Draft: Add role-based permission check for foreground execution in project scope
What does this MR do and why?
Adds a role-based permission check to ProjectPolicy for foreground execution of Agentic Chat (WebUI and IDE) in a Project context.
References
Screenshots or screen recordings
| | IDE | WebUI |
|---|---|---|
| User doesn't meet the minimum role for foreground execution | | |
| User meets the minimum role for foreground execution | | |
Feature flags
- GitLab.com: `Feature.enable(:dap_group_customizable_permissions, <top_level_group>)`
- Self-managed: `Feature.enable(:dap_instance_customizable_permissions)`
How to set up and validate locally
WebUI testing steps
- Check out this branch
- Start GDK
- Using a group and project with DAP enabled, such as http://gdk.test:3000/gitlab-duo
  - Update the configurable minimum access level for foreground execution

    ```ruby
    group = Group.find 1000000
    group.ai_settings.update!(minimum_access_level_execute: ::Gitlab::Access::DEVELOPER)
    ```
  - Sign in as a user with Guest, Planner, or Reporter
  - Navigate to the project page, such as http://gdk.test:3000/gitlab-duo/test
  - Verify that the user only has access to Duo Chat (classic); Agentic Chat is disabled
  - Repeat step 3, this time lowering the minimum access level, e.g.

    ```ruby
    group.ai_settings.update!(minimum_access_level_execute: ::Gitlab::Access::GUEST)
    ```
  - Verify that the same user still has access to Duo Chat (classic), and Agentic Chat is enabled
IDE testing steps
- Set up Duo Agent Platform in your local IDE
- Check out this branch
- Open your IDE with the `gitlab-duo/test` project
- Follow step 3 from WebUI testing steps
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.



