Add group setting to control whether guest users can view source code in private projects
What does this MR do?
This merge request adds a new setting at the group level, configuring whether guests should be able to see repository source code and merge requests. The default behaviour remains the same, with only reporters and higher being able to see source code.
It directly resolves #20277 (closed).
This merge request changes the behaviour of permissions, thus a member of security will need to review it.
Screenshots (strongly suggested)
The new setting under group settings:
I have also updated the relevant documentation:
Does this MR meet the acceptance criteria?
Conformity
-
I have included a changelog entry. -
Documentation (if required) -
Code review guidelines -
Merge request performance guidelines -
Style guides -
Database guides -
Separation of EE specific content
Availability and Testing
-
Review and add/update tests for this feature/bug. Consider all test levels. See the Test Planning Process. -
Tested in all supported browsers - Tested in Firefox, Edge and Chrome.
- Not tested in Chromium or Safari (the latter because I do not have a Mac that can access the dev environment easily).
-
Informed Infrastructure department of a default or new setting change, if applicable per definition of done - I'm assuming this is only applicable for new settings introduced at the infrastructure / admin level? And not new settings that are accessible to end users (which the documentation covers)?
Security
If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:
-
Label as security and @ mention @gitlab-com/gl-security/appsec- I can't modify the labels, and the bot is ignoring the command to add the security label. I will need someone with appropriate access to do this for me.
-
The MR includes necessary changes to maintain consistency between UI, API, email, or other methods -
Security reports checked/validated by a reviewer from the AppSec team
Edited by June Rhodes