Skip to content

Move to minimum role project create restriction

Yasutaka Konorequested to merge
gitlab-community/gitlab-org/gitlab:507410-move-to-minimum-role-project-create-restriction into master

What does this MR do and why?

As group setting of Roles allowed to create projects means minimum roles allowed to create projects, I changed code like below.

  • Added the word minimum to the dropdown title.
  • Changed the dropdown item of Developers + Maintainers to Developers.
  • Renamed DEVELOPER_MAINTAINER_PROJECT_ACCESS to DEVELOPER_PROJECT_ACCESS throughout the codebase, including variable and method names of a similar nature. (Because DEVELOPER_MAINTAINER_PROJECT_ACCESS meant Developers + Maintainers.)
  • Added one test for user#manageable_groups after renamed the method's argument name. Because I found that there wasn't a test for it.
  • Changed the order of the dropdown items from highest to lowest roles.

References

#507410 (closed)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Please see the dropdown title, the item of Developers and the items' order.

  • Group settings
Before After
Screenshot_2025-02-01_at_17.00.40 Screenshot_2025-02-20_at_18.55.31
Screenshot_2025-02-01_at_17.00.49 Screenshot_2025-02-01_at_16.29.19
  • Group settings in admin area
Before After
Screenshot_2025-02-01_at_17.00.59 Screenshot_2025-02-20_at_18.55.44
Screenshot_2025-02-01_at_17.01.19 Screenshot_2025-02-01_at_16.32.08
  • Default settings in admin area
Before After
Screenshot_2025-02-01_at_17.01.29 Screenshot_2025-02-20_at_18.56.08

How to set up and validate locally

  1. Open gdk in a browser, and log in as an admin user.
  2. Open group settings. http://gdk.local:3000/groups/twitter/-/edit#js-permissions-settings
    See Minimum roles allowed to create projects. (Please read it differently, if your gdk's domain and group names are different)
  3. Open group settings in admin area. http://gdk.local:3000/admin/groups/twitter/edit
    See Minimum roles allowed to create projects.
  4. Open default settings in admin area. http://gdk.local:3000/admin/application_settings/general#js-visibility-settings
    See Default minimum roles for project creation protection.

Concern

I changed Roles allowed to create projects to Minimum roles allowed to create projects of the dropdown title in group settings. I think Roles allowed to create subgroups below it also means minimum roles. I suggest to add word minimum to it in another MR. Screenshot_2025-02-01_at_17.36.31

The reason why it means minimum is that Owner and Maintainer with ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS can create subgroups according to the following code.

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/policies/group_policy.rb#L330

rule { maintainer & maintainer_can_create_group }.enable :create_subgroup

https://gitlab.com/gitlab-org/gitlab/-/blob/master/app/policies/group_policy.rb#L20

condition(:maintainer) { access_level >= GroupMember::MAINTAINER }

Note

I found Gitlab::Access.project_creation_options in https://gitlab.com/gitlab-org/gitlab/-/blob/master/ee/app/views/admin/application_settings/_project_creation_level.html.haml#L6.
But I don't think this file is called from anywhere. So there isn't a screenshot.

Related to #507410 (closed)

Edited by Yasutaka Kono

Merge request reports