Rename to minimal access

From unassigned, in all related files

fix

Add cr remarks

Start with new concept

Update scope per maintainer recommendation

app/controllers/admin/groups_controller.rb

@@ -83,7 +83,7 @@ class Admin::GroupsController < Admin::ApplicationController
   end
 
   def group_members
-    @group.members.non_unassigned
+    @group.members
   end
 
   def group_params

app/finders/group_members_finder.rb

@@ -19,7 +19,7 @@ class GroupMembersFinder < UnionFinder
 
   # rubocop: disable CodeReuse/ActiveRecord
   def execute(include_relations: [:inherited, :direct])
-    group_members = group.members.non_unassigned
+    group_members = group.members
     relations = []
 
     return group_members if include_relations == [:direct]
@@ -27,7 +27,7 @@ class GroupMembersFinder < UnionFinder
     relations << group_members if include_relations.include?(:direct)
 
     if include_relations.include?(:inherited) && group.parent
-      parents_members = GroupMember.non_request.non_unassigned
+      parents_members = GroupMember.non_request.non_minimal_access
         .where(source_id: group.ancestors.select(:id))
         .where.not(user_id: group.users.select(:id))
 
@@ -35,7 +35,7 @@ class GroupMembersFinder < UnionFinder
     end
 
     if include_relations.include?(:descendants)
-      descendant_members = GroupMember.non_request.non_unassigned
+      descendant_members = GroupMember.non_request.non_minimal_access
         .where(source_id: group.descendants.select(:id))
         .where.not(user_id: group.users.select(:id))
 

app/finders/members_finder.rb

@@ -63,7 +63,7 @@ class MembersFinder
   def direct_group_members(include_descendants)
     requested_relations = [:inherited, :direct]
     requested_relations << :descendants if include_descendants
-    GroupMembersFinder.new(group).execute(include_relations: requested_relations).non_invite.non_unassigned # rubocop: disable CodeReuse/Finder
+    GroupMembersFinder.new(group).execute(include_relations: requested_relations).non_invite.non_minimal_access # rubocop: disable CodeReuse/Finder
   end
 
   def project_invited_groups_members
@@ -73,7 +73,7 @@ class MembersFinder
       .public_or_visible_to_user(current_user)
       .select(:id)
 
-    GroupMember.with_source_id(invited_groups_ids_including_ancestors).non_unassigned
+    GroupMember.with_source_id(invited_groups_ids_including_ancestors).non_minimal_access
   end
 
   def distinct_union_of_members(union_members)

app/models/concerns/loaded_in_group_list.rb

@@ -54,7 +54,7 @@ module LoadedInGroupList
         .where(members[:source_type].eq(Namespace.name))
         .where(members[:source_id].eq(namespaces[:id]))
         .where(members[:requested_at].eq(nil))
-        .where(members[:access_level].gt(Gitlab::Access::UNASSIGNED))
+        .where(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
     end
   end
 
@@ -71,7 +71,7 @@ module LoadedInGroupList
   end
 
   def member_count
-    @member_count ||= try(:preloaded_member_count) || full_access_members.count
+    @member_count ||= try(:preloaded_member_count) || members.count
   end
 end
 

app/models/group.rb

@@ -20,9 +20,9 @@ class Group < Namespace
 
   UpdateSharedRunnersError = Class.new(StandardError)
 
-  has_many :group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
+  has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
+  has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent
   alias_method :members, :group_members
-  has_many :full_access_members, -> { where(requested_at: nil).where.not(access_level: Gitlab::Access::UNASSIGNED) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
 
   has_many :users, through: :group_members
   has_many :owners,
@@ -270,7 +270,7 @@ class Group < Namespace
     add_user(user, :owner, current_user: current_user)
   end
 
