Skip to content

Draft: Make project import level configurable

Carla Drago requested to merge 358750-make-project-import-configurable into master

This adds the ability for admins to select which access level is required to import projects into a group. The setting will be stored in the namespace_settings DB table on the project_import_level column. The setting will be an access_level value of Owner (50), Maintainer(40), Developer(30), or No One(0) The default setting is Owner(50), and set on the DB schema level. In order to have permission to import projects into a group namespace, the user's group membership access_level will need to equal or exceed the group project_import_level.

Things to be aware of: Previously a project_creation_level group setting was used to assess import permissions. While the project_creation_level setting is still used to assess a user's project creation permissions, this setting is no longer used to asses project import access. They are treated completely separately.

As this is a breaking change for any existing Groups where Maintainer or Developer users have previously been able to import projects, we have created a background migration to align the Group's project_import_level with the existing project_creation_level. Moving forward (once this change is deployed) any change to the default project_import_level can be done by an admin user in the Group settings.

There are frontend changes required to make this usable on the "Import an exported GitLab project" page. It can currently be tested in the UI, however, on the "Import Project (Repository by URL)" page.

Screenshots or screen recordings

project_import_level_-10MB

How to set up and validate locally

  1. Pull and check out into the branch.
  2. run gdk restart just to make sure the branch changes are running locally
  3. log into the UI http://gdk.test:3000
  4. If you don't already have an additional User created, create one at Menu > Admin > Users > New User.
  5. Add this User as a member to any Group by visiting the Group page > Group Information > Members > Invite Members.
  6. Make sure their "Max role" is set as Developer.
  7. Visit the Group's Settings > General > Permissions Group Features > Expand.
  8. Scroll down to the dropdown titled "Roles allowed to import projects"
  9. Ensure "Owners" is selected here.
  10. Above this, in the dropdown titled "Roles allowed to create projects", ensure "Maintainers" is selected.

In a completely different browser:

  1. log into the UI http://gdk.test:3000
  2. Visit Menu > Admin > Users
  3. Visit the user page for the User added as a member above ^^
  4. Click the Impersonate UI button so that you will be logged in as that User in that browser.
  5. visit Menu > Projects > Create new project > Import Project > Repository by URL.
  6. Observe that the Group this member was added to as a Developer is not visible in the Project URL dropdown.

In the other/admin browser:

  1. Visit the Group > Settings > General > Permissions > Group Features > Expand.
  2. Scroll down to the dropdown titled "Roles allowed to import projects"
  3. Select "Developer and above" from the dropdown menu, then save the changes.

In the impersonation browser:

  1. Visit the user page for the User added as a member above ^^
  2. Click the Impersonate UI button so that you will be logged in as that User in that browser.
  3. visit Menu > Projects > Create new project > Import Project > Repository by URL.
  4. Observe that the Group this member was added to as a Developer is visible in the Project URL dropdown.
  5. Observe that it is possible to select the Group as a destination.
  6. Visit Menu > Projects > Create new project > Create blank project.
  7. Observe the Group is not visible in the Project URL dropdown.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #358750 (closed)

Edited by Carla Drago

Merge request reports