
Deny invitations to projects on SAML user management lock

What does this MR do and why?

Usually, admins, owners, and maintainers can create invitations for projects via the API. When group memberships are locked, SAML is enabled for the group, and a SAML Group Sync exists, we deny the creation of a project invitation for non-admins (owners and maintainers). This mirrors the group invitations API, where we already deny the creation of invitations for non-admins (owners) when the same conditions are met.
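As an added illustration of the rule described above (this is example code, not GitLab's own policy implementation), the following hypothetical Ruby model decides whether an actor may create a project invitation. The access-level constants, the `GroupSettings` and `Actor` structs, and the `invitation_status` helper are assumptions introduced for the example; only the decision logic (admins pass, everyone else is denied when the group is locked, SAML-enabled and has a group link) follows the MR description.

```ruby
# Hypothetical model of the authorization rule from the MR description.
# Not GitLab's code; structs and constants below are assumptions for the example.

# Assumed access-level ranking, mirroring the numeric levels used by the API
# (40 = maintainer, 50 = owner).
MAINTAINER = 40
OWNER = 50

# Constructed representation of the group settings the rule looks at.
GroupSettings = Struct.new(:membership_lock, :saml_enabled, :saml_group_links, keyword_init: true)

# Constructed representation of the requesting user.
Actor = Struct.new(:admin, :access_level, keyword_init: true)

# A group is "SAML-managed" when all three conditions from the MR hold:
# memberships are locked, SAML is enabled, and at least one SAML group link exists.
def saml_managed?(group)
  group.membership_lock && group.saml_enabled && !group.saml_group_links.empty?
end

# Returns true when the actor may create a project invitation.
def can_create_invitation?(actor, group)
  # Below maintainer there is no invitation permission at all.
  return false if actor.access_level < MAINTAINER

  # Instance admins bypass the SAML lock.
  return true if actor.admin

  # Owners and maintainers are denied once the group is SAML-managed.
  !saml_managed?(group)
end

# Maps the decision onto the HTTP status the API would return (201 created / 403 forbidden).
def invitation_status(actor, group)
  can_create_invitation?(actor, group) ? 201 : 403
end

# Constructed sample data: a locked, SAML-enabled root group with one group link.
LOCKED_GROUP = GroupSettings.new(
  membership_lock: true,
  saml_enabled: true,
  saml_group_links: ['saml-group-link-1']
)

# The same group without a group link: the lock does not apply yet.
UNLINKED_GROUP = GroupSettings.new(
  membership_lock: true,
  saml_enabled: true,
  saml_group_links: []
)

MAINTAINER_USER = Actor.new(admin: false, access_level: MAINTAINER)
OWNER_USER      = Actor.new(admin: false, access_level: OWNER)
ADMIN_USER      = Actor.new(admin: true,  access_level: OWNER)
DEVELOPER_USER  = Actor.new(admin: false, access_level: 30)

if __FILE__ == $PROGRAM_NAME
  puts "maintainer on locked group: #{invitation_status(MAINTAINER_USER, LOCKED_GROUP)}"
  puts "admin on locked group:      #{invitation_status(ADMIN_USER, LOCKED_GROUP)}"
  puts "owner on unlinked group:    #{invitation_status(OWNER_USER, UNLINKED_GROUP)}"
end
```

Running the file prints the status each sample actor would receive; the maintainer case corresponds to the 403 expected in the validation steps of this MR.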

References

Screenshots or screen recordings

How to set up and validate locally

Enable SAML following the instructions here, and follow the reproduction steps here.

  1. Enable group membership lock: https://docs.gitlab.com/user/group/saml_sso/group_sync/#lock-group-memberships
  2. Enable "Enable SAML authentication for this group" in your root group.
  3. Create a SAML group sync for your root group under Settings -> SAML Group Links.

Try to create an invitation via the API by executing the following command. Use the maintainer user ID for the request.

curl --request POST --header "PRIVATE-TOKEN: XXX" --data "user_id=<USER-ID>&access_level=40" "http://localhost:3000/api/v4/projects/<SAML-PROJECT-ID>/invitations"

The request should be rejected with a 403 status code. 🎉

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Lukas Wanko
