Add min_access_level filter to groups API

Signed-off-by: Marko, Peter <peter.marko@siemens.com>

app/finders/groups_finder.rb

@@ -8,6 +8,7 @@
 #     owned: boolean
 #     parent: Group
 #     all_available: boolean (defaults to true)
+#     min_access_level: integer
 #
 # Users with full private access can see all groups. The `owned` and `parent`
 # params can be used to restrict the groups that are returned.
@@ -39,6 +40,7 @@ class GroupsFinder < UnionFinder
 
   def all_groups
     return [owned_groups] if params[:owned]
+    return [groups_with_min_access_level] if min_access_level?
     return [Group.all] if current_user&.full_private_access? && all_available?
 
     groups = []
@@ -56,6 +58,16 @@ class GroupsFinder < UnionFinder
     current_user.groups
   end
 
+  def groups_with_min_access_level
+    groups = current_user
+      .groups
+      .where('members.access_level >= ?', params[:min_access_level])
+
+    Gitlab::GroupHierarchy
+      .new(groups)
+      .base_and_descendants
+  end
+
   def by_parent(groups)
     return groups unless params[:parent]
 
@@ -73,4 +85,8 @@ class GroupsFinder < UnionFinder
   def all_available?
     params.fetch(:all_available, true)
   end
+
+  def min_access_level?
+    current_user && params[:min_access_level].present?
+  end
 end

doc/api/groups.md

@@ -10,13 +10,14 @@ Parameters:
 | Attribute | Type | Required | Description |
 | --------- | ---- | -------- | ----------- |
 | `skip_groups` | array of integers | no | Skip the group IDs passed |
-| `all_available` | boolean | no | Show all the groups you have access to (defaults to `false` for authenticated users, `true` for admin) |
+| `all_available` | boolean | no | Show all the groups you have access to (defaults to `false` for authenticated users, `true` for admin); Attributes `owned` and `min_access_level` have precedence |
 | `search` | string | no | Return the list of authorized groups matching the search criteria |
 | `order_by` | string | no | Order groups by `name`, `path` or `id`. Default is `name` |
 | `sort` | string | no | Order groups in `asc` or `desc` order. Default is `asc` |
 | `statistics` | boolean | no | Include group statistics (admins only) |
 | `with_custom_attributes` | boolean | no | Include [custom attributes](custom_attributes.md) in response (admins only) |
-| `owned` | boolean | no | Limit to groups owned by the current user |
+| `owned` | boolean | no | Limit to groups explicitly owned by the current user |
+| `min_access_level` | integer | no | Limit to groups where current user has at least this [access level](members.md) |
 
 ```
 GET /groups
@@ -94,13 +95,14 @@ Parameters:
 | --------- | ---- | -------- | ----------- |
 | `id` | integer/string | yes | The ID or [URL-encoded path of the group](README.md#namespaced-path-encoding) of the parent group |
 | `skip_groups` | array of integers | no | Skip the group IDs passed |
-| `all_available` | boolean | no | Show all the groups you have access to (defaults to `false` for authenticated users, `true` for admin) |
+| `all_available` | boolean | no | Show all the groups you have access to (defaults to `false` for authenticated users, `true` for admin); Attributes `owned` and `min_access_level` have precedence |
 | `search` | string | no | Return the list of authorized groups matching the search criteria |
 | `order_by` | string | no | Order groups by `name`, `path` or `id`. Default is `name` |
 | `sort` | string | no | Order groups in `asc` or `desc` order. Default is `asc` |
 | `statistics` | boolean | no | Include group statistics (admins only) |
 | `with_custom_attributes` | boolean | no | Include [custom attributes](custom_attributes.md) in response (admins only) |
-| `owned` | boolean | no | Limit to groups owned by the current user |
+| `owned` | boolean | no | Limit to groups explicitly owned by the current user |
+| `min_access_level` | integer | no | Limit to groups where current user has at least this [access level](members.md) |
 
 ```
 GET /groups/:id/subgroups

lib/api/groups.rb

@@ -34,11 +34,12 @@ module API
         optional :owned, type: Boolean, default: false, desc: 'Limit by owned by authenticated user'
         optional :order_by, type: String, values: %w[name path id], default: 'name', desc: 'Order by name, path or id'
         optional :sort, type: String, values: %w[asc desc], default: 'asc', desc: 'Sort by asc (ascending) or desc (descending)'
+        optional :min_access_level, type: Integer, values: Gitlab::Access.all_values, desc: 'Minimum access level of authenticated user'
         use :pagination
       end
 
       def find_groups(params, parent_id = nil)
-        find_params = params.slice(:all_available, :custom_attributes, :owned)
+        find_params = params.slice(:all_available, :custom_attributes, :owned, :min_access_level)
         find_params[:parent] = find_group!(parent_id) if parent_id
         find_params[:all_available] =
           find_params.fetch(:all_available, current_user&.full_private_access?)

spec/requests/api/groups_spec.rb

@@ -226,6 +226,25 @@ describe API::Groups do
         expect(json_response.first['name']).to eq(group2.name)
       end
     end
+
+    context 'when using min_access_level in the request' do
+      let!(:group3) { create(:group, :private) }
+      let(:response_groups) { json_response.map { |group| group['id'] } }
+
+      before do
+        group1.add_developer(user2)
+        group3.add_master(user2)
+      end
+
+      it 'returns an array of groups the user has at least master access' do
+        get api('/groups', user2), min_access_level: 40
+
+        expect(response).to have_gitlab_http_status(200)
+        expect(response).to include_pagination_headers
+        expect(json_response).to be_an Array
+        expect(response_groups).to eq([group2.id, group3.id])
+      end
+    end
   end
 
   describe "GET /groups/:id" do