diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml index 7142128d2cd6c4d468430b5b662f9f692e2205e3..6f177abc82e79a14a10f5e7a3bec686010801fde 100644 --- a/app/views/admin/application_settings/_visibility_and_access.html.haml +++ b/app/views/admin/application_settings/_visibility_and_access.html.haml @@ -19,6 +19,8 @@ = s_('AdminSettings|Restricted visibility levels') %small.form-text.text-gl-muted = s_('AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets.') + = s_('AdminSettings|The selected level must be different from the selected default group and project visibility.') + = link_to _('Learn more.'), help_page_path('administration/settings/visibility_and_access_controls', anchor: 'restrict-visibility-levels'), target: '_blank', rel: 'noopener noreferrer' = hidden_field_tag 'application_setting[restricted_visibility_levels][]' .gl-form-checkbox-group - restricted_level_checkboxes(f).each do |checkbox| diff --git a/config/feature_flags/development/prevent_visibility_restriction.yml b/config/feature_flags/development/prevent_visibility_restriction.yml index 9f5b82b6f6954b70a04547e2620dad2b893e63f5..09b082952c3f5e210940ce8e222189241dcb6a53 100644 --- a/config/feature_flags/development/prevent_visibility_restriction.yml +++ b/config/feature_flags/development/prevent_visibility_restriction.yml @@ -5,4 +5,4 @@ rollout_issue_url: milestone: '16.3' type: development group: group::acquisition -default_enabled: false +default_enabled: true diff --git a/doc/administration/settings/visibility_and_access_controls.md b/doc/administration/settings/visibility_and_access_controls.md index fb15203e393ee5a55b19def42938d556f5552c0d..37e01460cc417ee8e29eb7f79f638aa82e676eb0 100644 --- a/doc/administration/settings/visibility_and_access_controls.md +++ b/doc/administration/settings/visibility_and_access_controls.md @@ -132,6 +132,9 @@ To set the default [visibility levels for new projects](../../user/public_access - **Public** - The project can be accessed without any authentication. 1. Select **Save changes**. +For more details on project visibility, see +[Project visibility](../../user/public_access.md). + ## Configure snippet visibility defaults To set the default visibility levels for new [snippets](../../user/snippets.md): @@ -145,7 +148,7 @@ To set the default visibility levels for new [snippets](../../user/snippets.md): 1. Select **Save changes**. For more details on snippet visibility, read -[Project visibility](../../user/public_access.md). +[Snippet visibility](../../user/snippets.md). ## Configure group visibility defaults @@ -167,6 +170,9 @@ For more details on group visibility, see ## Restrict visibility levels +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649) in GitLab 16.3 to prevent restricting default project and group visibility, [with a flag](../feature_flags.md) named `prevent_visibility_restriction`. Disabled by default. +> - `prevent_visibility_restriction` [enabled](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) by default in GitLab 16.4. + When restricting visibility levels, consider how these restrictions interact with permissions for subgroups and projects that inherit their visibility from the item you're changing. @@ -191,8 +197,8 @@ To restrict visibility levels for groups, projects, snippets, and selected pages - Only administrators are able to create private groups, projects, and snippets. 1. Select **Save changes**. -For more details on project visibility, see -[Project visibility](../../user/public_access.md). +NOTE: +You cannot select the restricted default visibility level for new projects and groups. ## Configure allowed import sources diff --git a/doc/api/settings.md b/doc/api/settings.md index f654c326eb30a6c7d03d7cbd15e0575098476168..9975037036f9c8ba61cd89d2d8a7d3fa630378fa 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -347,10 +347,10 @@ listed in the descriptions of the relevant settings. | `default_branch_name` | string | no | [Instance-level custom initial branch name](../user/project/repository/branches/default.md#instance-level-custom-initial-branch-name). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225258) in GitLab 13.2. | | `default_branch_protection` | integer | no | Determine if developers can push to the default branch. Can take: `0` _(not protected, both users with the Developer role or Maintainer role can push new commits and force push)_, `1` _(partially protected, users with the Developer role or Maintainer role can push new commits, but cannot force push)_ or `2` _(fully protected, users with the Developer or Maintainer role cannot push new commits, but users with the Developer or Maintainer role can; no one can force push)_ as a parameter. Default is `2`. | | `default_ci_config_path` | string | no | Default CI/CD configuration file and path for new projects (`.gitlab-ci.yml` if not set). | -| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | +| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot be set to any levels in `restricted_visibility_levels`.| | `default_preferred_language` | string | no | Default preferred language for users who are not logged in. | | `default_project_creation` | integer | no | Default project creation protection. Can take: `0` _(No one)_, `1` _(Maintainers)_ or `2` _(Developers + Maintainers)_| -| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | +| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot be set to any levels in `restricted_visibility_levels`.| | `default_projects_limit` | integer | no | Project limit per user. Default is `100000`. | | `default_snippet_visibility` | string | no | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | | `default_syntax_highlighting_theme` | integer | no | Default syntax highlighting theme for users who are new or not signed in. See [IDs of available themes](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/themes.rb#L16). | @@ -528,7 +528,7 @@ listed in the descriptions of the relevant settings. | `repository_storages` | array of strings | no | (GitLab 13.0 and earlier) List of names of enabled storage paths, taken from `gitlab.yml`. New projects are created in one of these stores, chosen at random. | | `require_admin_approval_after_user_signup` | boolean | no | When enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state and has to be explicitly [approved](../administration/moderate_users.md) by an administrator. | | `require_two_factor_authentication` | boolean | no | (**If enabled, requires:** `two_factor_grace_period`) Require all users to set up Two-factor authentication. | -| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction. | +| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot select levels that are set as `default_project_visibility` and `default_group_visibility`. | | `rsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `0` (no restriction). `-1` disables RSA keys. | | `session_expire_delay` | integer | no | Session duration in minutes. GitLab restart is required to apply changes. | | `security_policy_global_group_approvers_enabled` | boolean | no | Whether to look up scan result policy approval groups globally or within project hierarchies. | diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 0f20955e733ece974c7b931b383b838bc192df63..8b4f229ca532e775548a61b4c5bf4ea742f644ea 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3711,6 +3711,9 @@ msgstr "" msgid "AdminSettings|The maximum number of included files per pipeline." msgstr "" +msgid "AdminSettings|The selected level must be different from the selected default group and project visibility." +msgstr "" + msgid "AdminSettings|The template for the required pipeline configuration can be one of the GitLab-provided templates, or a custom template added to an instance template repository. %{link_start}How do I create an instance template repository?%{link_end}" msgstr ""