-  def member?(user, min_access_level = Gitlab::Access::UNASSIGNED)
+  def member?(user, min_access_level = Gitlab::Access::GUEST)
     return false unless user
 
     max_member_access_for_user(user) >= min_access_level
@@ -328,7 +328,7 @@ class Group < Namespace
   # rubocop: enable CodeReuse/ServiceClass
 
   def user_ids_for_project_authorizations
-    members_with_parents.non_unassigned.pluck(:user_id)
+    members_with_parents.pluck(:user_id)
   end
 
   def self_and_ancestors_ids
@@ -347,6 +347,7 @@ class Group < Namespace
       end
 
     group_hierarchy_members = GroupMember.active_without_invites_and_requests
+                                         .non_minimal_access
                                          .where(source_id: source_ids)
 
     GroupMember.from_union([group_hierarchy_members,
@@ -354,7 +355,7 @@ class Group < Namespace
   end
 
   def members_from_self_and_ancestors_with_effective_access_level
-    members_with_parents.non_unassigned.select([:user_id, 'MAX(access_level) AS access_level'])
+    members_with_parents.select([:user_id, 'MAX(access_level) AS access_level'])
                         .group(:user_id)
   end
 
@@ -398,7 +399,7 @@ class Group < Namespace
   end
 
   def users_count
-    members.non_unassigned.count
+    members.count
   end
 
   # Returns all users that are members of projects

app/models/member.rb

@@ -84,7 +84,7 @@ class Member < ApplicationRecord
   scope :developers, -> { active.where(access_level: DEVELOPER) }
   scope :maintainers, -> { active.where(access_level: MAINTAINER) }
   scope :non_guests, -> { where('members.access_level > ?', GUEST) }
-  scope :non_unassigned, -> { where('members.access_level > ?', UNASSIGNED) }
+  scope :non_minimal_access, -> { where('members.access_level > ?', MINIMAL_ACCESS) }
   scope :owners, -> { active.where(access_level: OWNER) }
   scope :owners_and_maintainers, -> { active.where(access_level: [OWNER, MAINTAINER]) }
   scope :with_user, -> (user) { where(user: user) }

ee/app/models/ee/group.rb

@@ -401,8 +401,17 @@ module EE
       root_ancestor.saml_provider&.prohibited_outer_forks?
     end
 
-    def unassigned_role_allowed?
-      feature_available?(:unassigned_role) && !has_parent?
+    def minimal_access_role_allowed?
+      feature_available?(:minimal_access_role) && !has_parent?
+    end
+
+    override :member?
+    def member?(user, min_access_level = minimal_member_access_level)
+      super
+    end
+
+    def minimal_member_access_level
+      minimal_access_role_allowed? ? ::Gitlab::Access::MINIMAL_ACCESS : ::Gitlab::Access::GUEST
     end
 
     private

ee/app/models/ee/user.rb

@@ -44,8 +44,8 @@ module EE
       has_many :approvals,                dependent: :destroy # rubocop: disable Cop/ActiveRecordDependent
       has_many :approvers,                dependent: :destroy # rubocop: disable Cop/ActiveRecordDependent
 
-      has_many :unassigned_group_members, -> { where(access_level: [Gitlab::Access::UNASSIGNED]) }, source: 'GroupMember', class_name: 'GroupMember'
-      has_many :unassigned_groups, through: :unassigned_group_members, source: :group
+      has_many :minimal_access_group_members, -> { where(access_level: [Gitlab::Access::MINIMAL_ACCESS]) }, source: 'GroupMember', class_name: 'GroupMember'
+      has_many :minimal_access_groups, through: :minimal_access_group_members, source: :group
 
       has_many :users_ops_dashboard_projects
       has_many :ops_dashboard_projects, through: :users_ops_dashboard_projects, source: :project

ee/app/models/license.rb

@@ -108,7 +108,7 @@ class License < ApplicationRecord
     smartcard_auth
     group_timelogs
     type_of_work_analytics
-    unassigned_role
+    minimal_access_role
     unprotection_restrictions
     ci_project_subscriptions
   ]

ee/lib/ee/gitlab/access.rb

@@ -16,9 +16,9 @@ module EE
           @vulnerability_access_levels ||= options_with_owner.except('Guest')
         end
 
