Only show 2FA badge to project maintainers and group owners
📖 What does this MR do?
Related to #24908 (closed)
Currently, on the project/group members view the 2FA badge is shown to all users. This MR hides the 2FA badge from project members with less than "Maintainer" access and from group members with less than "Owner" access.
📋 Summary of changes
- Pass `canManageMembers` from the Vuex store to `generateBadges`. The value of `canManageMembers` is passed to the Vue application as a data attribute in `app/helpers/groups/group_members_helper.rb#L30` and `app/helpers/projects/project_members_helper.rb#L43`. It is equal to `can?(current_user, :admin_group_member, group)` and `can?(current_user, :admin_project_member, project)` in Rails.
- Use that value in the `show` check for the 2FA badge definition.
- Update relevant specs and add feature specs to cover this change.
- Update permission tables in the docs.
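The shape of the change, as an added illustration (this is not GitLab's own `generateBadges`, store or helper code; the member/badge shapes and the `parseBoolean`, `visibleBadgeIds` and `badgesForViewer` helpers are assumptions made for the example). It shows the old behaviour beside the new one, and the one pitfall worth checking when a Rails `can?` result travels through a data attribute: it arrives as the string `"true"`/`"false"`, which is always truthy if it is not parsed.

```javascript
// Added example for this MR's change; not GitLab's own code.
// Member/badge shapes and helper names below are assumptions for illustration.

// Data attributes are strings. `Boolean("false")` is true, so the flag must be
// parsed explicitly before it is used as an authorization gate.
function parseBoolean(value) {
  return value === true || value === 'true';
}

// Behaviour this page describes as "before": the 2FA badge depended only on the
// member's own state, so every member of the group/project could see it.
function generateBadgesBefore({ member }) {
  const user = member.user || {};
  return [
    { id: 'user-2fa', text: '2FA', show: user.twoFactorEnabled === true },
    { id: 'blocked', text: 'Blocked', show: user.blocked === true },
  ];
}

// Behaviour after the MR: `canManageMembers` (the Rails
// `can?(current_user, :admin_group_member, group)` /
// `can?(current_user, :admin_project_member, project)` result, delivered to the
// Vue app as a data attribute) gates the 2FA badge. Group Owners and project
// Maintainers pass that check; group Maintainers and project Developers do not.
function generateBadges({ member, canManageMembers }) {
  const user = member.user || {};
  return [
    {
      id: 'user-2fa',
      text: '2FA',
      show: canManageMembers === true && user.twoFactorEnabled === true,
    },
    { id: 'blocked', text: 'Blocked', show: user.blocked === true },
  ];
}

// Ids of the badges the template would actually render.
function visibleBadgeIds(badges) {
  return badges.filter((badge) => badge.show).map((badge) => badge.id);
}

// Read the flag the way a mounting element's dataset would deliver it,
// then build the badge list for that viewer.
function badgesForViewer(el, member, generate) {
  const canManageMembers = parseBoolean(el.dataset.canManageMembers);
  return visibleBadgeIds(generate({ member, canManageMembers }));
}

// Constructed sample data: one member with 2FA enabled, viewed by a user who
// can manage members and by one who cannot.
const SAMPLE_MEMBER = {
  id: 1,
  user: { name: 'alice', twoFactorEnabled: true, blocked: false },
};
const VIEWER_CAN_MANAGE = { dataset: { canManageMembers: 'true' } };
const VIEWER_CANNOT_MANAGE = { dataset: { canManageMembers: 'false' } };

// Run stand-alone: before the change both viewers see the 2FA badge; after it,
// only the viewer who can manage members does.
console.log('before, cannot manage:', badgesForViewer(VIEWER_CANNOT_MANAGE, SAMPLE_MEMBER, generateBadgesBefore));
console.log('after, cannot manage:', badgesForViewer(VIEWER_CANNOT_MANAGE, SAMPLE_MEMBER, generateBadges));
console.log('after, can manage:', badgesForViewer(VIEWER_CAN_MANAGE, SAMPLE_MEMBER, generateBadges));
```

The point of keeping the gate inside the badge definition's `show` rather than in the template is that every place that renders the badge list inherits the check; the feature specs described above are what guard against a second render path bypassing it.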
💻 Local testing
1. Create a group
2. Navigate to "Group" -> "Members" and use the form to add a user. Make note of that user's name
3. Navigate to `/admin/users`, search for the user, click on the found user, and then click "Impersonate"
4. Navigate to `/-/profile/two_factor_auth` and use 1Password to set up 2FA
5. Stop impersonating the user and navigate back to "Group" -> "Members". The 2FA badge should show
6. Add another user as a "Maintainer"
7. Impersonate the user you just added as a "Maintainer" and navigate to "Group" -> "Members". The 2FA badge should not show.

The process for testing a project is the same, but in step 6 add a "Developer" instead of a "Maintainer".
📷 Screenshots
Logged in user | Before | After
---|---|---
Group owner | |
Group maintainer | |
Group guest | |
Project maintainer | |
Project developer | |
Project guest | |
🚦 Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- [-] Database guides
- Separation of EE specific content

Availability and Testing
- Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process.
- Tested in all supported browsers
- [-] Informed Infrastructure department of a default or new setting change, if applicable per definition of done

Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team
Edited by Peter Hegman