Filter group template projects by user visibility and membership

What does this MR do and why?

templates_available? lacked a nil-user guard, causing NoMethodError for unauthenticated callers. The execute query chain also omitted a visibility scope, so private template projects were surfaced to users who weren't project members, and the template picker showed templates from groups the user had no access to.

Add user && guard to templates_available? and chain .public_or_visible_to_user(user) onto the execute query so that public and internal templates are visible to any authenticated user while private templates are restricted to project members.

Resolves #601253 (closed)

Changelog: fixed
EE: true

Query Plan

https://console.postgres.ai/gitlab/gitlab-production-main/sessions/52064/commands/153369

How to set up and validate locally

Test Setup

Groups required:

  • root-group (Public, Developers can create projects)
    • project-templates-group subgroup (Public) — configured as the custom templates group
      • public-template project (Public)
      • internal-template project (Internal)
      • private-template project (Private)
    • sub-group subgroup (Public, Developers can create projects) — where the developer creates projects
      • project-templates-group subgroup (Public) - configured as the custom templates group for the sub-group
        • public-template project (Public)
        • internal-template project (Internal)
        • private-template project (Private)

Users required:

  • root-developer — Developer of the root group
  • subgroup-developer — Developer of sub-group only (not a root group member)

What to test

While attempting to create a project within the sub-group:

  1. with subgroup-developer you should see all sub-group templates and the public and internal root-group templates
  2. with root-developer you should see all root-group and sub-group templates

Set the groups to private (all projects and template groups also need to be set to private; you can also delete the public/internal projects if you prefer).

  1. with subgroup-developer you should see all sub-group templates and none of the root-group templates
  2. with root-developer you should see all root-group and sub-group templates
Edited by Joe Woodward
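
A simplified in-memory Ruby model of the visibility rule described in this MR, run against the test matrix above. It is an added example, not GitLab's code: the Group and Project structs, member?, visible_templates, build_fixture and names are hypothetical stand-ins for the real query scope, and membership is assumed to be inherited from ancestor groups.

```ruby
# Simplified model (assumption): plain structs instead of GitLab's ActiveRecord scopes.
Group   = Struct.new(:name, :parent, :members)
Project = Struct.new(:name, :group, :visibility)

# Membership is assumed to be inherited from any ancestor group.
def member?(user, project)
  group = project.group
  while group
    return true if group.members.include?(user)
    group = group.parent
  end
  false
end

# Rule from the MR: public and internal templates for any authenticated user,
# private templates for project members only.
def visible_templates(templates, user)
  return [] unless user # nil-user guard: anonymous callers get nothing, no NoMethodError
  templates.select do |p|
    %i[public internal].include?(p.visibility) || member?(user, p)
  end
end

def templates_available?(templates, user)
  !user.nil? && visible_templates(templates, user).any?
end

# Constructed fixture mirroring the test setup: two template groups, three projects each.
def build_fixture(all_private: false)
  root     = Group.new('root-group', nil, ['root-developer'])
  root_tpl = Group.new('root-group/project-templates-group', root, [])
  sub      = Group.new('root-group/sub-group', root, ['subgroup-developer'])
  sub_tpl  = Group.new('root-group/sub-group/project-templates-group', sub, [])
  [root_tpl, sub_tpl].flat_map do |g|
    %i[public internal private].map do |v|
      Project.new("#{g.name}/#{v}-template", g, all_private ? :private : v)
    end
  end
end

def names(templates, user)
  visible_templates(templates, user).map(&:name)
end
```

Dropping the `member?` branch's counterpart, that is, returning every template regardless of visibility, reproduces the leak the MR fixes: subgroup-developer would then see the root group's private template.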
