Merge branch 'if-238165-fix_project_create_authorization_for_admin' into 'master'

Projects::CreateService to consider only group membership for admin

See merge request gitlab-org/gitlab!42335

app/models/group.rb

@@ -410,10 +410,17 @@ class Group < Namespace
       .where(namespaces: { id: self_and_descendants.select(:id) })
   end
 
-  def max_member_access_for_user(user)
+  # Return the highest access level for a user
+  #
+  # A special case is handled here when the user is a GitLab admin
+  # which implies it has "OWNER" access everywhere, but should not
+  # officially appear as a member of a group unless specifically added to it
+  #
+  # @param user [User]
+  # @param only_concrete_membership [Bool] whether require admin concrete membership status
+  def max_member_access_for_user(user, only_concrete_membership: false)
     return GroupMember::NO_ACCESS unless user
-
-    return GroupMember::OWNER if user.admin?
+    return GroupMember::OWNER if user.admin? && !only_concrete_membership
 
     max_member_access = members_with_parents.where(user_id: user)
                                             .reorder(access_level: :desc)

app/services/projects/create_service.rb

@@ -114,8 +114,13 @@ module Projects
     # completes), and any other affected users in the background
     def setup_authorizations
       if @project.group
+        group_access_level = @project.group.max_member_access_for_user(current_user,
+                                                                       only_concrete_membership: true)
+
+        if group_access_level > GroupMember::NO_ACCESS
           current_user.project_authorizations.create!(project: @project,
-                                                    access_level: @project.group.max_member_access_for_user(current_user))
+                                                      access_level: group_access_level)
+        end
 
         if Feature.enabled?(:specialized_project_authorization_workers)
           AuthorizedProjectUpdate::ProjectCreateWorker.perform_async(@project.id)

changelogs/unreleased/238165-fix_project_create_authorization_for_admin.yml

+---
+title: Do not add admins as owners to project authorizations during project creation
+merge_request: 42335
+author:
+type: fixed

spec/models/group_spec.rb

@@ -653,6 +653,19 @@ RSpec.describe Group do
         expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::MAINTAINER)
       end
     end
+
+    context 'evaluating admin access level' do
+      let_it_be(:admin) { create(:admin) }
+
+      it 'returns OWNER by default' do
+        expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
+      end
+
+      it 'returns NO_ACCESS when only concrete membership should be considered' do
+        expect(group.max_member_access_for_user(admin, only_concrete_membership: true))
+          .to eq(Gitlab::Access::NO_ACCESS)
+      end
+    end
   end
 
   describe '#members_with_parents' do

spec/requests/api/projects_spec.rb

@@ -490,6 +490,25 @@ RSpec.describe API::Projects do
           expect(json_response.first['name']).to eq(project4.name)
           expect(json_response.first['owner']['username']).to eq(user4.username)
         end
+
+        context 'when admin creates a project' do
+          before do
+            group = create(:group)
+            project_create_opts = {
+              name: 'GitLab',
+              namespace_id: group.id
+            }
+
+            Projects::CreateService.new(admin, project_create_opts).execute
+          end
+
+          it 'does not list as owned project for admin' do
+            get api('/projects', admin), params: { owned: true }
+
+            expect(response).to have_gitlab_http_status(:ok)
+            expect(json_response).to be_empty
+          end
+        end
       end
 
       context 'and with starred=true' do