-        def options_with_unassigned
+        def options_with_minimal_access
           options_with_owner.merge(
-            "Unassigned" => ::Gitlab::Access::UNASSIGNED
+            "Minimal Access" => ::Gitlab::Access::MINIMAL_ACCESS
           )
         end
       end

ee/spec/models/group_spec.rb

@@ -668,12 +668,12 @@ RSpec.describe Group do
     end
   end
 
-  describe '#unassigned_role_allowed?' do
-    subject { group.unassigned_role_allowed? }
+  describe '#minimal_access_role_allowed?' do
+    subject { group.minimal_access_role_allowed? }
 
     context 'licensed' do
       before do
-        stub_licensed_features(unassigned_role: true)
+        stub_licensed_features(minimal_access_role: true)
       end
 
       it 'returns true for licensed instance' do
@@ -681,13 +681,13 @@ RSpec.describe Group do
       end
 
       it 'returns false for subgroup in licensed instance' do
-        expect(create(:group, parent: group).unassigned_role_allowed?).to be false
+        expect(create(:group, parent: group).minimal_access_role_allowed?).to be false
       end
     end
 
     context 'unlicensed' do
       before do
-        stub_licensed_features(unassigned_role: false)
+        stub_licensed_features(minimal_access_role: false)
       end
 
       it 'returns false unlicensed instance' do
@@ -696,6 +696,43 @@ RSpec.describe Group do
     end
   end
 
+  describe '#member?' do
+    subject { group.member?(user) }
+
+    let(:group) { create(:group) }
+    let(:user) { create(:user) }
+
+    context 'with `minimal_access_role` not licensed' do
+      before do
+        stub_licensed_features(minimal_access_role: false)
+        create(:group_member, :minimal_access, user: user, group: group)
+      end
+
+      it { is_expected.to be_falsey }
+    end
+
+    context 'with `minimal_access_role` licensed' do
+      before do
+        stub_licensed_features(minimal_access_role: true)
+        create(:group_member, :minimal_access, user: user, group: group)
+      end
+
+      context 'when group is a subgroup' do
+        let(:group) { create(:group, parent: create(:group)) }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'when group is a top-level group' do
+        it { is_expected.to be_truthy }
+
+        it 'accepts higher level as argument' do
+          expect(group.member?(user, ::Gitlab::Access::DEVELOPER)).to be_falsey
+        end
+      end
+    end
+  end
+
   describe '#saml_discovery_token' do
     it 'returns existing tokens' do
       group = create(:group, saml_discovery_token: 'existing')

lib/gitlab/access.rb

@@ -10,7 +10,7 @@ module Gitlab
     AccessDeniedError = Class.new(StandardError)
 
     NO_ACCESS      = 0
-    UNASSIGNED     = 5
+    MINIMAL_ACCESS = 5
     GUEST          = 10
     REPORTER       = 20
     DEVELOPER      = 30

lib/gitlab/project_authorizations.rb

@@ -99,7 +99,7 @@ module Gitlab
         .and(members[:source_type].eq('Namespace'))
         .and(members[:requested_at].eq(nil))
         .and(members[:user_id].eq(user.id))
-        .and(members[:access_level].gt(Gitlab::Access::UNASSIGNED))
+        .and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
 
       Arel::Nodes::OuterJoin.new(members, Arel::Nodes::On.new(cond))
     end
@@ -120,7 +120,7 @@ module Gitlab
                     .and(members[:source_type].eq('Namespace'))
                     .and(members[:requested_at].eq(nil))
                     .and(members[:user_id].eq(user.id))
-                    .and(members[:access_level].gt(Gitlab::Access::UNASSIGNED))
+                    .and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
       Arel::Nodes::InnerJoin.new(members, Arel::Nodes::On.new(cond))
     end
 

spec/factories/group_members.rb

@@ -29,10 +29,10 @@ FactoryBot.define do
       after(:build) { |group_member, _| group_member.user.block! }
     end
 
