From bcb394e209f74150f27ee9bf07410c5c1941b960 Mon Sep 17 00:00:00 2001 From: rliu-int Date: Wed, 13 Sep 2023 17:13:46 -0400 Subject: [PATCH 1/2] Default prevent_visibility_restriction on and update docs Changelog: changed --- .../_visibility_and_access.html.haml | 2 ++ .../development/prevent_visibility_restriction.yml | 2 +- .../settings/visibility_and_access_controls.md | 13 ++++++++++--- doc/api/settings.md | 6 +++--- locale/gitlab.pot | 3 +++ 5 files changed, 19 insertions(+), 7 deletions(-) diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml index 7142128d2cd6c4..3583ddad2bac9d 100644 --- a/app/views/admin/application_settings/_visibility_and_access.html.haml +++ b/app/views/admin/application_settings/_visibility_and_access.html.haml @@ -19,6 +19,8 @@ = s_('AdminSettings|Restricted visibility levels') %small.form-text.text-gl-muted = s_('AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets.') + = s_('AdminSettings|The selected level must be different from the selected default project, group visibility.') + = link_to _('Learn more.'), help_page_path('administration/settings/visibility_and_access_controls', anchor: 'restrict-visibility-levels'), target: '_blank', rel: 'noopener noreferrer' = hidden_field_tag 'application_setting[restricted_visibility_levels][]' .gl-form-checkbox-group - restricted_level_checkboxes(f).each do |checkbox| diff --git a/config/feature_flags/development/prevent_visibility_restriction.yml b/config/feature_flags/development/prevent_visibility_restriction.yml index 9f5b82b6f6954b..09b082952c3f5e 100644 --- a/config/feature_flags/development/prevent_visibility_restriction.yml +++ b/config/feature_flags/development/prevent_visibility_restriction.yml 
@@ -5,4 +5,4 @@ rollout_issue_url: milestone: '16.3' type: development group: group::acquisition -default_enabled: false +default_enabled: true diff --git a/doc/administration/settings/visibility_and_access_controls.md b/doc/administration/settings/visibility_and_access_controls.md index fb15203e393ee5..67f2d7c75f358e 100644 --- a/doc/administration/settings/visibility_and_access_controls.md +++ b/doc/administration/settings/visibility_and_access_controls.md @@ -132,6 +132,9 @@ To set the default [visibility levels for new projects](../../user/public_access - **Public** - The project can be accessed without any authentication. 1. Select **Save changes**. +For more details on project visibility, see +[Project visibility](../../user/public_access.md). + ## Configure snippet visibility defaults To set the default visibility levels for new [snippets](../../user/snippets.md): @@ -145,7 +148,7 @@ To set the default visibility levels for new [snippets](../../user/snippets.md): 1. Select **Save changes**. For more details on snippet visibility, read -[Project visibility](../../user/public_access.md). +[Snippet visibility](../../user/snippets.md). ## Configure group visibility defaults 
@@ -167,6 +170,11 @@ For more details on group visibility, see ## Restrict visibility levels +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649) in GitLab 16.3 to prevent restricting default project, group visibility, [with a flag](../feature_flags.md) named `prevent_visibility_restriction`. Disabled by default. +> - `prevent_visibility_restriction` was [enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/419987) in GitLab 16.3. +> - `prevent_visibility_restriction` was [enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4. +> - `prevent_visibility_restriction` was [enabled](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) by default in GitLab 16.4. + When restricting visibility levels, consider how these restrictions interact with permissions for subgroups and projects that inherit their visibility from the item you're changing. @@ -191,8 +199,7 @@ To restrict visibility levels for groups, projects, snippets, and selected pages - Only administrators are able to create private groups, projects, and snippets. 1. Select **Save changes**. -For more details on project visibility, see -[Project visibility](../../user/public_access.md). +Note that the default visibility levels for new projects and groups can not be selected as restricted. ## Configure allowed import sources diff --git a/doc/api/settings.md b/doc/api/settings.md index f654c326eb30a6..c8a69dbdb22d3b 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md 
@@ -347,10 +347,10 @@ listed in the descriptions of the relevant settings. | `default_branch_name` | string | no | [Instance-level custom initial branch name](../user/project/repository/branches/default.md#instance-level-custom-initial-branch-name). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225258) in GitLab 13.2. | | `default_branch_protection` | integer | no | Determine if developers can push to the default branch. Can take: `0` _(not protected, both users with the Developer role or Maintainer role can push new commits and force push)_, `1` _(partially protected, users with the Developer role or Maintainer role can push new commits, but cannot force push)_ or `2` _(fully protected, users with the Developer or Maintainer role cannot push new commits, but users with the Developer or Maintainer role can; no one can force push)_ as a parameter. Default is `2`. | | `default_ci_config_path` | string | no | Default CI/CD configuration file and path for new projects (`.gitlab-ci.yml` if not set). | -| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | +| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not be set to any levels in `restricted_visibility_levels`.| | `default_preferred_language` | string | no | Default preferred language for users who are not logged in. | | `default_project_creation` | integer | no | Default project creation protection. Can take: `0` _(No one)_, `1` _(Maintainers)_ or `2` _(Developers + Maintainers)_| -| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. 
| +| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not be set to any levels in `restricted_visibility_levels`.| | `default_projects_limit` | integer | no | Project limit per user. Default is `100000`. | | `default_snippet_visibility` | string | no | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | | `default_syntax_highlighting_theme` | integer | no | Default syntax highlighting theme for users who are new or not signed in. See [IDs of available themes](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/themes.rb#L16). | 
@@ -528,7 +528,7 @@ listed in the descriptions of the relevant settings. | `repository_storages` | array of strings | no | (GitLab 13.0 and earlier) List of names of enabled storage paths, taken from `gitlab.yml`. New projects are created in one of these stores, chosen at random. | | `require_admin_approval_after_user_signup` | boolean | no | When enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state and has to be explicitly [approved](../administration/moderate_users.md) by an administrator. | | `require_two_factor_authentication` | boolean | no | (**If enabled, requires:** `two_factor_grace_period`) Require all users to set up Two-factor authentication. | -| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction. | +| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not select levels that are set as `default_project_visibility` and `default_group_visibility`. | | `rsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `0` (no restriction). `-1` disables RSA keys. | | `session_expire_delay` | integer | no | Session duration in minutes. GitLab restart is required to apply changes. | | `security_policy_global_group_approvers_enabled` | boolean | no | Whether to look up scan result policy approval groups globally or within project hierarchies. | diff --git a/locale/gitlab.pot b/locale/gitlab.pot index 0f20955e733ece..d462876d0bf6c4 100644 
--- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3711,6 +3711,9 @@ msgstr "" msgid "AdminSettings|The maximum number of included files per pipeline." msgstr "" +msgid "AdminSettings|The selected level must be different from the selected default project, group visibility." +msgstr "" + msgid "AdminSettings|The template for the required pipeline configuration can be one of the GitLab-provided templates, or a custom template added to an instance template repository. %{link_start}How do I create an instance template repository?%{link_end}" msgstr "" -- GitLab From 4c572dd5f25a3ea3b7fb8b06f73255bb2335df1d Mon Sep 17 00:00:00 2001 From: Lorena Ciutacu Date: Thu, 14 Sep 2023 17:23:00 +0000 Subject: [PATCH 2/2] Apply reviewer suggestions --- .../_visibility_and_access.html.haml | 2 +- .../settings/visibility_and_access_controls.md | 9 ++++----- doc/api/settings.md | 6 +++--- locale/gitlab.pot | 2 +- 4 files changed, 9 insertions(+), 10 deletions(-) diff --git a/app/views/admin/application_settings/_visibility_and_access.html.haml b/app/views/admin/application_settings/_visibility_and_access.html.haml index 3583ddad2bac9d..6f177abc82e79a 100644 --- a/app/views/admin/application_settings/_visibility_and_access.html.haml +++ b/app/views/admin/application_settings/_visibility_and_access.html.haml 
@@ -19,7 +19,7 @@ = s_('AdminSettings|Restricted visibility levels') %small.form-text.text-gl-muted = s_('AdminSettings|Prevent non-administrators from using the selected visibility levels for groups, projects and snippets.') - = s_('AdminSettings|The selected level must be different from the selected default project, group visibility.') + = s_('AdminSettings|The selected level must be different from the selected default group and project visibility.') = link_to _('Learn more.'), help_page_path('administration/settings/visibility_and_access_controls', anchor: 'restrict-visibility-levels'), target: '_blank', rel: 'noopener noreferrer' = hidden_field_tag 'application_setting[restricted_visibility_levels][]' .gl-form-checkbox-group diff --git a/doc/administration/settings/visibility_and_access_controls.md b/doc/administration/settings/visibility_and_access_controls.md index 67f2d7c75f358e..37e01460cc417e 100644 --- a/doc/administration/settings/visibility_and_access_controls.md +++ b/doc/administration/settings/visibility_and_access_controls.md 
@@ -170,10 +170,8 @@ For more details on group visibility, see ## Restrict visibility levels -> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649) in GitLab 16.3 to prevent restricting default project, group visibility, [with a flag](../feature_flags.md) named `prevent_visibility_restriction`. Disabled by default. -> - `prevent_visibility_restriction` was [enabled on GitLab.com](https://gitlab.com/gitlab-org/gitlab/-/issues/419987) in GitLab 16.3. -> - `prevent_visibility_restriction` was [enabled on self-managed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4. -> - `prevent_visibility_restriction` was [enabled](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) by default in GitLab 16.4. +> - [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649) in GitLab 16.3 to prevent restricting default project and group visibility, [with a flag](../feature_flags.md) named `prevent_visibility_restriction`. Disabled by default. +> - `prevent_visibility_restriction` [enabled](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) by default in GitLab 16.4. When restricting visibility levels, consider how these restrictions interact with permissions for subgroups and projects that inherit their visibility from @@ -199,7 +197,8 @@ To restrict visibility levels for groups, projects, snippets, and selected pages - Only administrators are able to create private groups, projects, and snippets. 1. Select **Save changes**. -Note that the default visibility levels for new projects and groups can not be selected as restricted. +NOTE: +You cannot select the restricted default visibility level for new projects and groups. ## Configure allowed import sources diff --git a/doc/api/settings.md b/doc/api/settings.md index c8a69dbdb22d3b..9975037036f9c8 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md 
@@ -347,10 +347,10 @@ listed in the descriptions of the relevant settings. | `default_branch_name` | string | no | [Instance-level custom initial branch name](../user/project/repository/branches/default.md#instance-level-custom-initial-branch-name). [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/225258) in GitLab 13.2. | | `default_branch_protection` | integer | no | Determine if developers can push to the default branch. Can take: `0` _(not protected, both users with the Developer role or Maintainer role can push new commits and force push)_, `1` _(partially protected, users with the Developer role or Maintainer role can push new commits, but cannot force push)_ or `2` _(fully protected, users with the Developer or Maintainer role cannot push new commits, but users with the Developer or Maintainer role can; no one can force push)_ as a parameter. Default is `2`. | | `default_ci_config_path` | string | no | Default CI/CD configuration file and path for new projects (`.gitlab-ci.yml` if not set). | -| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not be set to any levels in `restricted_visibility_levels`.| +| `default_group_visibility` | string | no | What visibility level new groups receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot be set to any levels in `restricted_visibility_levels`.| | `default_preferred_language` | string | no | Default preferred language for users who are not logged in. | | `default_project_creation` | integer | no | Default project creation protection. 
Can take: `0` _(No one)_, `1` _(Maintainers)_ or `2` _(Developers + Maintainers)_| -| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not be set to any levels in `restricted_visibility_levels`.| +| `default_project_visibility` | string | no | What visibility level new projects receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. [Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot be set to any levels in `restricted_visibility_levels`.| | `default_projects_limit` | integer | no | Project limit per user. Default is `100000`. | | `default_snippet_visibility` | string | no | What visibility level new snippets receive. Can take `private`, `internal` and `public` as a parameter. Default is `private`. | | `default_syntax_highlighting_theme` | integer | no | Default syntax highlighting theme for users who are new or not signed in. See [IDs of available themes](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/themes.rb#L16). | 
@@ -528,7 +528,7 @@ listed in the descriptions of the relevant settings. | `repository_storages` | array of strings | no | (GitLab 13.0 and earlier) List of names of enabled storage paths, taken from `gitlab.yml`. New projects are created in one of these stores, chosen at random. | | `require_admin_approval_after_user_signup` | boolean | no | When enabled, any user that signs up for an account using the registration form is placed under a **Pending approval** state and has to be explicitly [approved](../administration/moderate_users.md) by an administrator. | | `require_two_factor_authentication` | boolean | no | (**If enabled, requires:** `two_factor_grace_period`) Require all users to set up Two-factor authentication. | -| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: can not select levels that are set as `default_project_visibility` and `default_group_visibility`. | +| `restricted_visibility_levels` | array of strings | no | Selected levels cannot be used by non-Administrator users for groups, projects or snippets. Can take `private`, `internal` and `public` as a parameter. Default is `null` which means there is no restriction.[Changed](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/131203) in GitLab 16.4: cannot select levels that are set as `default_project_visibility` and `default_group_visibility`. | | `rsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `0` (no restriction). `-1` disables RSA keys. | | `session_expire_delay` | integer | no | Session duration in minutes. GitLab restart is required to apply changes. 
| | `security_policy_global_group_approvers_enabled` | boolean | no | Whether to look up scan result policy approval groups globally or within project hierarchies. | diff --git a/locale/gitlab.pot b/locale/gitlab.pot index d462876d0bf6c4..8b4f229ca532e7 100644 --- a/locale/gitlab.pot +++ b/locale/gitlab.pot @@ -3711,7 +3711,7 @@ msgstr "" msgid "AdminSettings|The maximum number of included files per pipeline." msgstr "" -msgid "AdminSettings|The selected level must be different from the selected default project, group visibility." +msgid "AdminSettings|The selected level must be different from the selected default group and project visibility." msgstr "" msgid "AdminSettings|The template for the required pipeline configuration can be one of the GitLab-provided templates, or a custom template added to an instance template repository. %{link_start}How do I create an instance template repository?%{link_end}" -- GitLab
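Review bot: In config/feature_flags/development/prevent_visibility_restriction.yml (PATCH 1/2), `rollout_issue_url:` is still blank on the context line above `default_enabled: true`. A flag that is on by default should point at its rollout issue. The docs hunk in the same patch already links https://gitlab.com/gitlab-org/gitlab/-/issues/419987 for the GitLab.com enablement, so that URL looks like the value to record here. The diffstat for this patch lists no spec files, so please also confirm that any spec that sets a restricted level equal to a default level stubs the flag explicitly instead of relying on the old `false` default.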
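Review bot: In app/views/admin/application_settings/_visibility_and_access.html.haml, the help string reads "The selected level must be different from ..." in the singular, even after the PATCH 2/2 rewording, but the field below it is a `.gl-form-checkbox-group` built from `restricted_level_checkboxes(f)`, so an administrator can tick several levels. Suggest "Selected levels must be different from the default group and project visibility levels." and updating the matching `msgid` in locale/gitlab.pot in the same commit so the two strings stay identical.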
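Review bot: In doc/administration/settings/visibility_and_access_controls.md (PATCH 2/2, the hunk ending at "Configure allowed import sources"), the new NOTE "You cannot select the restricted default visibility level for new projects and groups" reverses the sentence it replaces. It now reads as if a "restricted default" level exists and cannot be chosen, where the removed line said that a level set as the default cannot be selected as restricted. Suggest "You cannot restrict a visibility level that is set as the default for new projects or groups." The section also does not say what an administrator sees after upgrading if the instance already has a default level in the restricted list, and a sentence covering that case would help.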
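Review bot: In doc/api/settings.md (the `@@ -347,10 +347,10 @@` hunk), the `default_group_visibility` and `default_project_visibility` rows state that the value "cannot be set to any levels in `restricted_visibility_levels`" but do not say what the API does when a request violates that, for example whether the whole update is rejected and with which status. API consumers that automate instance settings need that to handle the 16.4 behaviour change, so please add it to the description. Two smaller points on the same rows: "any levels" should be "any level", and both cells end in `.|` without the space before the closing pipe that the neighbouring rows use.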
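Review bot: In doc/api/settings.md (the `@@ -528,7 +528,7 @@` hunk), the `restricted_visibility_levels` description is missing a space between "no restriction." and "[Changed]", and PATCH 2/2 carries that over unchanged. The clause "levels that are set as `default_project_visibility` and `default_group_visibility`" also reads as if a level is blocked only when it is both defaults at once. "or" matches the two default rows, which each apply the rule independently.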