Fix search auth for inherited group membership
What does this MR do and why?
This MR fixes a bug with project search when a user is granted access in a shared group where they have inherited access. I've included the documentation in references on how shared group access to projects works when the user access is inherited. For group-project sharing, all members (direct and inherited) are shared.
NOTE: The implementation differs for group-group sharing, where only direct members are shared. Group membership through shared inheritance is not supported.
AI Summary
This change expands how the system finds projects that users can access through group memberships. Previously, it only looked for projects shared directly with groups the user belonged to. Now it also includes projects shared with any child groups (subgroups) of those groups, creating a hierarchical access system where parent group membership grants access to projects shared with descendant groups.
The tests were updated to verify both scenarios work correctly - direct group sharing and inheritance through parent-child group relationships. The change also maintains existing security by still respecting expiration dates on project sharing links.
References
- https://docs.gitlab.com/user/project/members/sharing_projects_groups/#sharing-projects
- Related to Advanced Search fails to return results for use... (#580918)
How to set up and validate locally
Setup groups and projects
- Group 1 (top level)
  - Sub Group 1
- Group 2
  - Project 2
Setup access
- Assign a non-root user as owner of Group 1
- Invite Sub Group 1 as Reporter to Group 2
Verify the fix
- Enable Elasticsearch for GDK
- Log in as the user from above
- Perform project-level searches in Project 2
- The user should see results
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
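
The lookup change described above, as an added example that is not code from this MR or from GitLab: a small Ruby model that compares a direct-groups-only lookup with one that also walks descendant groups, while still dropping expired shares. The structs, constants and method names are hypothetical, the data is constructed (group names borrowed from the setup steps, the share modelled as a project-to-group link), and treating a share as valid only while `expires_at` is unset or in the future is an assumption of this sketch.

```ruby
require 'date'

# Hypothetical in-memory model; none of these names are GitLab's own.
Group = Struct.new(:id, :name, :parent_id)
Link  = Struct.new(:project, :group_id, :expires_at) # project shared with a group

# Constructed sample data.
GROUPS = [
  Group.new(1, 'Group 1', nil),
  Group.new(2, 'Sub Group 1', 1),
  Group.new(3, 'Group 2', nil)
].freeze

# user => ids of groups where the user is a direct member
DIRECT_MEMBERSHIPS = { 'owner_user' => [1] }.freeze

LINKS = [
  Link.new('Project 2', 2, nil),                  # shared with Sub Group 1, no expiry
  Link.new('Project 3', 2, Date.new(2020, 1, 1))  # constructed share that has expired
].freeze

# Returns the given group ids plus every descendant group id (breadth-first).
def descendant_ids(group_ids)
  found = group_ids.dup
  frontier = group_ids
  until frontier.empty?
    frontier = GROUPS.select { |g| frontier.include?(g.parent_id) }.map(&:id) - found
    found.concat(frontier)
  end
  found
end

# Projects reachable through group shares. With include_descendants: false this
# is the "before" behaviour (only groups the user belongs to directly); with
# true it is the "after" behaviour (inherited membership in subgroups counts).
def shared_projects(user, today:, include_descendants:)
  ids = DIRECT_MEMBERSHIPS.fetch(user, [])
  ids = descendant_ids(ids) if include_descendants
  LINKS.select { |l| ids.include?(l.group_id) && (l.expires_at.nil? || l.expires_at > today) }
       .map(&:project)
end
```

A regression test for this kind of change should cover both directions: the inherited member gains the shared project, and a non-member or an expired share still yields nothing.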