-    trait :unassigned do
+    trait :minimal_access do
       to_create { |instance| instance.save!(validate: false) }
 
-      access_level { GroupMember::UNASSIGNED }
+      access_level { GroupMember::MINIMAL_ACCESS }
     end
   end
 end

spec/finders/group_members_finder_spec.rb

@@ -16,7 +16,7 @@ RSpec.describe GroupMembersFinder, '#execute' do
     member1 = group.add_maintainer(user1)
     member2 = group.add_maintainer(user2)
     member3 = group.add_maintainer(user3)
-    create(:group_member, :unassigned, user: create(:user), group: group)
+    create(:group_member, :minimal_access, user: create(:user), group: group)
 
     result = described_class.new(group).execute
 

spec/finders/groups_finder_spec.rb

@@ -107,8 +107,8 @@ RSpec.describe GroupsFinder do
           end
 
           context 'being limited access member of parent group' do
-            it 'do not return group with unassigned access' do
-              create(:group_member, :unassigned, user: user, group: parent_group)
+            it 'do not return group with minimal_access access' do
+              create(:group_member, :minimal_access, user: user, group: parent_group)
 
               is_expected.to contain_exactly(public_subgroup, internal_subgroup)
             end

spec/finders/members_finder_spec.rb

@@ -45,12 +45,12 @@ RSpec.describe MembersFinder, '#execute' do
     expect(result).to contain_exactly(member1)
   end
 
-  it 'does not return members of parent group with unassigned access' do
+  it 'does not return members of parent group with minimal access' do
     nested_group.request_access(user1)
     member1 = group.add_maintainer(user2)
     member2 = nested_group.add_maintainer(user3)
     member3 = project.add_maintainer(user4)
-    create(:group_member, :unassigned, user: create(:user), group: group)
+    create(:group_member, :minimal_access, user: create(:user), group: group)
 
     result = described_class.new(project, user2).execute
 

spec/lib/gitlab/project_authorizations_spec.rb

@@ -115,7 +115,7 @@ RSpec.describe Gitlab::ProjectAuthorizations do
     end
   end
 
-  context 'user with unassigned access to group' do
+  context 'user with minimal access to group' do
     let_it_be(:group) { create(:group) }
     let_it_be(:user) { create(:user) }
 
@@ -125,7 +125,7 @@ RSpec.describe Gitlab::ProjectAuthorizations do
       let!(:group_project) { create(:project, namespace: group) }
 
       before do
-        create(:group_member, :unassigned, user: user, group: group)
+        create(:group_member, :minimal_access, user: user, group: group)
       end
 
       it 'does not create authorization' do
@@ -138,7 +138,7 @@ RSpec.describe Gitlab::ProjectAuthorizations do
       let!(:sub_group_project) { create(:project, namespace: sub_group) }
 
       before do
-        create(:group_member, :unassigned, user: user, group: group)
+        create(:group_member, :minimal_access, user: user, group: group)
       end
 
       it 'does not create authorization' do
@@ -152,7 +152,7 @@ RSpec.describe Gitlab::ProjectAuthorizations do
 
       before do
         create(:group_group_link, shared_group: shared_group, shared_with_group: group)
-        create(:group_member, :unassigned, user: user, group: group)
+        create(:group_member, :minimal_access, user: user, group: group)
       end
 
       it 'does not create authorization' do
@@ -166,7 +166,7 @@ RSpec.describe Gitlab::ProjectAuthorizations do
 
       before do
         create(:project_group_link, group: group, project: shared_project)
-        create(:group_member, :unassigned, user: user, group: group)
+        create(:group_member, :minimal_access, user: user, group: group)
       end
 
