (http://gdk.local:3000/).
    Please refer to https://docs.gitlab.com/ee/user/profile/account/create_accounts.html.
  2. Open the gdk top page. Click Groups > group name (e.g. Flightjs) > Settings > General > Permissions and group features > Roles allowed to create projects.
  3. Select Owners and click Save changes.
  4. On the group page, click Manage > Members > Invite members. Select the test user created above in Username, name or email address, and select Maintainer in Select a role. Click Invite.
  5. Log out from gdk, and log in to gdk as the created test user.
  6. Click Groups > group name (e.g. Flightjs). Check that the New project button doesn't exist in the upper right corner.

Notes

  • The following shows which combinations of Access level and Project creation level can create projects. Screenshot_2024-11-21_at_21.43.20

  • The Project creation level permission is a prerequisite for transferring projects.

  • This MR doesn't include changes to AcceptingProjectCreationsFinder and AcceptingProjectTransfersFinder. This causes the following.
    For example, when a Maintainer user gets groups through AcceptingProjectCreationsFinder, it returns groups whose project_creation_level is Owner, which means it includes groups in which the user can't create projects.
    But in my opinion, it's not a problem, because if we try to create or transfer projects in the groups without the permission, those services check the permission and return a "no permission" error (like the transfer project test above). So we can deal with them separately from this issue.

Edited by Yasutaka Kono
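
The Notes above describe a group listing that can include groups where the user may not create projects, with the create and transfer services acting as the enforcing check. The Ruby sketch below is an added illustration of that split, not code from this MR or from GitLab; the role ranks, option names, sample users and helper names are assumptions.

```ruby
# Simplified model for illustration; not GitLab's code. Names and rank values are assumptions.
ROLE_RANK = { developer: 30, maintainer: 40, owner: 50 }.freeze
# Minimum group role each "Roles allowed to create projects" option requires (two options modelled).
MIN_ROLE = { maintainers: :maintainer, owners: :owner }.freeze

User  = Struct.new(:name, :admin)
Group = Struct.new(:name, :project_creation_level, :members)

# Authoritative check: admins always pass, everyone else needs the minimum role.
def can_create_project?(user, group)
  return true if user.admin
  required = MIN_ROLE.fetch(group.project_creation_level) # unknown option raises: fail closed
  role = group.members[user.name]
  return false if role.nil?
  ROLE_RANK.fetch(role) >= ROLE_RANK.fetch(required)
end

# Listing that predates the Owners option: it treats Maintainer as always sufficient.
def stale_group_listing(user, groups)
  groups.select { |g| ROLE_RANK.fetch(g.members[user.name], 0) >= ROLE_RANK[:maintainer] }
end

# Service layer: re-checks permission regardless of what the listing returned.
def create_project(user, group, project_name)
  return { status: :error, message: "no permission" } unless can_create_project?(user, group)
  { status: :success, path: "#{group.name}/#{project_name}" }
end

# Groups the listing offers but the service would refuse.
def listed_but_denied(user, groups)
  stale_group_listing(user, groups).reject { |g| can_create_project?(user, g) }.map(&:name)
end

# Constructed sample data.
TERRAFORM = User.new("terraform", false)
TEST_USER = User.new("test-user", false)
ADMIN     = User.new("root", true)
GROUPS = [
  Group.new("flightjs", :owners, { "terraform" => :owner, "test-user" => :maintainer }),
  Group.new("toolbox", :maintainers, { "test-user" => :maintainer })
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "listed but denied for test-user: #{listed_but_denied(TEST_USER, GROUPS).inspect}"
  [TERRAFORM, TEST_USER, ADMIN].each do |u|
    puts "#{u.name}: #{create_project(u, GROUPS[0], 'demo')[:status]}"
  end
end
```

The listing is only a convenience filter here; the decision that matters for authorization is the one made inside `create_project`.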
