Use new auth filter in merge requests

What does this MR do and why?

This MR introduces use of the new query builder authorization filter in merge request search, behind a FF.

Changes (generated by Duo)

  • Created feature flag search_advanced_merge_requests_new_auth_filter to enable new authorization filter for merge request searches
  • Updated MergeRequestQueryBuilder to conditionally use by_search_level_and_membership (new filter) when feature flag is enabled, or by_project_authorization (old filter) when disabled
  • Added comprehensive specs to test both feature flag enabled and disabled scenarios, ensuring proper filter selection and backward compatibility
  • Implemented gradual rollout mechanism for improved query performance while maintaining safe rollback capability

References

Relates to issue #491211

How to set up and validate locally

  1. Enable Elasticsearch in GDK
  2. Perform searches at global, group, and project level for * (note how many merge requests you get)
  3. Enable the FF search_advanced_merge_requests_new_auth_filter
  4. Perform the same searches, make sure the numbers match
  5. Repeat with a non-admin user
  6. Repeat with an anonymous user

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Terri Chu
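
An added example (not part of this MR or of GitLab's code) of the comparison in the validation steps above. It goes slightly beyond them by comparing result IDs rather than counts, since two authorization filters can return the same number of merge requests but different ones. The persona and level names and the ID lists are constructed sample data, assumed to have been recorded from the searches with the flag off and on.

```ruby
require "set"

# Assumed labels for the three search levels and three users in the steps above.
LEVELS   = %i[global group project].freeze
PERSONAS = %i[admin non_admin anonymous].freeze

# Compare merge request IDs returned with the old filter (flag off) and the
# new filter (flag on) for every persona/level pair.
def compare_auth_filters(old_results, new_results)
  PERSONAS.product(LEVELS).map do |persona, level|
    key     = [persona, level]
    old_ids = Set.new(old_results.fetch(key, []))
    new_ids = Set.new(new_results.fetch(key, []))
    {
      persona: persona,
      level: level,
      count_match: old_ids.size == new_ids.size,
      # Returned only by the new filter: possible over-exposure.
      exposed: (new_ids - old_ids).to_a.sort,
      # Returned only by the old filter: results lost after the switch.
      hidden: (old_ids - new_ids).to_a.sort
    }
  end
end

# Rows where the two filters disagree, even when the counts are equal.
def failures(report)
  report.reject { |row| row[:exposed].empty? && row[:hidden].empty? }
end

# Constructed sample data: IDs seen when searching for "*" with the flag off.
OLD = {
  [:admin, :global] => [1, 2, 3, 4], [:admin, :group] => [1, 2, 3], [:admin, :project] => [1, 2],
  [:non_admin, :global] => [1, 2, 3], [:non_admin, :group] => [1, 2], [:non_admin, :project] => [1, 2],
  [:anonymous, :global] => [1, 2], [:anonymous, :group] => [1], [:anonymous, :project] => [1]
}.freeze

# Constructed sample data with the flag on: the anonymous global search still
# returns two merge requests, but one of them (4) was admin-only before.
NEW = OLD.merge([:anonymous, :global] => [1, 4]).freeze

REPORT = compare_auth_filters(OLD, NEW)

failures(REPORT).each do |row|
  puts "#{row[:persona]}/#{row[:level]}: count_match=#{row[:count_match]} " \
       "exposed=#{row[:exposed]} hidden=#{row[:hidden]}"
end
```
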
