Fixes duo chat visible if user does not have permission
What does this MR do and why?
Since duo_chat does not have an entry in the UserAuthorizable THROUGH_NAMESPACE_ACCESS_FEATURE_MAP, it doesn't employ namespace checks. In the GitLab UI, we use :chat, but on IDEs we use :duo_chat. We also need to take preventive measures to avoid this, but that will not be part of this follow-up.
How to set up and validate locally
- Set GDK to SaaS mode
- Ensure that the `duo_access_through_namespaces` feature flag is enabled
- Set up the gitlab-duo project
- Create a group `duo-users` as a direct child of `gitlab-duo`
- Create a user user1, add them to `gitlab-duo` and `gitlab-duo/duo-users`, and set their default namespace to `gitlab-duo`.
- Create a user user2, add them to `gitlab-duo`, and set their default namespace to `gitlab-duo` (do not add user2 to `gitlab-duo/duo-users`)
- On rails console (`GITLAB_SIMULATE_SAAS=1 gdk rails c`), create a rule on gitlab-duo so that `duo_users/gitlab-duo` have access to duo_classic:

  ```ruby
  ::Ai::NamespaceFeatureAccessRule.create!(
    root_namespace_id: 1000000,
    through_namespace_id: 103, # your duo_agentic_users group id
    accessible_entity: 'duo_classic'
  )
  ```

- On rails console, test out allowed_to_use_through_namespace:

  ```ruby
  ::Ai::NamespaceFeatureAccessRule.create!(
    root_namespace_id: 1000000,
    through_namespace_id: 103, # your duo_agentic_users group id
    accessible_entity: 'duo_agent_platform'
  )
  ```

- Log in as user1; the following GraphQL request should return duoChatAvailable as true:

  ```graphql
  query chatAvailable {
    currentUser {
      duoChatAvailable
    }
  }
  ```

- Log in as user2; the following GraphQL request should return duoChatAvailable as false:

  ```graphql
  query chatAvailable {
    currentUser {
      duoChatAvailable
    }
  }
  ```

- On `GITLAB_SIMULATE_SAAS=1 gdk rails c`:

  ```ruby
  user1.allowed_to_use?(:duo_chat) # true
  user2.allowed_to_use?(:duo_chat) # false
  ```

MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #587150 (closed)
Edited by Eduardo Bonet
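
The failure mode described in this MR (a feature alias with no entry in the access map silently skips the namespace check) can be reproduced in a simplified model. This is an added example, not GitLab's code: the map contents, helper names and sample users below are assumptions, and only the symbols `:chat` / `:duo_chat` and the entity `duo_classic` come from the description above. It also sketches one possible preventive guard, which the MR leaves out of scope.

```ruby
require 'set'

# Hypothetical stand-in for the access map: :duo_chat has no entry (the bug).
FEATURE_MAP = { chat: 'duo_classic' }.freeze
# Same map with the missing alias added.
FIXED_MAP = FEATURE_MAP.merge(duo_chat: 'duo_classic').freeze

# Constructed sample data: entity => namespaces that grant access to it.
RULES = { 'duo_classic' => Set['gitlab-duo/duo-users'] }.freeze
# Constructed sample data: user => namespaces the user belongs to.
USERS = {
  'user1' => Set['gitlab-duo', 'gitlab-duo/duo-users'],
  'user2' => Set['gitlab-duo']
}.freeze

# True when the user is a member of a namespace that grants the entity.
def namespace_allows?(user, entity)
  USERS.fetch(user).intersect?(RULES.fetch(entity))
end

# Fail-open lookup: an unmapped feature never reaches the namespace check.
def allowed_fail_open?(user, feature, map)
  entity = map[feature]
  return true if entity.nil? # no entry => restriction silently skipped
  namespace_allows?(user, entity)
end

# Fail-closed lookup: an unmapped feature is denied instead of allowed.
def allowed_fail_closed?(user, feature, map)
  entity = map.fetch(feature) { return false }
  namespace_allows?(user, entity)
end

# Preventive guard suitable for a spec: list feature aliases lacking an entry.
def unmapped_features(features, map)
  features.reject { |feature| map.key?(feature) }
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy map, user2, :chat     => #{allowed_fail_open?('user2', :chat, FEATURE_MAP)}"
  puts "buggy map, user2, :duo_chat => #{allowed_fail_open?('user2', :duo_chat, FEATURE_MAP)}"
  puts "fixed map, user2, :duo_chat => #{allowed_fail_open?('user2', :duo_chat, FIXED_MAP)}"
  puts "unmapped aliases: #{unmapped_features(%i[chat duo_chat], FEATURE_MAP).inspect}"
end
```

A spec that asserts `unmapped_features` is empty for every alias clients may send would catch a future alias added without a map entry.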