[AI Catalog] Restrict actions
What does this MR do and why?
Restricts AI Catalog action buttons for non-DAP (Duo Agent Platform) users on the Explore page when the ai_catalog_public_explore feature flag is enabled.
With this feature flag, logged-out and non-DAP users can now view the AI Catalog Explore page, but they should not be able to take actions they're not authorized for.
- MR 1: !230916 (merged) - adds feature flag, makes page accessible to all users
- MR 2 (this MR): !231096 - restricts actions to certain users
- MR 3: !231099 - renames policy from `read_ai_catalog` to `use_ai_catalog`
Action visibility on Explore page by user type
| User Type | New Button | Enable Button | Enable Modal | Duplicate/Menu | Recording |
|---|---|---|---|---|---|
| Admin | |||||
| DAP + Maintainer | |||||
| DAP + No Maintainer | |||||
| Non-DAP (logged in) | - | ||||
| Logged out | - |
DAP user = User with read_ai_catalog ability (has Premium/Ultimate license with DAP enabled)
Changes
- Push `readAiCatalog` ability to frontend from controller
- Hide New agent/flow button for non-DAP users on global namespace
- Hide More actions dropdown (Duplicate) for non-DAP users on global namespace
- Show disabled Enable button with appropriate tooltip for non-DAP/logged-out users
These changes are behind the ai_catalog_public_explore feature flag.
Changelog: changed
EE: true
References
Related to #595123
Screenshots or screen recordings
How to set up and validate locally
- Enable SaaS mode and the feature flag in GDK:

  ```
  echo 'export GITLAB_SIMULATE_SAAS=1' >> env.runit && gdk restart
  # In rails console
  Feature.enable(:ai_catalog_public_explore)
  ```
- Set up test users with different access levels (DAP + maintainer, DAP + no maintainer, non-DAP)
- Visit `/explore/ai-catalog/agents` with each user type and verify the behavior matches the table above
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.