Resolve "Shift option to prevent users from creating groups to Instance Admin UI"
What does this MR do and why?
Currently the can_create_group
setting is being set via the configuration file gitlab.yml
: Docs.
This setting controls whether new users being created in a GitLab instance can create top-level groups or not. (Users inherit the value of this global setting upon creation to User#can_create_group attribute)
The requirement in #367754 (closed) is to make this setting available in ApplicationSetting
, so that an Admin can control this setting via the UI/API and does not have to change the value in the gitlab.yml
file anymore. Moving this setting to ApplicationSetting
would also mean that GitLab admins won't have to restart the instance for the change to take effect.
This MR tries to achieve this change in a non-breaking manner. To achieve this, this MR does the following:
- A migration to create a new column
can_create_group
inApplicationSetting table
. - Another migration that copies over the current value of
default_can_create_group
from the configuration file to the newcan_create_group
column inApplicationSetting
table.
- changes to both read and update this new column via the admin UI (
/admin/application_settings/general
, underAccount and limit
) and the Application Settings API (GET /application/settings
andPUT /application/settings
). - changes to stop reading the this setting value from GitLab config and instead to start reading it from
Gitlab::CurrentSettings
- updates to docs to say that from GitLab 15.5 onwards, the
can_create_group
setting can only be controlled via the ApplicationSetting UI or API. - updates to include the
can_create_group
setting the ApplicationSetting API docs.
Output of migrations
UP migration
rake db:migrate
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrating ===========
main: -- add_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
main: -> 0.0036s
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrated (0.0042s) ==
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrating ===========
main: -- execute("UPDATE application_settings SET can_create_group = true")
main: -> 0.0019s
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrated (0.0020s) ==
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrating ===========
ci: -- add_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
ci: -> 0.0046s
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: migrated (0.0047s) ==
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrating ===========
ci: -- The migration is skipped since it modifies the schemas: [:gitlab_main].
ci: -- This database can only apply migrations in one of the following schemas: [:gitlab_ci, :gitlab_shared, :gitlab_internal].
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: migrated (0.0005s) ==
DOWN migration
rake db:rollback:main STEP=2
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverting ===========
main: -- execute("UPDATE application_settings SET can_create_group = true")
main: -> 0.0029s
main: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverted (0.0039s) ==
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverting ===========
main: -- remove_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
main: -> 0.0030s
main: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverted (0.0048s) ==
rake db:rollback:ci STEP=2
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverting ===========
ci: -- The migration is skipped since it modifies the schemas: [:gitlab_main].
ci: -- This database can only apply migrations in one of the following schemas: [:gitlab_ci, :gitlab_shared, :gitlab_internal].
ci: == 20220901092853 UpdateCanCreateGroupApplicationSetting: reverted (0.0001s) ==
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverting ===========
ci: -- remove_column(:application_settings, :can_create_group, :boolean, {:default=>true, :null=>false})
ci: -> 0.0099s
ci: == 20220901090004 AddCanCreateGroupToApplicationSettings: reverted (0.0131s) ==
Screenshots or screen recordings
/admin/application_settings/general
, under Account and limit
)
New setting showing up in the Admin UI (
How to set up and validate locally
- Before pulling this branch, setup the value of the setting
default_can_create_group
in your gitlab.yml as per the docs. This value istrue
by default, so any new user in the instance will be able to create groups. Set this value tofalse
for verification. - Pull the branch, and run the migrations.
- Verify that the value of
Gitlab::CurrentSettings.can_create_group
is nowfalse
- Try to register as a new user via
/users/sign_up
- Login as this new user, and you can see that you will not be able to create a new top-level group.
- In a different window, login as
admin
and update the value ofdefault_can_create_group
via the admin UI or the API totrue
- In the other window, register again as this new user, login as new user and they should be able to create new groups.
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
-
I have evaluated the MR acceptance checklist for this MR.
Related to #367754 (closed)