Use policies framework for determining admin access to groups
What does this MR do?
Uses the policies framework for determining administrators access to groups, so admin mode is applied.
Replaces the direct User#admin?
call on Group#max_member_access_for_user
by a new :admin_all_resources
policy that considers admin mode if enabled. Also adds a corresponding method User#can_admin_all_resources?
, similarly to the existing User#can_read_all_resources?
.
Previously we used the :read_all_resources
policy for such cases, but it does not work in this one since access is shared with auditors in EE and this has conflicting requirements with admins (e.g. auditors are not allowed to edit group or project settings). We might also want to consider modifying some other places where :read_all_resources
is used for admins in the future.
Related #207950
/cc @bufferoverflow
Screenshots (strongly suggested)
Does this MR meet the acceptance criteria?
Conformity
-
Changelog entry -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers -
Informed Infrastructure department of a default or new setting change, if applicable per definition of done
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team