Commit 69401726 authored by James Lopez's avatar James Lopez

Merge branch '323573-limit-creating-top-level-groups' into 'master'

Add feature flag to block gitlab.com top-level group creation via api [RUN ALL RSPEC] [RUN AS-IF-FOSS]

See merge request gitlab-org/gitlab!56360
parents 71385691 852c41fe
...@@ -21,6 +21,14 @@ module EE ...@@ -21,6 +21,14 @@ module EE
::License.feature_available?(:export_user_permissions) ::License.feature_available?(:export_user_permissions)
end end
condition(:top_level_group_creation_enabled) do
if ::Gitlab.com?
::Feature.enabled?(:top_level_group_creation_enabled, type: :ops, default_enabled: true)
else
true
end
end
rule { ~anonymous & operations_dashboard_available }.enable :read_operations_dashboard rule { ~anonymous & operations_dashboard_available }.enable :read_operations_dashboard
rule { admin }.policy do rule { admin }.policy do
...@@ -46,6 +54,9 @@ module EE ...@@ -46,6 +54,9 @@ module EE
end end
rule { export_user_permissions_available & admin }.enable :export_user_permissions rule { export_user_permissions_available & admin }.enable :export_user_permissions
rule { can?(:create_group) }.enable :create_group_via_api
rule { ~top_level_group_creation_enabled }.prevent :create_group_via_api
end end
end end
end end
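Review bot: The `prevent :create_group_via_api` rule at the end of this hunk gates only the new API-specific ability, so any other code path that still authorizes against `:create_group` is presumably unaffected when the ops flag is switched off on GitLab.com. Because `prevent` overrides every `enable`, admins are blocked as well, which the request spec in this commit confirms by expecting 403 for an admin. Neither property is obvious from the policy itself, so I would add a comment above the condition such as `# Ops switch for top-level group creation through the REST API on GitLab.com; also applies to admins and does not change :create_group checks elsewhere`. If the flag is meant to stop top-level group creation in general, please confirm that the remaining entry points are intentionally left open. The enclosing policy block starts and ends outside the hunk.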
---
title: Add feature flag to block gitlab.com top-level group creation via api
merge_request: 56360
author:
type: added
---
name: top_level_group_creation_enabled
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/56360
rollout_issue_url:
milestone: '13.10'
type: ops
group: group::access
default_enabled: true
...@@ -49,6 +49,11 @@ module EE ...@@ -49,6 +49,11 @@ module EE
super super
end end
override :authorize_group_creation!
def authorize_group_creation!
authorize! :create_group_via_api
end
def check_audit_events_available!(group) def check_audit_events_available!(group)
forbidden! unless group.feature_available?(:audit_events) forbidden! unless group.feature_available?(:audit_events)
end end
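Review bot: The overriding `authorize_group_creation!` replaces the ability being checked instead of adding to it, and it neither calls `super` nor carries a comment saying so. The original `:create_group` check survives only indirectly, through `rule { can?(:create_group) }.enable :create_group_via_api` in the EE policy. If that rule is later edited, this endpoint loses its base authorization without any change in this file. I would either document the dependency with `# :create_group_via_api is enabled only when :create_group is, and adds the GitLab.com ops-flag check`, or keep the base check explicit by calling `super` before `authorize! :create_group_via_api`.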
......
...@@ -266,4 +266,48 @@ RSpec.describe GlobalPolicy do ...@@ -266,4 +266,48 @@ RSpec.describe GlobalPolicy do
it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) } it { is_expected.to(allowed ? be_allowed(policy) : be_disallowed(policy)) }
end end
end end
describe 'create_group_via_api' do
let(:policy) { :create_group_via_api }
context 'on .com' do
before do
allow(::Gitlab).to receive(:com?).and_return(true)
end
context 'when feature is enabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: true)
end
it { is_expected.to be_allowed(policy) }
end
context 'when feature is disabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: false)
end
it { is_expected.to be_disallowed(policy) }
end
end
context 'on self-managed' do
context 'when feature is enabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: true)
end
it { is_expected.to be_allowed(policy) }
end
context 'when feature is disabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: false)
end
it { is_expected.to be_allowed(policy) }
end
end
end
end end
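Review bot: The 'on self-managed' context never stubs `::Gitlab.com?`, so its expectations hold only while the test environment reports false by default, whereas the 'on .com' context stubs it explicitly. Adding `before { allow(::Gitlab).to receive(:com?).and_return(false) }` to that context would make the result independent of the environment. The same applies to the 'when creating group on self-managed' context in the API::Groups request spec. The subject and user for these examples are defined outside the hunk.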
...@@ -414,6 +414,100 @@ RSpec.describe API::Groups do ...@@ -414,6 +414,100 @@ RSpec.describe API::Groups do
end end
end end
end end
context 'when creating group on .com' do
before do
allow(::Gitlab).to receive(:com?).and_return(true)
end
context 'when top_level_group_creation_enabled feature flag is disabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: false)
end
it 'does not create a top-level group' do
group = attributes_for_group_api
expect do
post api("/groups", admin), params: group
end.not_to change { Group.count }
expect(response).to have_gitlab_http_status(:forbidden)
end
it 'creates a subgroup' do
parent = create(:group)
parent.add_owner(admin)
expect do
post api("/groups", admin), params: { parent_id: parent.id, name: 'foo', path: 'foo' }
end.to change { Group.count }.by(1)
expect(response).to have_gitlab_http_status(:created)
end
end
context 'when top_level_group_creation_enabled feature flag is enabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: true)
end
it 'creates a top-level group' do
group = attributes_for_group_api
expect do
post api("/groups", admin), params: group
end.to change { Group.count }
expect(response).to have_gitlab_http_status(:created)
end
end
end
context 'when creating group on self-managed' do
context 'when top_level_group_creation_enabled feature flag is disabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: false)
end
it 'creates a top-level group' do
group = attributes_for_group_api
expect do
post api("/groups", admin), params: group
end.to change { Group.count }
expect(response).to have_gitlab_http_status(:created)
end
it 'creates a subgroup' do
parent = create(:group)
parent.add_owner(admin)
expect do
post api("/groups", admin), params: { parent_id: parent.id, name: 'foo', path: 'foo' }
end.to change { Group.count }.by(1)
expect(response).to have_gitlab_http_status(:created)
end
end
context 'when top_level_group_creation_enabled feature flag is enabled' do
before do
stub_feature_flags(top_level_group_creation_enabled: true)
end
it 'creates a top-level group' do
group = attributes_for_group_api
expect do
post api("/groups", admin), params: group
end.to change { Group.count }
expect(response).to have_gitlab_http_status(:created)
end
end
end
end end
describe 'POST /groups/:id/ldap_sync' do describe 'POST /groups/:id/ldap_sync' do
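Review bot: Every request in these new contexts is made as `admin`, so the specs do not pin what a non-admin user who may create groups receives when the flag is off on .com. They also do not show that a user without `:create_group` is still rejected when the flag is on. One example per case with a non-admin user would cover the authorization paths the new ability is supposed to preserve. The top-level examples also assert `.to change { Group.count }` where the subgroup examples use `.by(1)`; `.to change { Group.count }.by(1)` would be tighter and consistent.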
......
...@@ -137,6 +137,10 @@ module API ...@@ -137,6 +137,10 @@ module API
end end
end end
# rubocop: enable CodeReuse/ActiveRecord # rubocop: enable CodeReuse/ActiveRecord
def authorize_group_creation!
authorize! :create_group
end
end end
resource :groups do resource :groups do
...@@ -169,7 +173,7 @@ module API ...@@ -169,7 +173,7 @@ module API
if parent_group if parent_group
authorize! :create_subgroup, parent_group authorize! :create_subgroup, parent_group
else else
authorize! :create_group authorize_group_creation!
end end
group = create_group group = create_group
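Review bot: The new helper `authorize_group_creation!` is an extension point that the EE module in this commit overrides, but nothing in this file says so. Without a comment, a later cleanup could inline it back to `authorize! :create_group`, or add another top-level creation path that calls `authorize! :create_group` directly, and either would bypass the flag check without any visible sign. I would add a comment above the helper such as `# Overridden in EE to authorize :create_group_via_api (adds the GitLab.com ops-flag check); top-level creation must go through this helper`. The surrounding `helpers` block and the `post` handler both extend beyond the visible hunks.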
......