Merge branch '415524-adjust-admin-group-visibility-settings-on-saas' into 'master'

Validation to prevent default project, group visibility being restricted See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649 Merged-by: Thong Kuah <tkuah@gitlab.com> Approved-by: Thong Kuah <tkuah@gitlab.com> Reviewed-by: Doug Stull <dstull@gitlab.com> Co-authored-by: rliu-int <rliu-int@gitlab.com>

Merge branch '415524-adjust-admin-group-visibility-settings-on-saas' into 'master'
2d3cdde2 · Thong Kuah · f3609f7f · ac7564c3 · 2d3cdde2 · 2d3cdde2
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -499,6 +499,10 @@ def self.kroki_formats_attributes
    end
  end
+  validates :default_project_visibility, :default_group_visibility,
+    exclusion: { in: :restricted_visibility_levels, message: "cannot be set to a restricted visibility level" },
+    if: :should_prevent_visibility_restriction?
  validates_each :import_sources do |record, attr, value|
    value&.each do |source|
      unless Gitlab::ImportSources.options.value?(source)
@@ -952,6 +956,13 @@ def validate_url(parsed_url, name, error_message)
  def reset_deletion_warning_redis_key
    Gitlab::InactiveProjectsDeletionWarningTracker.reset_all
  end
+  def should_prevent_visibility_restriction?
+    Feature.enabled?(:prevent_visibility_restriction) &&
+      (default_project_visibility_changed? ||
+        default_group_visibility_changed? ||
+        restricted_visibility_levels_changed?)
+  end
 end
 ApplicationSetting.prepend(ApplicationSettingMaskedAttrs)

--- a/config/feature_flags/development/prevent_visibility_restriction.yml
+++ b/config/feature_flags/development/prevent_visibility_restriction.yml
+---
+name: prevent_visibility_restriction
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/124649
+rollout_issue_url:
+milestone: '16.3'
+type: development
+group: group::acquisition
+default_enabled: false
--- a/spec/features/projects/new_project_spec.rb
+++ b/spec/features/projects/new_project_spec.rb
@@ -46,7 +46,8 @@
    end
    it 'shows a message if multiple levels are restricted' do
-      Gitlab::CurrentSettings.update!(
+      stub_application_setting(default_project_visibility: Gitlab::VisibilityLevel::PUBLIC)
+      stub_application_setting(
        restricted_visibility_levels: [Gitlab::VisibilityLevel::PRIVATE, Gitlab::VisibilityLevel::INTERNAL]
      )
@@ -56,15 +57,21 @@
      expect(page).to have_content 'Other visibility settings have been disabled by the administrator.'
    end
-    it 'shows a message if all levels are restricted' do
+    context 'with prevent_visibility_restriction feature flag off' do
-      Gitlab::CurrentSettings.update!(
+      before do
-        restricted_visibility_levels: Gitlab::VisibilityLevel.values
+        stub_feature_flags(prevent_visibility_restriction: false)
-      )
+      end
-      visit new_project_path
+      it 'shows a message if all levels are restricted' do
-      click_link 'Create blank project'
+        Gitlab::CurrentSettings.update!(
+          restricted_visibility_levels: Gitlab::VisibilityLevel.values
+        )
-      expect(page).to have_content 'Visibility settings have been disabled by the administrator.'
+        visit new_project_path
+        click_link 'Create blank project'
+        expect(page).to have_content 'Visibility settings have been disabled by the administrator.'
+      end
    end
  end

--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -1272,6 +1272,37 @@ def expect_invalid
        it { is_expected.to allow_value({ name: value }).for(:default_branch_protection_defaults) }
      end
    end
+    context 'default_project_visibility, default_group_visibility and restricted_visibility_levels validations' do
+      before do
+        subject.restricted_visibility_levels = [10]
+      end
+      it { is_expected.not_to allow_value(10).for(:default_group_visibility) }
+      it { is_expected.not_to allow_value(10).for(:default_project_visibility) }
+      it { is_expected.to allow_value(20).for(:default_group_visibility) }
+      it { is_expected.to allow_value(20).for(:default_project_visibility) }
+      it 'sets error messages when default visibility settings are not valid' do
+        subject.default_group_visibility = 10
+        subject.default_project_visibility = 10
+        expect(subject).not_to be_valid
+        expect(subject.errors.messages[:default_group_visibility].first).to eq("cannot be set to a restricted visibility level")
+        expect(subject.errors.messages[:default_project_visibility].first).to eq("cannot be set to a restricted visibility level")
+      end
+      context 'when prevent_visibility_restriction FF is disabled' do
+        before do
+          stub_feature_flags(prevent_visibility_restriction: false)
+        end
+        it { is_expected.to allow_value(10).for(:default_group_visibility) }
+        it { is_expected.to allow_value(10).for(:default_project_visibility) }
+        it { is_expected.to allow_value(20).for(:default_group_visibility) }
+        it { is_expected.to allow_value(20).for(:default_project_visibility) }
+      end
+    end
  end
  context 'restrict creating duplicates' do