Skip to content

Fix auth for epics advanced search

Terri Churequested to merge
494629-fix-group-level-auth-filters into master

What does this MR do and why?

This MR refactors a few things:

  • refactor group level auth search (specifically used for group level work items that use namespace_visibility_level instead of project_visibility_level + feature access levels to control access)
    • use traversal_ids optimization to reduce number of groups being sent in ES queries
    • support access granted to shared group users
    • support access granted to users who are direct members of a project in the group hierarchy (see !183437 (comment 2382131654))
  • dev docs + specs updates

AI summary

This change introduces a new filter called by_search_level_and_group_membership to replace the older by_group_level_authorization filter in GitLab's advanced search functionality. The new filter improves how search permissions are handled when searching content that doesn't have a project ID field. It enhances the search experience by properly filtering results based on a user's group membership and visibility levels.

The implementation adds support for traversal IDs from authorized projects, which allows the system to correctly determine what content a user should be able to see in search results. The code also includes better handling of different search contexts (global, group-specific) and visibility levels (public, internal, private).

The changes include comprehensive test coverage for various user permission scenarios, ensuring that users only see search results they have permission to access. Documentation has been updated to explain when to use this new filter instead of other similar filters.

References

Please include cross links to any resources that are relevant to this MR. This will give reviewers and future readers helpful context to give an efficient review of the changes introduced.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

N/A

How to set up and validate locally

2025-03-07_14-21-088_permissions-test-public-group_export.tar.gz

  1. setup gdk for elasticsearch
  2. import the group attached above
  3. test search with users
    • user with guest role in private subgroup
    • user with planner role in private subgroup
    • user with no access in any of the group hierarchy
    • user with guest access to a private project in a private subgroup
    • anonymous user
    • admin user
  4. verify that you can see the records that the user should see
user/role namespace visibility non-confidential? confidential?
anonymous PUBLIC
anonymous INTERNAL
anonymous PRIVATE
logged in PUBLIC
logged in INTERNAL
logged in PRIVATE
GUEST PUBLIC
GUEST INTERNAL
GUEST PRIVATE
PLANNER+ PUBLIC
PLANNER+ INTERNAL
PLANNER+ PRIVATE
GUEST IN PROJECT PUBLIC
GUEST IN PROJECT INTERNAL
GUEST IN PROJECT PRIVATE

Related to #494629 (closed)

Edited by Terri Chu

Merge request reports