Ayush Billore (7287cec6) at 17 Mar 13:07

Ayush Billore (46af61ea) at 17 Mar 13:07

Ayush Billore (23342201) at 17 Mar 12:39

@mmacrae-bovell Could you please do backend review here?

@mmacrae-bovell Could you please do backend review here?

Done!

What does this MR do and why?

This change decouples the archived state from deletion scheduling as part of moving to a state machine model where projects can be in one state (archived OR deletion_scheduled) rather than both.

References

https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/group_and_project_operations_and_state_management/

How to set up and validate locally

1. Schedule a project for deletion by going to Settings -> General -> Advanced and clicking Delete.
2. Check the archived state of the project in the Rails console: project.archived, it should be false.

MR acceptance checklist

Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Related to #588699

Closing as this is out-of-scope based on the sheet.

Closing as this is out-of-scope based on the sheet.

Relates to #590667

Changes

This MR implements granular personal access token (PAT) decorators for the Organizations API endpoint.

Files Created

1. Permission Configuration Files:

   • config/authz/permissions/organization/_metadata.yml - Feature category metadata
   • config/authz/permissions/organization/create.yml - Permission definition for create_organization

2. Assignable Permission Group Files:

   • config/authz/permission_groups/assignable_permissions/organizations/organization/_metadata.yml - Resource metadata
   • config/authz/permission_groups/assignable_permissions/organizations/organization/create.yml - Assignable permission group with instance boundary

Files Modified

3. API Endpoint (lib/api/organizations.rb):

   • Added route_setting :authorization, permissions: :create_organization, boundary_type: :instance decorator before the POST endpoint
   • Enables granular token permission checking for the organization creation endpoint

4. Test Coverage (spec/requests/api/organizations_spec.rb):

   • Added it_behaves_like 'authorizing granular token permissions', :create_organization test block
   • Configured with boundary_object: :instance and appropriate request definition
   • Test properly placed within the "when user is authorized" context

Implementation Details

• Permission Name: create_organization (following GitLab's singular form convention)
• Boundary Type: instance (organization creation is an instance-level operation)
• Feature Category: organization (matching the API file's feature_category)

The implementation follows GitLab's authorization patterns and conventions, ensuring that the POST /organizations endpoint now properly enforces granular personal access token permissions.

Ayush Billore (368f93a7) at 17 Mar 11:03

Ayush Billore (edd6d317) at 17 Mar 10:43

Ayush Billore (4b23955a) at 17 Mar 10:34

... and 2171 more commits

Done Alex. I was thinking more from the POV of running compile docs but life is much simpler :)

Ayush Billore (cf780e1d) at 17 Mar 09:57

One issue though the docs will be outdated if we dont run compile docs after making this change. Is that a way around that from UI?

Didn’t know about that button until now 😅 I’d already made the commit, but thanks — I’ve used it now! Was this always there even before DAP, DUO?

Ayush Billore (2f69f0d8) at 17 Mar 09:50

On it 👍