Fix error when fetching custom roles when used in policies

Issue Summary

This MR fixes a bug where admin users can't view the Roles and Permissions page in Admin settings when a project has an MR approval policy that:

  1. Has a custom role assigned as an approver
  2. Uses a compliance frameworks policy scope

The issue occurs because when trying to fetch roles in this specific scenario, we attempt to access root_ancestor when it's nil, resulting in a NoMethodError: undefined method 'root_ancestor' for nil:NilClass error.

Root Cause

The error happens in SecurityOrchestrationPolicies::PolicyScopeFetcher when:

  1. The page tries to fetch all custom roles (without a specific container context)
  2. The fetcher attempts to resolve compliance frameworks from the policy scope
  3. The code tries to access root_ancestor without first checking if it's nil

Solution

Two key changes:

  1. Add a guard clause in the root_ancestor method to return early if container is nil
  2. Modify the compliance_frameworks method to query all frameworks when root_ancestor is nil

These changes ensure that even when the container is nil (like when viewing the Admin Roles page), we can still fetch roles that are referenced in security policies with compliance framework scopes.

Testing

Added a new test case that covers the scenario where container is nil, verifying that the fix works properly.

Related Issues

Fixes Error fetching custom roles when used in projec... (#523100 - closed)

Edited by Alan (Maciej) Paruszewski
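
The nil-container failure and the two changes described above, as an added Ruby sketch that is not code from this merge request or from GitLab. The struct and class names, the in-memory framework list and the policy scope hash are all hypothetical stand-ins built for illustration.

```ruby
# Hypothetical stand-ins for illustration; these are not GitLab's classes.
Framework = Struct.new(:id, :namespace_id)
RootNamespace = Struct.new(:id) { def root_ancestor; self; end }
Project = Struct.new(:namespace) { def root_ancestor; namespace.root_ancestor; end }

# Constructed sample data: frameworks 1 and 2 sit under namespace 10, 3 under 20.
FRAMEWORKS = [Framework.new(1, 10), Framework.new(2, 10), Framework.new(3, 20)].freeze
POLICY_SCOPE = { compliance_frameworks: [{ id: 1 }, { id: 3 }] }.freeze

class FetcherBefore
  def initialize(policy_scope, container)
    @scope_ids = policy_scope.fetch(:compliance_frameworks, []).map { |f| f[:id] }
    @container = container
  end

  # Dereferences the container unconditionally: a nil container raises NoMethodError.
  def compliance_frameworks
    root = @container.root_ancestor
    FRAMEWORKS.select { |f| f.namespace_id == root.id && @scope_ids.include?(f.id) }
  end
end

class FetcherAfter < FetcherBefore
  # With no root ancestor, match the policy's framework IDs against all frameworks.
  def compliance_frameworks
    root = root_ancestor
    pool = root ? FRAMEWORKS.select { |f| f.namespace_id == root.id } : FRAMEWORKS
    pool.select { |f| @scope_ids.include?(f.id) }
  end

  private

  # Guard clause: return early (nil) when there is no container.
  def root_ancestor
    return if @container.nil?
    @container.root_ancestor
  end
end

# Returns the matched framework IDs, or the error class name if the lookup raised.
def framework_ids(fetcher_class, container)
  fetcher_class.new(POLICY_SCOPE, container).compliance_frameworks.map(&:id)
rescue NoMethodError => e
  e.class.name
end
```

In the nil branch of this sketch the lookup is no longer limited to one namespace hierarchy; only the IDs named in the policy scope restrict the result.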
