Prevent read access to projects and groups when banned
What does this MR do and why?
Part of the epics (here and here) to ban users on root namespace level from all subgroups and projects, this adds a service to ban users and policies to enforce the ban.
Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/41
How to set up and validate locally
- Enable the feature flag
Feature.enable(:limit_unique_project_downloads_per_namespace_user)
- Ban a user from a root namespace
Users::Abuse::NamespaceBans::CreateService.new(namespace: root_namespace, user: user).execute
- Verify the user does not have access to the namespace, any subgroups and projects contained in them
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Edited by Alex Buijs