Implement access controls when SSO enforcement enabled
Description
In Issue https://gitlab.com/gitlab-org/gitlab-ee/issues/5291 we will be adding a group setting to enable SSO enforcement. Once this is done we will have to add various controls to restrict access to any group with SSO enforcement enabled.
Proposal
We need to add the following access controls and validations:
- Prevent non-SSO users being added to the group
- Prevent access to basic group resources by intercepting
find_routable!
- Prevent access to basic project resources via
find_routable!
We also need to consider the following:
- Ensure that controllers that don't user
find_routable!
orauthenticate_user!
still check SSO enforcement, but also check they still work rather than always blocking access - Access checks when looking up multiple groups/projects at once such as from the projects dashboard
When access is prevented the user should be redirected to the SSO page.
Edited by Liam McAndrew