Make allowed_to_use namespace aware
What does this MR do and why?
Prevously Check if user is allowed to use Agentic Chat in... (!217227 - merged) • Alejandro Rodríguez • 18.9 added a more strict check within the policy check, to ensure resource (group/project) matches with the Duo add-on purchase's namespaces. However its implementation favors Duo Pro, when user is associated with both Duo Pro and Duo Core, thus when the user visits Duo Core namespaces, the namespace id will not match Duo Pro's namespace id list, thus disabling agentic chat.
The policy change involves allowed_to_use method. This MR makes allowed_to_use to be namespace-aware. If Duo Pro purchases' namespaces do not match the resource, it will instead check Duo Core purchases' namespaces. This exposes Duo Core permission when user visits Duo Core namespace.
References
Screenshots or screen recordings
| Before | After |
|---|---|
|
|
How to set up and validate locally
- Enable feature flag
duo_namespace_ids_from_all_addons - Choose an user belonging to 2 namespaces, one with Duo Pro seats, one with Duo Core.
- Remove the user's default namespace:
user.user_preference.update(duo_default_namespace_id: nil) - Visit the Duo Core namespace and open classic chat
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #587304 (closed)