Make file-based import respect group-level membership lock
What does this MR do and why?
For EE, we can prevent direct members being added to projects. Project import doesn't currently respect this setting, and this MR updates the project import code to check the membership lock on an importable before creating the direct members.
Changelog: changed
References
https://gitlab.com/gitlab-org/gitlab/-/issues/559224
How to set up and validate locally
- Create a project and invite a direct member to it.
- Trigger a file-based export of that project.
- Create a group.
- Import the project into this group using an admin account/token [1].
- The imported project should have two direct members:
  - You.
  - The user you invited in step 1.
- Go to the group settings (/groups/membership-demo-dest/-/edit#js-permissions-settings) and enable "Users cannot be added to projects in this group".
- Import the project using an admin account/token again.
- The project should have no direct memberships, only your inherited membership from the parent group.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
[1] Exported users are only taken into account when an admin token is used, so for imports performed by non-admin users, this MR doesn't make a difference.
Edited by James Nutt
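The behaviour described above, modelled as an added example that is not GitLab's code or part of this MR: the class, method and user names are hypothetical, and treating the importing user as a direct member of an unlocked destination is an assumption of the sketch.

```ruby
# Added illustration; Group, Project and MemberImporter are hypothetical
# stand-ins, not GitLab classes.
Group = Struct.new(:name, :membership_lock, :members, keyword_init: true)

Project = Struct.new(:name, :group, :direct_members, keyword_init: true) do
  # Effective membership: direct members plus those inherited from the group.
  def all_members
    (direct_members + group.members).uniq
  end
end

class MemberImporter
  def initialize(exported_members:, importer:, importer_is_admin:)
    @exported_members = exported_members
    @importer = importer
    @importer_is_admin = importer_is_admin
  end

  # Users that will be created as direct members of the imported project.
  def direct_members_for(group)
    # The check the MR describes: consult the lock on the importable's
    # destination before creating any direct member.
    return [] if group.membership_lock

    # Per the footnote, exported users only count for admin imports.
    candidates = @importer_is_admin ? @exported_members : []
    # Assumption of this sketch: the importing user is a direct member too.
    ([@importer] + candidates).uniq
  end

  def import(name, group)
    Project.new(name: name, group: group,
                direct_members: direct_members_for(group))
  end
end

# Constructed sample data mirroring the validation steps.
def demo_import(lock:, admin:)
  group = Group.new(name: "membership-demo-dest",
                    membership_lock: lock, members: ["you"])
  MemberImporter.new(exported_members: ["you", "invited-user"],
                     importer: "you",
                     importer_is_admin: admin).import("demo", group)
end
```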