Add two missing .root_ancestors
What does this MR do and why?
Add two missing .root_ancestors
Check the admin permission on the root ancestor so that only top-level group owners/maintainers can manage attributes
Render 403 for page when user has no permission
References
I have a user named testuser who has owner-level permissions in one of the subgroups [...] I can still access the group's security configuration and attempt to create a category or attribute, which results in a permission issue error.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #578199 (closed)
Edited by Miranda Fluharty
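The difference between authorizing against the viewed group and against its root ancestor, as an added example that is not GitLab's code or part of this MR. The `Group` class, the `page_status_before` and `page_status_after` helpers and the sample hierarchy are constructed for illustration, and the model assumes membership is inherited downward from ancestor groups.

```ruby
# Constructed model of the check described in this MR; not GitLab's code.
MAINTAINER = 40
OWNER = 50

class Group
  attr_reader :name, :parent, :members

  def initialize(name, parent: nil, members: {})
    @name = name
    @parent = parent
    @members = members # { username => access level }, direct memberships only
  end

  # Walk up the hierarchy to the top-level group.
  def root_ancestor
    parent ? parent.root_ancestor : self
  end

  # Effective access: highest level held on this group or any ancestor
  # (assumption: memberships are inherited by subgroups).
  def max_access_level(user)
    own = members.fetch(user, 0)
    parent ? [own, parent.max_access_level(user)].max : own
  end
end

# Before: the page authorizes against the group being viewed, so a
# subgroup owner gets the page even though attributes are managed at the root.
def page_status_before(user, group)
  group.max_access_level(user) >= MAINTAINER ? 200 : 403
end

# After: authorize against the root ancestor, so the page and the
# attribute management actions agree on who is allowed.
def page_status_after(user, group)
  group.root_ancestor.max_access_level(user) >= MAINTAINER ? 200 : 403
end

# Constructed hierarchy: testuser is an owner of the subgroup only.
ROOT = Group.new("top", members: { "rootowner" => OWNER })
SUB  = Group.new("sub", parent: ROOT, members: { "testuser" => OWNER })

puts page_status_before("testuser", SUB)
puts page_status_after("testuser", SUB)
puts page_status_after("rootowner", SUB)
```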