Draft: Restrict Access to Groups and Projects to Active Memberships

Jason Goodman requested to merge pending-group-member-access into master

What does this MR do and why?

Treat users with pending group or project memberships as if they are not members for permissions purposes.

Also do not count pending members as billable.

Issues: #332598 (closed) and #345694 (closed)

How to set up and validate locally

  • Enable the :saas_user_caps feature flag for a root group. (Alternatively, enable it globally, but this feature will be selectively enabled for specific root groups.)
[3] pry(main)> Feature.enable(:saas_user_caps, group)
  • Edit the Gitlab.com? method (self.com? in lib/gitlab.rb) to return true. This feature will only be available on gitlab.com.
diff --git a/lib/gitlab.rb b/lib/gitlab.rb
index 2449554d3c0..b7096cab3af 100644
--- a/lib/gitlab.rb
+++ b/lib/gitlab.rb
@@ -52,6 +52,7 @@ def self.revision
   def self.com?
     # Check `gl_subdomain?` as well to keep parity with gitlab.com
     Gitlab.config.gitlab.url == Gitlab::Saas.com_url || gl_subdomain?
+    true
   end
 
   def self.com
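Review bot: the `+    true` line appended at the end of `self.com?` makes the existing `Gitlab.config.gitlab.url == Gitlab::Saas.com_url || gl_subdomain?` expression dead code (it is still evaluated, then discarded), which is fine for a throwaway local-validation step but would silently force gitlab.com-only behaviour for every caller if the edit were ever committed. Since this hunk lives in the "How to set up and validate locally" instructions rather than in the MR itself, add a sentence telling the reviewer to revert it before pushing, and consider showing the override as a replacement of the method body rather than an extra line so the intent is unambiguous.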
  • Open your group's Settings > General page.
  • Open Permissions and group features.
  • Scroll down to the User cap field and enter a value equal to the number of billable members for your group. Click Save Changes. (An easy way to get the current number of billable members is with group.billable_members_count in the Rails console.)

(Screenshot: the User cap field on the group's Permissions and group features settings.)

  • Go to the group's Group information > Members page. Invite a new member to the group. (Make sure the member is not already a billable member somewhere in the hierarchy, or the group member will have an active membership - we want to test the permissions for a pending membership.)


  • Note the new member has a pending membership.


  • Log in as the new member and test that your permissions are just as if you were not a member of the group. For a private group, for instance, you should get a 404 when you try to visit the group URL.


  • Re-find your group and check that billable_members_count has not increased. (The group must be found again, as billable_members_count uses memoization that must be cleared.)
[9] pry(main)> Group.find(156).billable_members_count
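The two rules the validation steps above exercise, pending memberships grant no access and are not billable, and the memoized billable count goes stale until the group is re-found, can be seen in a minimal self-contained model. The following is an added illustration and is not GitLab's code: the User, Membership and Group classes are hypothetical stand-ins for the real models and policy layer, and the :pending / :active states are assumed for the example.

```ruby
# Added example, not GitLab code. A toy model of "treat pending members as
# non-members for permissions, and do not bill them". Class names are
# hypothetical stand-ins; the real check lives in GitLab's policy layer.

Membership = Struct.new(:user, :state) do
  # Only an active membership counts; :pending behaves like no membership.
  def active?
    state == :active
  end
end

class User
  attr_reader :name

  def initialize(name)
    @name = name
  end
end

class Group
  attr_reader :memberships

  def initialize(memberships, visibility: :private)
    @memberships = memberships
    @visibility = visibility
  end

  # Permission check: a user whose only membership is pending is not a member.
  def member?(user)
    memberships.any? { |m| m.user == user && m.active? }
  end

  # On a private group a non-member sees nothing (the 404 in the steps above).
  def visible_to?(user)
    @visibility == :public || member?(user)
  end

  # Billable count excludes pending members. Like the real method it is
  # memoized per object, which is why the group must be re-found to see a change.
  def billable_members_count
    @billable_members_count ||= memberships.count(&:active?)
  end

  # Simulates the invite being accepted / the member becoming active.
  def activate!(user)
    memberships.each { |m| m.state = :active if m.user == user }
    self
  end
end

# Walks through the scenario and returns the observations as a hash.
def pending_member_demo
  alice = User.new("alice")
  bob = User.new("bob")
  group = Group.new([Membership.new(alice, :active), Membership.new(bob, :pending)])

  pending_visible = group.visible_to?(bob)   # bob is pending: no access
  active_visible = group.visible_to?(alice)  # alice is active: access
  billable_before = group.billable_members_count # memoized here: 1

  group.activate!(bob)
  stale_count = group.billable_members_count         # still 1: memoized
  refound_count = Group.new(group.memberships).billable_members_count # fresh object: 2

  {
    pending_visible: pending_visible,
    active_visible: active_visible,
    billable_before: billable_before,
    stale_billable_after_accept: stale_count,
    refound_billable_after_accept: refound_count
  }
end

if __FILE__ == $PROGRAM_NAME
  pending_member_demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The stale_billable_after_accept versus refound_billable_after_accept pair is the reason the last validation step says to find the group again: reading billable_members_count on the object you already hold will keep returning the cached value.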

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Jason Goodman