Prevent transfers involving archived groups and projects

Abdul Wadoodrequested to merge
567161-prevent-transfer-when-archived into master

What does this MR do and why?

Add authorization controls to prevent transferring projects or groups to/from archived groups. Introduce a new 'change_group' permission that is disabled for archived groups, replacing the broader 'admin_group' permission for transfer operations.

Update GroupsController, API endpoints, and transfer service to use the new 'authorize_change_group!' method. Add 'change_namespace' to archived abilities to ensure consistent permission handling across the namespace hierarchy.

References

Screenshots or screen recordings

Before After
image image

How to set up and validate locally

  1. Enable the feature flag in the Rails console: Feature.enable :archive_group
  2. Create a new group and go to Settings -> General -> Advanced.
  3. There's an option to transfer the group.
  4. Now archive the group, and the option to transfer the group is now hidden.
  5. Repeat steps 2-4 for a new project.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #567161 (closed)

Merge request reports