Add read_admin_cicd custom permission to allow access to /admin/runners
What does this MR do and why?
This MR partially implements Implement granular read_admin_cicd permission (#507960 - closed). It includes the following changes:
- Add
read_admin_cicdcustom ability. - Displays a link to "Admin area" in global search results when a non-admin user has
read_admin_cicdpermission. This links to/admin/runnersif the user only has access to/admin/runnersbut not/admin(granted byread_admin_dashboard, for example). - Allows access to
/admin/runnerswhen a non-admin user hasread_admin_cicdpermission.
This MR does not include the following:
- Updates to grant access to
/admin/jobswhich is also under the CI/CD admin page - Updates to grant access when fetching all runners displayed in
/admin/runners - Updates to grant access when fetching all jobs displayed in
/admin/jobs
These will be introduced in a separate MR to keep this MR small.
References
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screen_Recording_2025-01-10_at_2.22.49_PM
How to set up and validate locally
- Enable
custom_ability_read_admin_cicdfeature flag.$ rails c > Feature.enable(:custom_ability_read_admin_cicd) - Create a new admin member role with
read_admin_cicdpermission enabled.> admin_member_role = MemberRole.create(name: 'Limited admin', description: 'Read CI/CD details including runners and jobs.', read_admin_cicd: true) - Assign the new admin role to a non-admin user.
> user = User.find(<a_user_id>) > Users::UserMemberRole.create(member_role: admin_member_role, user: user)` - Login with the user.
- Click global search in left sidebar ("Search or go to").
- Verify that "Admin area" is displayed. Click on it.
- Verify that you are redirected to
/admin/runnersand CI/CD menu item is the only one displayed on the side bar.
Edited by Eugie Limpin