Merge branch 'patch-269' into 'master'

Clarify that external users cannot access all internal

See merge request gitlab-org/gitlab!46087

app/assets/javascripts/groups/constants.js

@@ -31,14 +31,16 @@ export const GROUP_VISIBILITY_TYPE = {
     'Public - The group and any public projects can be viewed without any authentication.',
   ),
   internal: __(
-    'Internal - The group and any internal projects can be viewed by any logged in user.',
+    'Internal - The group and any internal projects can be viewed by any logged in user except external users.',
   ),
   private: __('Private - The group and its projects can only be viewed by members.'),
 };
 
 export const PROJECT_VISIBILITY_TYPE = {
   public: __('Public - The project can be accessed without any authentication.'),
-  internal: __('Internal - The project can be accessed by any logged in user.'),
+  internal: __(
+    'Internal - The project can be accessed by any logged in user except external users.',
+  ),
   private: __(
     'Private - Project access must be granted explicitly to each user. If this project is part of a group, access will be granted to members of the group.',
   ),

app/assets/javascripts/snippets/components/snippet_header.vue

@@ -120,7 +120,7 @@ export default {
             ? __('The snippet is visible only to project members.')
             : __('The snippet is visible only to me.');
         case 'internal':
-          return __('The snippet is visible to any logged in user.');
+          return __('The snippet is visible to any logged in user except external users.');
         default:
           return __('The snippet can be accessed without any authentication.');
       }

app/assets/javascripts/snippets/constants.js

@@ -14,7 +14,7 @@ export const SNIPPET_VISIBILITY = {
   [SNIPPET_VISIBILITY_INTERNAL]: {
     label: __('Internal'),
     icon: 'shield',
-    description: __('The snippet is visible to any logged in user.'),
+    description: __('The snippet is visible to any logged in user except external users.'),
   },
   [SNIPPET_VISIBILITY_PUBLIC]: {
     label: __('Public'),

app/helpers/visibility_level_helper.rb

@@ -31,7 +31,7 @@ module VisibilityLevelHelper
     when Gitlab::VisibilityLevel::PRIVATE
       _("Project access must be granted explicitly to each user. If this project is part of a group, access will be granted to members of the group.")
     when Gitlab::VisibilityLevel::INTERNAL
-      _("The project can be accessed by any logged in user.")
+      _("The project can be accessed by any logged in user except external users.")
     when Gitlab::VisibilityLevel::PUBLIC
       _("The project can be accessed without any authentication.")
     end
@@ -42,7 +42,7 @@ module VisibilityLevelHelper
     when Gitlab::VisibilityLevel::PRIVATE
       _("The group and its projects can only be viewed by members.")
     when Gitlab::VisibilityLevel::INTERNAL
-      _("The group and any internal projects can be viewed by any logged in user.")
+      _("The group and any internal projects can be viewed by any logged in user except external users.")
     when Gitlab::VisibilityLevel::PUBLIC
       _("The group and any public projects can be viewed without any authentication.")
     end

app/views/projects/settings/ci_cd/_form.html.haml

@@ -72,7 +72,7 @@
                 %li
                   = _("For public projects, anyone can view pipelines and access job details (output logs and artifacts)")
                 %li
-                  = _("For internal projects, any logged in user can view pipelines and access job details (output logs and artifacts)")
+                  = _("For internal projects, any logged in user except external users can view pipelines and access job details (output logs and artifacts)")
                 %li
                   = _("For private projects, any member (guest or higher) can view pipelines and access job details (output logs and artifacts)")
               %p

changelogs/unreleased/46087.yml

+---
+title: Clarify that external users cannot access all internal projects, groups, and snippets
+merge_request: 46087
+author: Ben Bodenmiller (@bbodenmiller)
+type: other

doc/api/project_snippets.md

@@ -17,7 +17,7 @@ Constants for snippet visibility levels are:
 | visibility | Description |
 | ---------- | ----------- |
 | `private`  | The snippet is visible only the snippet creator |
-| `internal` | The snippet is visible for any logged in user |
+| `internal` | The snippet is visible for any logged in user except [external users](../user/permissions.md#external-users) |
 | `public`   | The snippet can be accessed without any authentication |
 
 NOTE: **Note:**

doc/api/projects.md

@@ -16,7 +16,7 @@ Values for the project visibility level are:
 - `private`:
   Project access must be granted explicitly for each user.
 - `internal`:
-  The project can be cloned by any logged in user.
+  The project can be cloned by any logged in user except [external users](../user/permissions.md#external-users).
 - `public`:
   The project can be accessed without any authentication.
 

doc/api/snippets.md

@@ -21,7 +21,7 @@ Valid values for snippet visibility levels are:
 | Visibility | Description                                         |
 |:-----------|:----------------------------------------------------|
 | `private`  | Snippet is visible only to the snippet creator.     |
-| `internal` | Snippet is visible for any logged in user.          |
+| `internal` | Snippet is visible for any logged in user except [external users](../user/permissions.md#external-users).          |
 | `public`   | Snippet can be accessed without any authentication. |
 
 ## List all snippets for a user

doc/ci/pipelines/settings.md

@@ -183,7 +183,7 @@ Job logs and artifacts are [not visible for guest users and non-project members]
 If **Public pipelines** is enabled (default):
 
