Bypass organization check for personal namespace project creator

What does this MR do and why?

When the 'disable_invite_members' setting is enabled, creating a project in a personal namespace fails to add the creator as owner because the same_org? check rejects users without an explicit organization_users record for the project's organization.

Override same_org? in Members::Projects::CreatorService to skip the organization membership check when the personal namespace holder is being added to their own project.

Solves #588725 (closed)

How to set up and validate locally

  1. Enable the setting

    In Rails console (rails c):

      License.current.update!(plan: 'ultimate')  # if not already ultimate
      stub = ApplicationSetting.current
      stub.update!(disable_invite_members: true)

    Or via Admin UI: Admin > Settings > General > Sign-up restrictions > Prevent invitations to groups and projects

  2. Create a non-admin user (if needed)

      user = User.find_by(username: 'your_test_user')
      # Make sure they are NOT admin
      user.admin?  # should be false

  3. Test project creation in personal namespace

    Sign in as the non-admin user, then create a new project under their personal namespace (not a group).

  4. Verify the creator was added as owner

    In Rails console:

      project = Project.find_by_full_path('your_test_user/your_project')
      project.members.map { |m| [m.user.username, m.access_level] }
      # Should show [["your_test_user", 50]]  (50 = OWNER)

    Or check via the UI: go to the project > Manage > Members and confirm the creator is listed as Owner.

  5. Verify inviting others is still blocked

    Try inviting a different user to the project — it should fail with "not authorized to create member".

  6. Run the specs

      bundle exec rspec spec/services/members/projects/creator_service_spec.rb
      bundle exec rspec ee/spec/services/ee/members/projects/creator_service_spec.rb

  7. Verify the org check bypass specifically

    In Rails console, confirm the old error is gone:

      user = User.find_by(username: 'your_test_user')
      project = Project.find_by_full_path('your_test_user/your_project')
      user.organization_users.pluck(:organization_id)  # may be empty
      member = Members::Projects::CreatorService.add_member(project, user, :owner, current_user: user)
      member.persisted?        # should be true
      member.errors.full_messages  # should be empty

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Smriti Garg
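
A simplified Ruby model of the override described in this MR, added here as an illustration and not GitLab's implementation: every class, struct and the `demo` helper is a hypothetical stand-in, and only the `same_org?` method name comes from the description. It shows the property a reviewer would check, that the bypass is limited to the personal namespace holder on their own project while other users and group projects still go through the organization check.

```ruby
# Simplified stand-in model; every class and struct below is hypothetical.
User = Struct.new(:username, :organization_ids)
Namespace = Struct.new(:kind, :owner) # kind: :user (personal) or :group
Project = Struct.new(:path, :namespace, :organization_id, :memberships)
OWNER = 50

# Generic creator: membership requires the user to be in the project's organization.
class MemberCreator
  def initialize(project, user)
    @project = project
    @user = user
  end

  def add_member(access_level)
    return [:error, 'user is not in the same organization'] unless same_org?
    @project.memberships[@user.username] = access_level
    [:ok, access_level]
  end

  private

  def same_org?
    @user.organization_ids.include?(@project.organization_id)
  end
end

# Project creator: skips the organization check only for the holder of the
# personal namespace that owns the project; everyone else falls through to super.
class ProjectMemberCreator < MemberCreator
  private
  def same_org?
    personal_namespace_holder? || super
  end

  def personal_namespace_holder?
    @project.namespace.kind == :user && @project.namespace.owner.equal?(@user)
  end
end

# Constructed sample data: neither user has an organization membership record.
def demo
  alice = User.new('alice', [])
  bob = User.new('bob', [])
  personal = Project.new('alice/app', Namespace.new(:user, alice), 1, {})
  grouped = Project.new('team/app', Namespace.new(:group, nil), 1, {})
  [[personal, alice], [personal, bob], [grouped, alice]].map do |project, user|
    ProjectMemberCreator.new(project, user).add_member(OWNER).first
  end
end
```
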
