From 5bbf9acc6fd99ecc39a328b58930c2fd526c1b2c Mon Sep 17 00:00:00 2001
From: Eugie Limpin
Date: Tue, 15 Jul 2025 16:40:01 +0800
Subject: [PATCH 1/3] Add read_admin_groups custom admin role permission
---
app/policies/global_policy.rb | 1 +
.../json_schemas/admin_role_permissions.json | 3 +++
.../json_schemas/member_role_permissions.json | 3 +++
doc/api/graphql/reference/_index.md | 2 ++
doc/api/openapi/openapi_v2.yaml | 2 ++
doc/user/custom_roles/abilities.md | 1 +
ee/app/policies/ee/global_policy.rb | 6 ++++++
.../custom_abilities/admin/read_admin_groups.yml | 8 ++++++++
ee/spec/policies/global_policy_spec.rb | 14 ++++++++------
spec/policies/global_policy_spec.rb | 1 +
10 files changed, 35 insertions(+), 6 deletions(-)
create mode 100644 ee/config/custom_abilities/admin/read_admin_groups.yml
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 616f37b34cdb68..c50dc07c02ade5 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -161,6 +161,7 @@ class GlobalPolicy < BasePolicy
 enable :read_admin_metrics_dashboard
 enable :read_admin_system_information
 enable :read_admin_users
+ enable :read_admin_groups
 enable :read_application_statistics
 end
diff --git a/app/validators/json_schemas/admin_role_permissions.json b/app/validators/json_schemas/admin_role_permissions.json
index 269169e049fd90..c7876bfacb1b28 100644
--- a/app/validators/json_schemas/admin_role_permissions.json
+++ b/app/validators/json_schemas/admin_role_permissions.json
@@ -15,6 +15,9 @@
 },
 "read_admin_users": {
 "type": "boolean"
+ },
+ "read_admin_groups": {
+ "type": "boolean"
 }
 }
 }
diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index f4fccfed19ed31..d0bda29cacbc15 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -79,6 +79,9 @@
 "read_admin_users": {
 "type": "boolean"
 },
+ "read_admin_groups": {
+ "type": "boolean"
+ },
 "read_code": {
 "type": "boolean"
 },
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index 462f91fff6ed29..bfddd96fcc30a4 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -46724,6 +46724,7 @@ Member role admin permission.
 | Value | Description |
 | ----- | ----------- |
 | `READ_ADMIN_CICD` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read CI/CD details for runners and jobs in the Admin Area. |
+| `READ_ADMIN_GROUPS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read group details in the Admin Area. |
 | `READ_ADMIN_MONITORING` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
 | `READ_ADMIN_SUBSCRIPTION` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read subscription details in the Admin area. |
 | `READ_ADMIN_USERS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read the user list and user details in the Admin area. |
@@ -46756,6 +46757,7 @@ Member role permission.
 | `MANAGE_PROTECTED_TAGS` | Create, read, update, and delete protected tags. |
 | `MANAGE_SECURITY_POLICY_LINK` | Allows linking security policy projects. |
 | `READ_ADMIN_CICD` | Read CI/CD details for runners and jobs in the Admin Area. |
+| `READ_ADMIN_GROUPS` | Read group details in the Admin Area. |
 | `READ_ADMIN_MONITORING` | Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
 | `READ_ADMIN_SUBSCRIPTION` | Read subscription details in the Admin area. |
 | `READ_ADMIN_USERS` | Read the user list and user details in the Admin area. |
diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml
index 3f5632c395230a..1743cb94cd729d 100644
--- a/doc/api/openapi/openapi_v2.yaml
+++ b/doc/api/openapi/openapi_v2.yaml
@@ -48991,6 +48991,8 @@ definitions:
 type: boolean
 read_dependency:
 type: boolean
+ read_admin_groups:
+ type: boolean
 read_code:
 type: boolean
 read_runners:
diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md
index b7cf58d4f106ea..13dd5422354518 100644
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -35,6 +35,7 @@ Any dependencies are noted in the `Description` column for each permission.
 | Permission | Description | API Attribute | Scope | Introduced |
 |:-----------|:------------|:--------------|:------|:-----------|
 | View CI/CD | Read CI/CD details for runners and jobs in the Admin Area. | [`read_admin_cicd`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177233) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507960) |
+| View Groups | Read group details in the Admin Area. | [`read_admin_groups`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/534449) |
 | View subscription details | Read subscription details in the Admin area. | [`read_admin_subscription`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178230) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507961) |
 | View system monitoring | Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. | [`read_admin_monitoring`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179439) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507959) |
 | View users | Read the user list and user details in the Admin area. | [`read_admin_users`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177514) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/508782) |
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index a0215b40927fd8..dc1d084bef6d19 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -257,6 +257,12 @@ module GlobalPolicy
 enable :read_admin_users
 end
+ rule { custom_role_enables_read_admin_groups }.policy do
+ enable :access_admin_area
+ enable :read_application_statistics
+ enable :read_admin_groups
+ end
+
 rule { admin & duo_core_features_available }.policy do
 enable :manage_duo_core_settings
 end
diff --git a/ee/config/custom_abilities/admin/read_admin_groups.yml b/ee/config/custom_abilities/admin/read_admin_groups.yml
new file mode 100644
index 00000000000000..e1a297d3015333
--- /dev/null
+++ b/ee/config/custom_abilities/admin/read_admin_groups.yml
@@ -0,0 +1,8 @@
+---
+title: View Groups
+name: read_admin_groups
+description: Read group details in the Admin Area.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/534449
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777
+feature_category: admin
+milestone: '18.3'
diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb
index f84526d68fda8b..0b070b5df34719 100644
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -911,18 +911,20 @@
 end
 context 'custom permissions', :enable_admin_mode do
+ let_it_be(:enabled_for_all) { %i[access_admin_area read_application_statistics] }
+
 where(:custom_ability, :enabled_permissions) do
- :read_admin_cicd | %i[access_admin_area read_admin_cicd]
+ :read_admin_cicd | %i[read_admin_cicd]
 :read_admin_monitoring | %i[
- access_admin_area
 read_admin_audit_log
 read_admin_background_migrations
 read_admin_gitaly_servers
 read_admin_health_check
 read_admin_system_information
 ]
- :read_admin_subscription | %i[access_admin_area read_admin_subscription read_billable_member read_licenses]
- :read_admin_users | %i[access_admin_area read_admin_users]
+ :read_admin_subscription | %i[read_admin_subscription read_billable_member read_licenses]
+ :read_admin_users | %i[read_admin_users]
+ :read_admin_groups | %i[read_admin_groups]
 end
 with_them do
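Review bot: `let_it_be(:enabled_for_all)` in the `custom permissions` context wraps a plain symbol-array literal, and `let_it_be` is generally reserved for persisted fixtures that must survive across examples; a plain `let(:enabled_for_all) { %i[access_admin_area read_application_statistics] }` (or a frozen constant) expresses the same thing without implying database setup. The `be_allowed(*(enabled_permissions + enabled_for_all))` assertions in the following hunks depend on this name, so whichever form is chosen should stay consistent there. The enclosing `describe` and the `with_them` block continue outside the hunk.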
@@ -936,7 +938,7 @@
 stub_licensed_features(custom_roles: true)
 end
- it { is_expected.to be_allowed(*enabled_permissions) }
+ it { is_expected.to be_allowed(*(enabled_permissions + enabled_for_all)) }
 end
 context 'when custom_roles feature is disabled' do
@@ -944,7 +946,7 @@
 stub_licensed_features(custom_roles: false)
 end
- it { is_expected.to be_disallowed(*enabled_permissions) }
+ it { is_expected.to be_disallowed(*(enabled_permissions + enabled_for_all)) }
 end
 end
 end
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index cbc04ca9a7ab90..48e9b9aee25a5a 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -754,6 +754,7 @@
 :access_admin_area,
 :read_application_statistics,
 :read_admin_users,
+ :read_admin_groups,
 :read_admin_audit_log,
 :read_admin_background_jobs,
 :read_admin_background_migrations,
-- 
GitLab
From 3265e3697903f97b504b3ba938987d1c457f278c Mon Sep 17 00:00:00 2001
From: Eugie Limpin
Date: Wed, 16 Jul 2025 15:53:01 +0800
Subject: [PATCH 2/3] Add read_admin_projects custom admin role permission
---
app/policies/global_policy.rb | 1 +
.../json_schemas/admin_role_permissions.json | 3 +++
.../json_schemas/member_role_permissions.json | 3 +++
doc/api/graphql/reference/_index.md | 2 ++
doc/api/openapi/openapi_v2.yaml | 2 ++
doc/user/custom_roles/abilities.md | 1 +
ee/app/policies/ee/global_policy.rb | 23 +++++++++++--------
.../admin/read_admin_projects.yml | 8 +++++++
ee/spec/policies/global_policy_spec.rb | 1 +
spec/policies/global_policy_spec.rb | 1 +
10 files changed, 36 insertions(+), 9 deletions(-)
create mode 100644 ee/config/custom_abilities/admin/read_admin_projects.yml
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c50dc07c02ade5..0fc37bf123d784 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -162,6 +162,7 @@ class GlobalPolicy < BasePolicy
 enable :read_admin_system_information
 enable :read_admin_users
 enable :read_admin_groups
+ enable :read_admin_projects
 enable :read_application_statistics
 end
diff --git a/app/validators/json_schemas/admin_role_permissions.json b/app/validators/json_schemas/admin_role_permissions.json
index c7876bfacb1b28..a1fd6f37f76eb0 100644
--- a/app/validators/json_schemas/admin_role_permissions.json
+++ b/app/validators/json_schemas/admin_role_permissions.json
@@ -18,6 +18,9 @@
 },
 "read_admin_groups": {
 "type": "boolean"
+ },
+ "read_admin_projects": {
+ "type": "boolean"
 }
 }
 }
diff --git a/app/validators/json_schemas/member_role_permissions.json b/app/validators/json_schemas/member_role_permissions.json
index d0bda29cacbc15..5e58612368b101 100644
--- a/app/validators/json_schemas/member_role_permissions.json
+++ b/app/validators/json_schemas/member_role_permissions.json
@@ -82,6 +82,9 @@
 "read_admin_groups": {
 "type": "boolean"
 },
+ "read_admin_projects": {
+ "type": "boolean"
+ },
 "read_code": {
 "type": "boolean"
 },
diff --git a/doc/api/graphql/reference/_index.md b/doc/api/graphql/reference/_index.md
index bfddd96fcc30a4..4d032b7842a283 100644
--- a/doc/api/graphql/reference/_index.md
+++ b/doc/api/graphql/reference/_index.md
@@ -46726,6 +46726,7 @@ Member role admin permission.
 | `READ_ADMIN_CICD` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read CI/CD details for runners and jobs in the Admin Area. |
 | `READ_ADMIN_GROUPS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read group details in the Admin Area. |
 | `READ_ADMIN_MONITORING` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
+| `READ_ADMIN_PROJECTS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 18.3. **Status**: Experiment. Read project details in the Admin Area. |
 | `READ_ADMIN_SUBSCRIPTION` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read subscription details in the Admin area. |
 | `READ_ADMIN_USERS` {{< icon name="warning-solid" >}} | **Introduced** in GitLab 17.9. **Status**: Experiment. Read the user list and user details in the Admin area. |
@@ -46759,6 +46760,7 @@ Member role permission.
 | `READ_ADMIN_CICD` | Read CI/CD details for runners and jobs in the Admin Area. |
 | `READ_ADMIN_GROUPS` | Read group details in the Admin Area. |
 | `READ_ADMIN_MONITORING` | Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. |
+| `READ_ADMIN_PROJECTS` | Read project details in the Admin Area. |
 | `READ_ADMIN_SUBSCRIPTION` | Read subscription details in the Admin area. |
 | `READ_ADMIN_USERS` | Read the user list and user details in the Admin area. |
 | `READ_CODE` | Allows read-only access to the source code in the user interface. Does not allow users to edit or download repository archives, clone or pull repositories, view source code in an IDE, or view merge requests for private projects. You can download individual files because read-only access inherently grants the ability to make a local copy of the file. |
diff --git a/doc/api/openapi/openapi_v2.yaml b/doc/api/openapi/openapi_v2.yaml
index 1743cb94cd729d..f3541903426058 100644
--- a/doc/api/openapi/openapi_v2.yaml
+++ b/doc/api/openapi/openapi_v2.yaml
@@ -48993,6 +48993,8 @@ definitions:
 type: boolean
 read_admin_groups:
 type: boolean
+ read_admin_projects:
+ type: boolean
 read_code:
 type: boolean
 read_runners:
diff --git a/doc/user/custom_roles/abilities.md b/doc/user/custom_roles/abilities.md
index 13dd5422354518..b32d7555c4a4aa 100644
--- a/doc/user/custom_roles/abilities.md
+++ b/doc/user/custom_roles/abilities.md
@@ -36,6 +36,7 @@ Any dependencies are noted in the `Description` column for each permission.
 |:-----------|:------------|:--------------|:------|:-----------|
 | View CI/CD | Read CI/CD details for runners and jobs in the Admin Area. | [`read_admin_cicd`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177233) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507960) |
 | View Groups | Read group details in the Admin Area. | [`read_admin_groups`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/534449) |
+| View Projects | Read project details in the Admin Area. | [`read_admin_projects`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777) | Instance | GitLab [18.3](https://gitlab.com/gitlab-org/gitlab/-/issues/534449) |
 | View subscription details | Read subscription details in the Admin area. | [`read_admin_subscription`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/178230) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507961) |
 | View system monitoring | Read system information such as background migrations, health checks, audit logs, and Gitaly in the Admin Area. | [`read_admin_monitoring`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/179439) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/507959) |
 | View users | Read the user list and user details in the Admin area. | [`read_admin_users`](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/177514) | Instance | GitLab [17.9](https://gitlab.com/gitlab-org/gitlab/-/issues/508782) |
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index dc1d084bef6d19..c91e7695a23d3c 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
@@ -126,6 +126,12 @@ module GlobalPolicy
 License.feature_available?(:remote_development)
 end
+ condition(:has_admin_custom_role) do
+ MemberRole.all_customizable_admin_permission_keys.any? do |ability|
+ custom_role_ability(@user).allowed?(ability)
+ end
+ end
+
 MemberRole.all_customizable_admin_permission_keys.each do |ability|
 desc "Admin custom role that enables #{ability.to_s.tr('_', ' ')}"
 condition(:"custom_role_enables_#{ability}") do
@@ -227,15 +233,16 @@ module GlobalPolicy
 enable :access_git
 end
- rule { custom_role_enables_read_admin_cicd }.policy do
+ rule { has_admin_custom_role }.policy do
 enable :access_admin_area
 enable :read_application_statistics
+ end
+
+ rule { custom_role_enables_read_admin_cicd }.policy do
 enable :read_admin_cicd
 end
 rule { custom_role_enables_read_admin_monitoring }.policy do
- enable :access_admin_area
- enable :read_application_statistics
 enable :read_admin_audit_log
 enable :read_admin_background_migrations
 enable :read_admin_gitaly_servers
@@ -244,25 +251,23 @@ module GlobalPolicy
 end
 rule { custom_role_enables_read_admin_subscription }.policy do
- enable :access_admin_area
- enable :read_application_statistics
 enable :read_admin_subscription
 enable :read_billable_member
 enable :read_licenses
 end
 rule { custom_role_enables_read_admin_users }.policy do
- enable :access_admin_area
- enable :read_application_statistics
 enable :read_admin_users
 end
 rule { custom_role_enables_read_admin_groups }.policy do
- enable :access_admin_area
- enable :read_application_statistics
 enable :read_admin_groups
 end
+ rule { custom_role_enables_read_admin_projects }.policy do
+ enable :read_admin_projects
+ end
+
 rule { admin & duo_core_features_available }.policy do
 enable :manage_duo_core_settings
 end
diff --git a/ee/config/custom_abilities/admin/read_admin_projects.yml b/ee/config/custom_abilities/admin/read_admin_projects.yml
new file mode 100644
index 00000000000000..ce3ef39173fc0e
--- /dev/null
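Review bot: The new `has_admin_custom_role` condition carries no `desc`, while the generated `custom_role_enables_*` conditions directly below it each declare one; adding `desc "User has a custom admin role that enables at least one admin permission"` above `condition(:has_admin_custom_role)` would document it the same way. The block calls `custom_role_ability(@user).allowed?(ability)` once per key in `MemberRole.all_customizable_admin_permission_keys`; the third patch in this series adds `scope: :user` to it, so the per-subject re-evaluation is already addressed and is not re-raised here. The enclosing `module GlobalPolicy` starts and ends outside the hunk.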
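Review bot: `rule { has_admin_custom_role }.policy do` now grants `access_admin_area` and `read_application_statistics` to any user whose custom role enables any key returned by `MemberRole.all_customizable_admin_permission_keys`, so every admin permission added to that list in future will confer Admin Area entry without an explicit rule. That appears to be the intent of the refactor, but it is a security-relevant invariant that the per-permission rules below (`read_admin_cicd`, `read_admin_monitoring`, and the `read_admin_projects` rule in the next hunk) now silently rely on, so it deserves a comment at the rule, e.g. `# Any customizable admin permission implies Admin Area access; the per-permission rules below only add their own abilities.` The `MemberRole` helper is not visible here, so whether the list can ever contain a non-admin key is inferred rather than verified.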
+++ b/ee/config/custom_abilities/admin/read_admin_projects.yml
@@ -0,0 +1,8 @@
+---
+title: View Projects
+name: read_admin_projects
+description: Read project details in the Admin Area.
+introduced_by_issue: https://gitlab.com/gitlab-org/gitlab/-/issues/534449
+introduced_by_mr: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197777
+feature_category: admin
+milestone: '18.3'
diff --git a/ee/spec/policies/global_policy_spec.rb b/ee/spec/policies/global_policy_spec.rb
index 0b070b5df34719..fc6fc36a2828af 100644
--- a/ee/spec/policies/global_policy_spec.rb
+++ b/ee/spec/policies/global_policy_spec.rb
@@ -925,6 +925,7 @@
 :read_admin_subscription | %i[read_admin_subscription read_billable_member read_licenses]
 :read_admin_users | %i[read_admin_users]
 :read_admin_groups | %i[read_admin_groups]
+ :read_admin_projects | %i[read_admin_projects]
 end
 with_them do
diff --git a/spec/policies/global_policy_spec.rb b/spec/policies/global_policy_spec.rb
index 48e9b9aee25a5a..42cb96a0491aa3 100644
--- a/spec/policies/global_policy_spec.rb
+++ b/spec/policies/global_policy_spec.rb
@@ -755,6 +755,7 @@
 :read_application_statistics,
 :read_admin_users,
 :read_admin_groups,
+ :read_admin_projects,
 :read_admin_audit_log,
 :read_admin_background_jobs,
 :read_admin_background_migrations,
-- 
GitLab
From 1ffe29c4744b037f4ae799838bd5274a068917ec Mon Sep 17 00:00:00 2001
From: Eugie Limpin
Date: Wed, 16 Jul 2025 16:10:40 +0800
Subject: [PATCH 3/3] Add scope to condition
---
ee/app/policies/ee/global_policy.rb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ee/app/policies/ee/global_policy.rb b/ee/app/policies/ee/global_policy.rb
index c91e7695a23d3c..783e4b2a9d4d20 100644
--- a/ee/app/policies/ee/global_policy.rb
+++ b/ee/app/policies/ee/global_policy.rb
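Review bot: The `where` table in the `custom permissions` context still lists only admin custom abilities, so after this patch's `has_admin_custom_role` refactor nothing asserts that a custom role enabling only a non-admin permission (the `member_role_permissions.json` schema touched in this patch also lists `read_code`, for example) is disallowed `access_admin_area` and `read_application_statistics`. A negative example next to the table — one user whose custom role enables a single non-admin permission, asserted `be_disallowed(:access_admin_area, :read_application_statistics)` — would pin the boundary the shared rule now depends on. How the custom role is built for the table rows is not visible in this hunk, so the setup belongs with the `with_them` block, which continues outside the hunk.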
@@ -126,7 +126,7 @@ module GlobalPolicy
 License.feature_available?(:remote_development)
 end
- condition(:has_admin_custom_role) do
+ condition(:has_admin_custom_role, scope: :user) do
 MemberRole.all_customizable_admin_permission_keys.any? do |ability|
 custom_role_ability(@user).allowed?(ability)
 end
-- 
GitLab
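Review bot: `scope: :user` lets the `has_admin_custom_role` result be cached per user across every subject the policy is evaluated against, which is only sound if `custom_role_ability(@user)` itself ignores the subject; that helper is not shown in the hunk, so a one-line comment recording the assumption would help the next reader, e.g. `# Depends on @user only, so the result is safe to cache per user.` The commit message "Add scope to condition" says what changed but not why; stating the caching rationale there too would make the history self-explanatory. The `condition` block's own closing `end` and the enclosing `module GlobalPolicy` continue outside the hunk.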