Allow adding flows to projects with a group membership lock in place
What does this MR do and why?
Bypass group membership lock for service accounts
Users can now add service accounts with composite identity enforced to projects in groups which have the "Users cannot be added to projects in this group." setting enabled.
This fixes a bug where flows could not be added to projects with that setting enabled.
EE: true Changelog: fixed
References
Screenshots or screen recordings
| Before | After |
|---|---|
How to set up and validate locally
- Go to Settings > General > Permissions and group features and enable "Users cannot be added to projects in this group." for your top level group (e.g.
gitlab-duo) - Go to http://gdk.test:8080/gitlab-duo/test/-/automate/flows and create a flow
- Go to http://gdk.test:8080/explore/ai-catalog/flows and add the flow to the
gitlab-duogroup - Go back to the project http://gdk.test:8080/gitlab-duo/test/-/automate/flows and add the flow to the project with the "Enable flow from group" button. This should work on this branch, but not master
- Try adding a regular user to the project. This should still fail. (the UI won't let you try this, run
Project.find(19).team.add_member(User.find_by_username("knejad2"), :reporter))
Alternative test:
- Create a new group and project
- Upgrade the group to ultimate with the GitLab Duo Enterprise add on, and enable the "Users cannot be added to projects in this group."
- Go to http://gdk.test:8080/groups//-/settings/gitlab_duo/configuration and enable the foundational flows.
- Confirm the foundational flow users were created and added to your group.
- Click the "Generate MR with Duo" button in an issue and confirm that it works.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Related to #577607
Edited by Keeyan Nejad