       it 'does not create authorization' do

spec/models/group_spec.rb

@@ -692,7 +692,7 @@ RSpec.describe Group do
     before do
       create(:group_member, user: user, group: group_parent, access_level: parent_group_access_level)
       create(:group_member, user: user, group: group, access_level: group_access_level)
-      create(:group_member, :unassigned, user: create(:user), group: group)
+      create(:group_member, :minimal_access, user: create(:user), group: group)
       create(:group_member, user: user, group: group_child, access_level: child_group_access_level)
     end
 

spec/models/member_spec.rb

@@ -149,7 +149,7 @@ RSpec.describe Member do
 
       accepted_request_user = create(:user).tap { |u| project.request_access(u) }
       @accepted_request_member = project.requesters.find_by(user_id: accepted_request_user.id).tap { |m| m.accept_request }
-      @member_unassigned = create(:group_member, :unassigned, group: group)
+      @member_with_minimal_access = create(:group_member, :minimal_access, group: group)
     end
 
     describe '.access_for_user_ids' do
@@ -180,13 +180,13 @@ RSpec.describe Member do
       it { expect(described_class.non_invite).to include @accepted_request_member }
     end
 
-    describe '.non_unassigned' do
-      it { expect(described_class.non_unassigned).to include @maintainer }
-      it { expect(described_class.non_unassigned).to include @invited_member }
-      it { expect(described_class.non_unassigned).to include @accepted_invite_member }
-      it { expect(described_class.non_unassigned).to include @requested_member }
-      it { expect(described_class.non_unassigned).to include @accepted_request_member }
-      it { expect(described_class.non_unassigned).not_to include @member_unassigned }
+    describe '.non_minimal_access' do
+      it { expect(described_class.non_minimal_access).to include @maintainer }
+      it { expect(described_class.non_minimal_access).to include @invited_member }
+      it { expect(described_class.non_minimal_access).to include @accepted_invite_member }
+      it { expect(described_class.non_minimal_access).to include @requested_member }
+      it { expect(described_class.non_minimal_access).to include @accepted_request_member }
+      it { expect(described_class.non_minimal_access).not_to include @member_with_minimal_access }
     end
 
     describe '.request' do

spec/services/authorized_project_update/project_create_service_spec.rb

@@ -81,7 +81,7 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
         before do
           create(:group_member, access_level: Gitlab::Access::REPORTER, group: group, user: group_user)
           create(:group_member, access_level: Gitlab::Access::MAINTAINER, group: shared_with_group, user: group_user)
-          create(:group_member, :unassigned, group: shared_with_group, user: create(:user))
+          create(:group_member, :minimal_access, group: shared_with_group, user: create(:user))
 
           create(:group_group_link, shared_group: group, shared_with_group: shared_with_group, group_access: Gitlab::Access::DEVELOPER)
 
@@ -99,7 +99,7 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
           expect(project_authorization).to exist
         end
 
-        it 'does not create project authorization for user with limited access' do
+        it 'does not create project authorization for user with minimal access' do
           expect { service.execute }.to(
             change { ProjectAuthorization.count }.from(0).to(1))
         end
@@ -124,9 +124,9 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
       end
     end
 
-    context 'member with unassigned access' do
+    context 'member with minimal access' do
       before do
-        create(:group_member, :unassigned, user: group_user, group: group)
+        create(:group_member, :minimal_access, user: group_user, group: group)
       end
 
       it 'does not create project authorization' do

spec/services/authorized_project_update/project_group_link_create_service_spec.rb

@@ -112,9 +112,9 @@ RSpec.describe AuthorizedProjectUpdate::ProjectGroupLinkCreateService do
       end
     end
 
-    context 'unassigned member' do
+    context 'minimal access member' do
       before do
-        create(:group_member, :unassigned, user: group_user, group: group)
+        create(:group_member, :minimal_access, user: group_user, group: group)
       end
 
       it 'does not create project authorization' do