
Resolve "Shift option to prevent users from creating groups to Instance Admin UI"

What does this MR do and why?

Currently the can_create_group setting is being set via the configuration file gitlab.yml: Docs.

This setting controls whether new users being created in a GitLab instance can create top-level groups or not. (Upon creation, users inherit the value of this global setting in their User#can_create_group attribute.)

The requirement in #367754 (closed) is to make this setting available in ApplicationSetting, so that an Admin can control this setting via the UI/API and does not have to change the value in the gitlab.yml file anymore. Moving this setting to ApplicationSetting would also mean that GitLab admins won't have to restart the instance for the change to take effect.

This MR tries to achieve this change in a non-breaking manner. To achieve this, this MR does the following:

database

  • A migration to create a new column can_create_group in the ApplicationSetting table.
  • Another migration that copies over the current value of default_can_create_group from the configuration file to the new can_create_group column in the ApplicationSetting table.

backend

  • changes to both read and update this new column via the admin UI (/admin/application_settings/general, under Account and limit) and the Application Settings API (GET /application/settings and PUT /application/settings).
  • changes to stop reading this setting's value from the GitLab config and instead start reading it from Gitlab::CurrentSettings.

documentation

  • updates to docs to say that from GitLab 15.5 onwards, the can_create_group setting can only be controlled via the ApplicationSetting UI or API.
  • updates to include the can_create_group setting in the ApplicationSetting API docs.

Output of migrations

UP migration
rake db:migrate
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrating ===========
main: -- add_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
main:    -> 0.0036s
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrated (0.0042s) ==

main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrating ===========
main: -- execute("UPDATE application_settings SET can_create_group = true")
main:    -> 0.0019s
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrated (0.0020s) ==

ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrating ===========
ci: -- add_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
ci:    -> 0.0046s
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrated (0.0047s) ==

ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrating ===========
ci: -- The migration is skipped since it modifies the schemas: [:gitlab_main].
ci: -- This database can only apply migrations in one of the following schemas: [:gitlab_ci, :gitlab_shared, :gitlab_internal].
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrated (0.0005s) ==

DOWN migration
rake db:rollback:main STEP=2
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverting ===========
main: -- execute("UPDATE application_settings SET can_create_group = true")
main:    -> 0.0029s
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverted (0.0039s) ==

main: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverting ===========
main: -- remove_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
main:    -> 0.0030s
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverted (0.0048s) ==

rake db:rollback:ci STEP=2
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverting ===========
ci: -- The migration is skipped since it modifies the schemas: [:gitlab_main].
ci: -- This database can only apply migrations in one of the following schemas: [:gitlab_ci, :gitlab_shared, :gitlab_internal].
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverted (0.0001s) ==

ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverting ===========
ci: -- remove_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
ci:    -> 0.0099s
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverted (0.0131s) ==

Screenshots or screen recordings

New setting showing up in the Admin UI (/admin/application_settings/general, under Account and limit)


How to set up and validate locally

  • Before pulling this branch, set up the value of the setting default_can_create_group in your gitlab.yml as per the docs. This value is true by default, so any new user in the instance will be able to create groups. Set this value to false for verification.
  • Pull the branch, and run the migrations.
  • Verify that the value of Gitlab::CurrentSettings.can_create_group is now false.
  • Try to register as a new user via /users/sign_up.
  • Log in as this new user, and you can see that you will not be able to create a new top-level group.
  • In a different window, log in as admin and update the value of default_can_create_group via the admin UI or the API to true.
  • In the other window, register again as a new user, log in as the new user, and they should be able to create new groups.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #367754 (closed)
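
An added example, not part of this MR or of GitLab's code base: because each account keeps the can_create_group value it copied at creation, an admin who changes the instance setting may want to list the accounts that no longer match it. The JSON below is constructed sample data; `group_creation_drift` and the `username` and `created_at` fields are assumptions made for illustration.

```ruby
require 'json'

# Constructed sample: GET /application/settings, trimmed to the one key used here.
SETTINGS_JSON = '{"can_create_group": false}'

# Constructed sample: an admin's user listing, trimmed. Field names other than
# can_create_group are assumptions about that response.
USERS_JSON = <<~JSON
  [
    {"username": "alice", "can_create_group": true,  "created_at": "2022-08-15T12:30:00Z"},
    {"username": "bob",   "can_create_group": false, "created_at": "2022-09-20T08:10:00Z"},
    {"username": "carol", "can_create_group": true,  "created_at": "2022-09-21T16:45:00Z"}
  ]
JSON

# Compares each account's stored can_create_group with the instance default.
# Accounts keep the value copied at creation, so a later change of the default
# leaves them out of step. Returns usernames (oldest account first) grouped by
# the direction of the mismatch.
def group_creation_drift(settings, users)
  unless settings.key?('can_create_group')
    raise ArgumentError, 'can_create_group missing: setting not exposed by this instance'
  end

  default = settings['can_create_group']
  report = { default: default, still_allowed: [], still_denied: [] }

  users.sort_by { |u| u['created_at'] }.each do |user|
    allowed = user['can_create_group']
    next if allowed == default # matches the current default, nothing to review

    report[allowed ? :still_allowed : :still_denied] << user['username']
  end
  report
end

# Runs the audit over the constructed samples above.
def sample_report
  group_creation_drift(JSON.parse(SETTINGS_JSON), JSON.parse(USERS_JSON))
end

puts JSON.pretty_generate(sample_report) if __FILE__ == $PROGRAM_NAME
```

With the default set to false, the `still_allowed` list is the one to review: those accounts can still create top-level groups.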
