Fix project creation permissions for users in shared groups

Shane Maglangitrequested to merge
411294-fix-group-project-creation-permission-inheritance into master

What does this MR do and why?

Fix project creation permissions for users in shared groups

Users were unable to create projects when:

  1. User belongs to a group with project creation disabled
  2. A group with project creation enabled is shared with the first group

The shared group's project creation settings should take precedence over the source group's restrictions, allowing users to create projects in the target group regardless of their source group's limitations.

This is resolved by fixing a logical bug on how we derive the user's permission to select a namespace.

Changelog: fixed

References

Related to #411294 (closed)

Screenshots or screen recordings

Before After
image image

How to set up and validate locally

  1. Start with a fresh user, without access to any other groups or namespaces
  2. Create Group Developers
  3. Configure Group Developers with Roles allowed to create projects = "No One"
  4. Assign user Danny Developer to this group with Developer access
  5. Create and configure another group Projects with Roles allowed to create projects = "Developers + Maintainers"
  6. Invite group Developers to Projects with Developer access.
  7. Log in as Danny Developer, and click on the "Create new project" button

Before: The namespace dropdown is disabled. By default it would pre-select the user's namespace.

After: The namespace dropdown is enabled. The user can select either their own namespace or the Projects namespace.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Shane Maglangit

Merge request reports