Add cross project read permission check in search

What does this MR do and why?

Found while working on !193188 (merged) and decided to split the changes out of it.

Note: by_search_level_and_membership handles project-level permission checks for searches. by_search_level_and_group_membership handles group-level permission checks for searches (and is only used for epics today). In the future, the methods will likely be combined.

This change adds a security restriction to GitLab's search functionality. When users don't have permission to read across different projects (a setting often used with external authorization systems), they are now blocked from performing global searches and group-level searches. Instead of returning search results they shouldn't see, the system now returns no results at all for these restricted users. The change includes test files to verify this new behavior works correctly in different scenarios.
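To make the behaviour concrete, here is an added illustration that is not GitLab's code and not part of this MR: a small Ruby model of a search service with the guard described above. The class and method names (SearchService, User, Project, Issue, readable_project_ids) are hypothetical, the sample projects and issues are constructed, and the assumption that project-level searches are unaffected follows from the description naming only global and group scopes.

```ruby
# Hypothetical model of the MR's permission gate (not GitLab's implementation).
User    = Struct.new(:name, :read_cross_project, :project_ids, :group_ids, keyword_init: true)
Project = Struct.new(:id, :group_id, :public, keyword_init: true)
Issue   = Struct.new(:id, :project_id, :title, keyword_init: true)

class SearchService
  SCOPES = %i[global group project].freeze

  def initialize(projects:, issues:)
    @projects = projects
    @issues = issues
  end

  # Returns the issues matching +query+ at the given search level.
  # level: :global, :group (needs group_id) or :project (needs project_id).
  def search(user, query, level:, group_id: nil, project_id: nil)
    raise ArgumentError, "unknown level #{level}" unless SCOPES.include?(level)

    # The guard this MR adds: a user without cross-project read permission gets
    # no results at all from global or group-level searches, rather than a
    # membership-filtered subset.
    return [] if %i[global group].include?(level) && !user.read_cross_project

    candidate_projects =
      case level
      when :global  then @projects
      when :group   then @projects.select { |p| p.group_id == group_id }
      when :project then @projects.select { |p| p.id == project_id }
      end

    readable_ids = readable_project_ids(user, candidate_projects)

    @issues.select do |issue|
      readable_ids.include?(issue.project_id) &&
        issue.title.downcase.include?(query.downcase)
    end
  end

  private

  # Plays the role the MR attributes to by_search_level_and_membership:
  # keep public projects plus those the user belongs to directly or via group.
  def readable_project_ids(user, projects)
    projects.select do |p|
      p.public || user.project_ids.include?(p.id) || user.group_ids.include?(p.group_id)
    end.map(&:id)
  end
end

# Constructed sample data (not from the MR).
PROJECTS = [
  Project.new(id: 1, group_id: 10, public: true),
  Project.new(id: 2, group_id: 10, public: false),
  Project.new(id: 3, group_id: 20, public: false)
].freeze
ISSUES = [
  Issue.new(id: 1, project_id: 1, title: "Rotate API token"),
  Issue.new(id: 2, project_id: 2, title: "Token leak in CI logs"),
  Issue.new(id: 3, project_id: 3, title: "Expired token handling")
].freeze
SERVICE = SearchService.new(projects: PROJECTS, issues: ISSUES)

# Same memberships (project 2, group 20); only the cross-project flag differs.
RESTRICTED = User.new(name: "restricted", read_cross_project: false, project_ids: [2], group_ids: [20])
ALLOWED    = User.new(name: "allowed",    read_cross_project: true,  project_ids: [2], group_ids: [20])

# Runs the same query at each level for both users and returns matched issue ids.
def demo
  {
    restricted_global:  SERVICE.search(RESTRICTED, "token", level: :global).map(&:id),
    restricted_group:   SERVICE.search(RESTRICTED, "token", level: :group, group_id: 10).map(&:id),
    restricted_project: SERVICE.search(RESTRICTED, "token", level: :project, project_id: 2).map(&:id),
    allowed_global:     SERVICE.search(ALLOWED, "token", level: :global).map(&:id),
    allowed_group_10:   SERVICE.search(ALLOWED, "token", level: :group, group_id: 10).map(&:id)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The restricted user still gets results from a project-level search of a project they belong to, while global and group searches return an empty set before any membership filtering runs; the allowed user sees the membership-filtered results at every level.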

References

Screenshots or screen recordings


How to set up and validate locally

  1. Enable Advanced Search in GDK (Admin > Search).
  2. Turn off the cross-project read permission for a user by whatever means is convenient.
  3. Perform a global search.
  4. You should not get any results.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu
