Zoekt search support group and shared group access
What does this MR do and why?
This MR introduces traversal_ids support in exact code search for:
- access at group level
- access at group level through a shared group
NOTE: this does not support for access with a custom role, that will be handled in a separate MR
AI Summary
This code refactors the search authorization system to improve how user permissions are handled when searching through code repositories. The main changes include:
Simplified Authorization Logic: The code removes complex, deprecated methods for checking user permissions and replaces them with cleaner, more maintainable approaches. It eliminates redundant code that was checking the same permissions in multiple ways.
Better Caching: The system now uses request-level caching to store user authorization data, which should improve performance by avoiding repeated database queries for the same user's permissions during a single request.
New Access Branch Builder: A new component called AccessBranchBuilder was created to handle the complex logic of determining what repositories a user can access based on their permissions. This separates concerns and makes the code more organized.
Improved Permission Filtering: The code now handles different visibility levels (public, internal, private) more systematically, creating specific "branches" of access rules for each type. This makes it clearer what content users can see based on their access levels.
Updated Test Fixtures: The test data was updated to reflect the new structure, showing how the permission filters are now organized differently but achieve the same security goals.
Overall, this refactoring maintains the same security behavior while making the code more efficient, easier to understand, and better organized for future maintenance.
References
- Related to Support group access for zoekt traversal ids (#557409 - closed)
- Work broken up into 3 MRs
- code re-organization - !202287 (merged)
-
⭐ group access and shared group access support - !201019 (merged) - custom role
:read_codeaccess support - !202293 (merged)
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
- enable zoekt in gdk
- create a non-admin user
- setup a few test groups/projects
- private group:
Private Group ORANGE- private project:
Private Project ORANGE
- private project:
- public group:
Public Group PURPLE- private project:
Private Project PURPLE - public project:
Public Project PURPLE- feature_access_level: Team members only
- private project:
- private group:
Private Shared Group, give userREPORTERrole access to this group
- test the following situations by logging in with the non-admin user and running searches at global/group level
- I searched for
PURPLE or ORANGEusing regex search
Remove the user from all groups before testing the next situation. The user should be able only see records from
| Grant access to Group | Who has access? | What Role? | Private Project ORANGE |
Private Project PURPLE |
Public Project PURPLE |
|---|---|---|---|---|---|
Private Group ORANGE |
user | GUEST |
|||
Private Group ORANGE |
user | REPORTER |
|||
Public Group PURPLE |
user | GUEST |
|||
Public Group PURPLE |
user | REPORTER |
|||
Private Group ORANGE |
Private Shared Group |
GUEST |
|||
Private Group ORANGE |
Private Shared Group |
REPORTER |
|||
Public Group PURPLE |
Private Shared Group |
GUEST |
|||
Public Group PURPLE |
Private Shared Group |
REPORTER |
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.