 - For **public** projects, anyone can view the pipelines and related features.
-- For **internal** projects, any logged in user can view the pipelines
+- For **internal** projects, any logged in user except [external users](../../user/permissions.md#external-users) can view the pipelines
   and related features.
 - For **private** projects, any project member (guest or higher) can view the pipelines
   and related features.
@@ -192,7 +192,7 @@ If **Public pipelines** is disabled:
 
 - For **public** projects, anyone can view the pipelines, but only members
   (reporter or higher) can access the related features.
-- For **internal** projects, any logged in user can view the pipelines.
+- For **internal** projects, any logged in user except [external users](../../user/permissions.md#external-users) can view the pipelines.
   However, only members (reporter or higher) can access the job related features.
 - For **private** projects, only project members (reporter or higher)
   can view the pipelines or access the related features.

doc/public_access/public_access.md

@@ -21,12 +21,12 @@ on the repository.
 
 ### Internal projects
 
-Internal projects can be cloned by any logged in user.
+Internal projects can be cloned by any logged in user except [external users](../user/permissions.md#external-users).
 
 They will also be listed in the public access directory (`/public`), but only for logged
 in users.
 
-Any logged in user will have [Guest permissions](../user/permissions.md)
+Any logged in user except [external users](../user/permissions.md#external-users) will have [Guest permissions](../user/permissions.md)
 on the repository.
 
 NOTE: **Note:**

doc/user/permissions.md

@@ -314,6 +314,10 @@ External users:
 - Can only access public projects and projects to which they are explicitly granted access,
   thus hiding all other internal or private ones from them (like being
   logged out).
+- Can only access public groups and groups to which they are explicitly granted access,
+  thus hiding all other internal or private ones from them (like being
+  logged out).
+- Can only access public snippets.
 
 Access can be granted by adding the user as member to the project or group.
 Like usual users, they receive a role in the project or group with all

ee/spec/helpers/ee/registrations_helper_spec.rb

@@ -101,7 +101,7 @@ RSpec.describe EE::RegistrationsHelper do
     it 'returns the desired mapping' do
       expect(helper.visibility_level_options).to eq [
         { level: 0, label: 'Private', description: 'The group and its projects can only be viewed by members.' },
-        { level: 10, label: 'Internal', description: 'The group and any internal projects can be viewed by any logged in user.' },
+        { level: 10, label: 'Internal', description: 'The group and any internal projects can be viewed by any logged in user except external users.' },
         { level: 20, label: 'Public', description: 'The group and any public projects can be viewed without any authentication.' }
       ]
     end

locale/gitlab.pot

@@ -11783,7 +11783,7 @@ msgstr ""
 msgid "For help setting up the Service Desk for your instance, please contact an administrator."
 msgstr ""
 
-msgid "For internal projects, any logged in user can view pipelines and access job details (output logs and artifacts)"
+msgid "For internal projects, any logged in user except external users can view pipelines and access job details (output logs and artifacts)"
 msgstr ""
 
 msgid "For more info, read the documentation."
@@ -14418,10 +14418,10 @@ msgstr ""
 msgid "Internal"
 msgstr ""
 
-msgid "Internal - The group and any internal projects can be viewed by any logged in user."
+msgid "Internal - The group and any internal projects can be viewed by any logged in user except external users."
 msgstr ""
 
-msgid "Internal - The project can be accessed by any logged in user."
+msgid "Internal - The project can be accessed by any logged in user except external users."
 msgstr ""
 
 msgid "Internal URL (optional)"
@@ -26477,7 +26477,7 @@ msgstr ""
 msgid "The global settings require you to enable Two-Factor Authentication for your account."
 msgstr ""
 
-msgid "The group and any internal projects can be viewed by any logged in user."
+msgid "The group and any internal projects can be viewed by any logged in user except external users."
 msgstr ""
 
 msgid "The group and any public projects can be viewed without any authentication."
@@ -26588,7 +26588,7 @@ msgstr ""
 msgid "The private key to use when a client certificate is provided. This value is encrypted at rest."
 msgstr ""
 
-msgid "The project can be accessed by any logged in user."
+msgid "The project can be accessed by any logged in user except external users."
 msgstr ""
 
 msgid "The project can be accessed by any user who is logged in."
@@ -26663,7 +26663,7 @@ msgstr ""
 msgid "The snippet is visible only to project members."
 msgstr ""
 
-msgid "The snippet is visible to any logged in user."
+msgid "The snippet is visible to any logged in user except external users."
 msgstr ""
 
 msgid "The specified tab is invalid, please select another"

spec/frontend/groups/mock_data.js

@@ -7,13 +7,14 @@ export const ITEM_TYPE = {
 
 export const GROUP_VISIBILITY_TYPE = {
   public: 'Public - The group and any public projects can be viewed without any authentication.',
-  internal: 'Internal - The group and any internal projects can be viewed by any logged in user.',
+  internal:
+    'Internal - The group and any internal projects can be viewed by any logged in user except external users.',
   private: 'Private - The group and its projects can only be viewed by members.',
 };
 
 export const PROJECT_VISIBILITY_TYPE = {
   public: 'Public - The project can be accessed without any authentication.',
-  internal: 'Internal - The project can be accessed by any logged in user.',
+  internal: 'Internal - The project can be accessed by any logged in user except external users.',
   private:
     'Private - Project access must be granted explicitly to each user. If this project is part of a group, access will be granted to members of the group.',
 };