Skip to content

Fix shared groups selection for inherited permissions

Vasilii Iakliushin requested to merge 350596_fix_shared_groups_verification_for_inherited_cases into master

What does this MR do and why?

Contributes to #350596 (closed)

Problem

We were verifying that the user had access to the shared group. However, it didn't work for cases when user has an indirect access to the shared group.

For example, Group A is a parent of the Shared Group B. We were returning shared group only when user was a member of the Shared group. But not in the case when user was a member of the Group A.

Solution

Additionally verify that the user has an access to the shared group through group inheritance.

Database

SELECT
    *
FROM
    "namespaces"
    INNER JOIN "project_group_links" ON "namespaces"."id" = "project_group_links"."group_id"
WHERE
    "namespaces"."type" = 'Group'
    AND "project_group_links"."project_id" = 278964
    AND (traversal_ids && ARRAY (
            SELECT
                "members"."source_id"
            FROM
                "members"
            LEFT OUTER JOIN "users" ON "users"."id" = "members"."user_id"
    WHERE
        "members"."type" = 'GroupMember'
        AND "members"."source_type" = 'Namespace'
        AND "users"."state" = 'active'
        AND "members"."requested_at" IS NULL
        AND "members"."invite_token" IS NULL
        AND (members.access_level > 5)
        AND "members"."user_id" = 1614863)::int[]);

https://console.postgres.ai/gitlab/gitlab-production-tunnel-pg12/sessions/8654/commands/30741

Screenshots or screen recordings

Before After (Group C is available)
Screenshot_2022-02-14_at_21.42.44 Screenshot_2022-02-14_at_21.43.06
Screenshot_2022-02-14_at_21.42.34 Screenshot_2022-02-14_at_21.43.16

How to set up and validate locally

  1. Create following structure
graph LR
    Group_A-->Group_B;
    Group_A-->Group_C;
    Group_B-->Project_P;
  1. Give user Developer permissions to Group_A and Project_P
  2. Share Group_C with Project_P
  3. Create merge request in Project_P
  4. Edit merge request
  5. Edit merge request and click on Approval rules
  6. Click Add approval rule button
  7. Click on Add approvers field
  8. Group_C should be available for the selection

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Vasilii Iakliushin

Merge request reports