Implement backend for a read-only "Auditor" user

Merged Timothy Andrew requested to merge 1439-read-only-user into master

Tasks

  • PoC
    • Write a PoC
    • Write a small post describing the implementation strategy
    • Get strategy vetted
  • Backend
    • Auditor should be able to access all projects / groups
    • Restrictions
      • Cannot commit
      • Cannot access admin area
      • Can read issues / MRs
      • Cannot create / comment on issues / MRs
      • Can read all files in the repository
      • Cannot create/modify files from the Web UI
      • Cannot merge a merge request
      • Cannot fork a project
      • Cannot create a project
      • Cannot access project settings
      • Cannot create project snippets
      • Can read project snippets
      • Cannot access group settings
      • Can access projects that are:
        • Private
        • Public
        • Internal
    • Verify that no accessible pages are breaking
    • Does the migration need downtime?
    • Auditor's dashboard should display all projects
    • External users?
    • Read-only API access
    • Do we need to add an auditor check anywhere else? Finders?
  • Tests
    • Added
      • Policies
      • Finders
      • "user cannot be auditor and admin"
      • User cannot access admin area
      • User cannot access project settings
    • Passing
  • Refactoring
  • Meta
    • CHANGELOG entry created
    • Documentation created/updated
    • API support added
    • Branch has no merge conflicts with master
    • Squashed related commits together
    • Check for clean merge with EE
    • Added screenshots
  • Final sanity check
    • Merge requests
    • Issues
    • Project snippets
    • Snippets
    • Groups
    • Milestones (group/project)
    • Labels (group/project)
    • Pipelines
    • Repository
  • Review
    • Miniboss (@jameslopez)
      • Group creation should be blocked
      • Extract a admin_or_auditor method
      • create(:admin) instead of create(:user, :admin)
      • "group each logical step and separate the assigning part from the expectation" (snippets_finder_spec)
      • add more expectations here to make sure any write operation is excluded (group_policy_spec)
      • write a description to it (namespace_policy_spec)
      • make let(:owner_permissions) shorter (namespace_policy_spec)
      • use %i here, to save some colons and commas (project_policy_spec)
      • Improve group_projects_finder_spec
    • Endboss (@DouweM)
      • add_column_with_default needs a down block
      • View conditional tweak
      • Change doc version to 8.17 (typo)
      • Add auditor specs to spec/features/security
      • Retest migration
      • Make sure UI works okay after refactoring
      • Make sure CE backport branch merges cleanly (or no conflicts are from this feature) with EE MR branch
  • UI
    • User cannot be admin and auditor
    • Cleanup
      • Group show page shouldn't show the New Project button
  • Wait for merge