Do not allow assigning non-admin custom roles directly to users
What does this MR do and why?
Fixes a bug where it was possible to assign a regular (non-admin) custom role directly to a user.
Regular custom roles can be assigned only through group/project memberships; only admin custom roles may be attached directly to a user.
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
How to set up and validate locally
- Enable the feature flag in the rails console:

  ```ruby
  Feature.enable(:custom_ability_read_admin_dashboard)
  ```

- Create an admin custom role:

  ```graphql
  mutation {
    memberRoleAdminCreate(input: {
      name: "Admin area",
      permissions: [READ_ADMIN_DASHBOARD]
    }) {
      errors
      memberRole {
        id
        name
      }
    }
  }
  ```

- Assign the admin custom role to a user:

  ```graphql
  mutation {
    memberRoleToUserAssign(input: {
      userId: "gid://gitlab/User/USER_ID"
      memberRoleId: "gid://gitlab/MemberRole/MEMBER_ROLE_ID"
    }) {
      errors
      userMemberRole {
        id
        user {
          id
        }
        memberRole {
          id
        }
      }
    }
  }
  ```

- Verify in the rails console that the user member role relation was created, e.g.

  ```ruby
  Users::UserMemberRole.find_by_user_id(USER_ID)
  ```

- Create a regular custom role, e.g. using the `memberRoleCreate` mutation:

  ```graphql
  mutation {
    memberRoleCreate(input: {
      name: "Test Role",
      description: "This is a new test role",
      baseAccessLevel: GUEST,
      permissions: [READ_CODE]
    }) {
      errors
      memberRole {
        id
        name
      }
    }
  }
  ```

- Try to assign this regular role directly to a user:

  ```graphql
  mutation {
    memberRoleToUserAssign(input: {
      userId: "gid://gitlab/User/USER_ID"
      memberRoleId: "gid://gitlab/MemberRole/REGULAR_MEMBER_ROLE_ID"
    }) {
      errors
      userMemberRole {
        id
        user {
          id
        }
        memberRole {
          id
        }
      }
    }
  }
  ```

- You should get an error in the `errors` field and a null `userMemberRole`. You can also verify in the rails console that no user member role relation was created for the regular role, e.g.

  ```ruby
  Users::UserMemberRole.find_by_user_id(USER_ID)
  ```
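The validation steps above exercise one rule: a custom role may be attached directly to a user only when it is an admin custom role, while a regular role must go through a group or project membership. The Ruby below is an added example, not GitLab's code, that models that rule on constructed data so the accepted and rejected cases can be checked side by side. The `MemberRole` and `UserMemberRole` structs, the `ADMIN_PERMISSIONS` set, the `admin_related?` test (no base access level plus only Admin-area permissions) and the `UserMemberRoleStore` class are assumptions for illustration and are not GitLab internals.

```ruby
# Added example, not GitLab's code: a minimal model of the rule this MR
# enforces, i.e. a custom role may be assigned directly to a user only
# when it is an admin custom role. The struct names, ADMIN_PERMISSIONS
# and the method names below are assumptions, not GitLab internals.
require 'set'

# Permissions that belong to the Admin area rather than to a group or
# project (assumed set; the page only uses READ_ADMIN_DASHBOARD).
ADMIN_PERMISSIONS = Set[:read_admin_dashboard].freeze

MemberRole = Struct.new(:id, :name, :base_access_level, :permissions, keyword_init: true) do
  # Assumption: an admin custom role has no group/project base access
  # level and carries only Admin-area permissions, mirroring the two
  # roles created in the validation steps (admin: no baseAccessLevel and
  # READ_ADMIN_DASHBOARD; regular: GUEST plus READ_CODE). A role mixing
  # admin and non-admin permissions is not admin-related.
  def admin_related?
    base_access_level.nil? &&
      !permissions.empty? &&
      permissions.all? { |perm| ADMIN_PERMISSIONS.include?(perm) }
  end
end

# Stands in for the Users::UserMemberRole table: one row per (user, role).
UserMemberRole = Struct.new(:id, :user_id, :member_role_id, keyword_init: true)

class UserMemberRoleStore
  def initialize
    @rows = []
  end

  def find_by_user_id(user_id)
    @rows.find { |row| row.user_id == user_id }
  end

  # Mirrors the shape of memberRoleToUserAssign: returns a hash with
  # :errors and :user_member_role. The guard is the point of the MR:
  # without it any custom role could be attached to a user directly,
  # bypassing the group/project membership that scopes regular roles.
  def assign(user_id:, member_role:)
    unless member_role.admin_related?
      return {
        errors: ["Only admin custom roles can be assigned directly to a user; " \
                 "assign '#{member_role.name}' through a group or project membership"],
        user_member_role: nil
      }
    end

    row = UserMemberRole.new(id: @rows.size + 1, user_id: user_id, member_role_id: member_role.id)
    @rows << row
    { errors: [], user_member_role: row }
  end
end

# Walks the validation steps from this MR description on constructed data:
# an admin role assigned to user 10 (accepted) and a regular role assigned
# to user 20 (rejected, no relation written).
def run_validation_scenario
  store = UserMemberRoleStore.new
  admin_role = MemberRole.new(id: 1, name: 'Admin area', base_access_level: nil,
                              permissions: [:read_admin_dashboard])
  regular_role = MemberRole.new(id: 2, name: 'Test Role', base_access_level: :guest,
                                permissions: [:read_code])

  admin_result = store.assign(user_id: 10, member_role: admin_role)
  regular_result = store.assign(user_id: 20, member_role: regular_role)

  {
    admin: admin_result,
    regular: regular_result,
    user_10_relation: store.find_by_user_id(10),
    user_20_relation: store.find_by_user_id(20)
  }
end
```

The check lives in the assignment path rather than in the GraphQL layer so that a rails-console `create` on the relation is rejected the same way as the mutation; the console lookup in the last validation step is what confirms that no row was written for the regular role.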
Related to #516892 (closed)
Edited by Jarka Košanová