Fix confidential filters for epics advanced search
What does this MR do and why?
This MR refactors a few things:
- group confidentiality filters now use the traversal_ids optimization to reduce the number of groups being sent in the queries to Elasticsearch
- group confidentiality for group work items (epics) now supports the planner role
- refactor work item group query builder with a few override methods to improve readability and add specs
AI summary
This merge request enhances the search functionality for groups and work items in GitLab. It introduces more granular access controls for confidential and non-confidential items, allowing different minimum access levels to be set for each. The changes improve the filtering of search results based on user permissions and group visibility levels, ensuring users only see content they're authorized to access. The code also adds support for traversal IDs, which helps in efficiently filtering nested groups and their descendants. Additionally, it refactors some existing methods to be more flexible and adds new options for specifying access levels. Overall, these changes aim to provide more accurate and secure search results while maintaining performance.
References
Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.
- Related to #494629 (closed)
- https://docs.gitlab.com/user/group/epics/manage_epics/#who-can-view-an-epic
- Add new static role Planner (!169256 - merged)
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
N/A
How to set up and validate locally
I performed some setup for this and exported my test group. The hierarchy setup:
public top level group --> internal sub group (1 level down) --> internal private group (2 levels down)
in each group, add two epics (one confidential and one non-confidential) with a common word in title or description
2025-03-05_08-48-378_permissions-test-public-group_export.tar.gz
- set up GDK for Elasticsearch
- import the group attached above
- test search with users
  - user with guest role in private subgroup
  - user with planner role in private subgroup
  - user with no access in any of the group hierarchy
  - anonymous user
  - admin user
- verify that you can see the records that the user should see (see table in !183437 (comment 2379138465))
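
The traversal_ids reduction and the separate minimum access levels for confidential and non-confidential items, sketched as an added example (not code from this MR or from GitLab). It models only the membership part of the filter and leaves out group visibility levels. The method names, the `"1-2-3-"` string form of `traversal_ids`, the document shape and the Planner default for confidential items are assumptions.

```ruby
# Added illustration: names and document shape are assumptions, not GitLab code.
GUEST = 10
PLANNER = 15

# Constructed hierarchy: group id => traversal_ids (path from root to the group).
GROUPS = {
  1 => [1],       # public top-level group
  2 => [1, 2],    # internal subgroup
  3 => [1, 2, 3], # private sub-subgroup
  4 => [4]        # unrelated group
}.freeze

# Serialize a path so a descendant's value starts with its ancestor's value.
# The trailing "-" keeps "1-" from matching group 10 ("10-").
def prefix_for(traversal_ids)
  "#{traversal_ids.join('-')}-"
end

# Groups where direct membership meets min_level, reduced to the topmost ones:
# a descendant is already covered by its ancestor's prefix.
def authorized_prefixes(memberships, min_level)
  prefixes = memberships.select { |_id, level| level >= min_level }
                        .keys.map { |id| prefix_for(GROUPS.fetch(id)) }
  prefixes.reject { |p| prefixes.any? { |o| o != p && p.start_with?(o) } }.sort
end

# Membership filter as a Hash in Elasticsearch bool/term/prefix form.
def membership_filter(memberships, confidential_min: PLANNER, non_confidential_min: GUEST)
  branches = { false => non_confidential_min, true => confidential_min }.filter_map do |conf, min|
    prefixes = authorized_prefixes(memberships, min)
    next if prefixes.empty?

    { bool: { filter: [{ term: { confidential: conf } }],
              should: prefixes.map { |p| { prefix: { traversal_ids: p } } },
              minimum_should_match: 1 } }
  end
  return { match_none: {} } if branches.empty?

  { bool: { should: branches, minimum_should_match: 1 } }
end

# Local evaluation of the same rule against one indexed document.
def visible?(doc, memberships, confidential_min: PLANNER, non_confidential_min: GUEST)
  min = doc[:confidential] ? confidential_min : non_confidential_min
  authorized_prefixes(memberships, min).any? { |p| doc[:traversal_ids].start_with?(p) }
end
```

A user with no qualifying membership gets `match_none` rather than an empty `should` list, so the membership filter fails closed.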