Add permission to view user details in Admin Area

What does this MR do and why?

Organizations often have support teams who need admin read access to perform their job but should not have admin write access. In response, we created an admin role that customers can customize to their specific permissions threshold. More context here.

This change introduces a new custom permission called read_admin_users that allows read-only access to view user details in the Admin Area. This is the first MR for this new permission; subsequent permissions will follow that remove additional links and buttons that should not appear for this restricted admin user. This work is gated behind the custom_ability_read_admin_users feature flag.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

| Page | Before (admin) | After (restricted admin) |
| --- | --- | --- |
| admin/users#index | image | image |
| admin/users#show | image | image |

How to set up and validate locally

  1. Enable the feature flag in a Rails console:
    [1] pry(main)> Feature.enable(:custom_ability_read_admin_users)
  2. Visit the instance-level Roles and Permissions page: http://gdk.test:3000/admin/application_settings/roles_and_permissions
  3. Create a new Role with the read_admin_users permission enabled.
  4. Open a separate browser and register a new account.
  5. Open a Rails console and assign the new role to the new account:
    pry(main)> License.feature_available?(:custom_roles)
    pry(main)> user = User.find_by(username: 'read_admin_users')
    pry(main)> role = MemberRole.find_by(name: 'read_admin_users')
    pry(main)> Users::UserMemberRole.create!(member_role: role, user: user)
    pry(main)> user.can?(:read_admin_users)
  6. Visit any group or project members page, such as http://127.0.0.1:3000/groups/flightjs/-/group_members
  7. Visit the admin/users page using the new account: http://gdk.test:3000/admin/users
  8. Verify that the page loads.
Edited by mo khan
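
The validation steps above confirm only that the page loads for the restricted admin. The following added example (not part of this MR and not GitLab's policy code) is a self-contained Ruby model of the complementary checks: read access requires the feature flag, the license feature and the role assignment together, and write actions stay denied. `AdminUsersGate`, `Actor` and the `update`/`destroy` write actions are hypothetical names chosen for illustration.

```ruby
# Added illustration: a self-contained model of the three gates the steps above
# exercise. Not GitLab's policy code; all class and actor names are hypothetical.
require 'set'

READ_ACTIONS  = %w[index show].freeze      # the two pages listed in the MR
WRITE_ACTIONS = %w[update destroy].freeze  # constructed examples of write actions

Actor = Struct.new(:name, :admin, :permissions, keyword_init: true)

class AdminUsersGate
  def initialize(flags:, licensed:)
    @flags = flags.to_set
    @licensed = licensed
  end

  # The custom permission counts only if flag, license and role assignment all hold.
  def read_admin_users?(actor)
    @flags.include?(:custom_ability_read_admin_users) &&
      @licensed &&
      actor.permissions.include?(:read_admin_users)
  end

  # Fail closed: unknown actions and every write action require a full admin.
  def allowed?(actor, action)
    return true if actor.admin
    return false unless READ_ACTIONS.include?(action)
    read_admin_users?(actor)
  end

  # Action => allowed? for every modelled action.
  def matrix(actor)
    (READ_ACTIONS + WRITE_ACTIONS).to_h { |a| [a, allowed?(actor, a)] }
  end
end

# Constructed sample actors.
admin      = Actor.new(name: 'root', admin: true, permissions: [])
restricted = Actor.new(name: 'support', admin: false, permissions: [:read_admin_users])
regular    = Actor.new(name: 'dev', admin: false, permissions: [])

flag_on  = AdminUsersGate.new(flags: [:custom_ability_read_admin_users], licensed: true)
flag_off = AdminUsersGate.new(flags: [], licensed: true)

{ 'admin' => flag_on.matrix(admin), 'restricted' => flag_on.matrix(restricted),
  'regular' => flag_on.matrix(regular), 'restricted, flag off' => flag_off.matrix(restricted)
}.each { |label, row| puts format('%-22s %s', label, row) }
```

The same matrix translates into request specs for the real controller: one example per role and action, including the flag-off case.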
