Update topic for CTRT principles

- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81120

Update topic for CTRT principles
- https://gitlab.com/gitlab-org/gitlab/-/merge_requests/81120
b751e22c · Evan Read · Paul Slaughter · 4962d32d · b751e22c · b751e22c
Commit b751e22c authored Feb 28, 2022 by Evan Read Committed by Paul Slaughter Feb 28, 2022
13 changed files
--- a/app/views/projects/pages/_ssl_limitations_warning.html.haml
+++ b/app/views/projects/pages/_ssl_limitations_warning.html.haml
@@ -2,6 +2,6 @@
  = sprite_icon("warning-solid", css_class: "gl-text-orange-600")
  %strong= _("Warning:")
  - pages_host = Gitlab.config.pages.host
-  - docs_link_start = "<a href='#{help_page_path('user/project/pages/introduction', anchor: 'limitations')}' target='_blank' rel='noopener noreferrer'>".html_safe
+  - docs_link_start = "<a href='#{help_page_path('user/project/pages/introduction', anchor: 'subdomains-of-subdomains')}' target='_blank' rel='noopener noreferrer'>".html_safe
  - link_end = '</a>'.html_safe
-  = s_("GitLabPages|When using Pages under the general domain of a GitLab instance (%{pages_host}), you cannot use HTTPS with sub-subdomains. This means that if your username/groupname contains a dot it will not work. This is a limitation of the HTTP Over TLS protocol. HTTP pages will continue to work provided you don't redirect HTTP to HTTPS. %{docs_link_start}Learn more.%{link_end}").html_safe % { pages_host: pages_host, docs_link_start: docs_link_start, link_end: link_end }
+  = s_("GitLabPages|When using Pages under the general domain of a GitLab instance (%{pages_host}), you cannot use HTTPS with subdomains of subdomains. If your namespace or groupname contains a dot, it does not work. This is a limitation of the HTTP Over TLS protocol. HTTP pages work if you don't redirect HTTP to HTTPS. %{docs_link_start}Learn more.%{link_end}").html_safe % { pages_host: pages_host, docs_link_start: docs_link_start, link_end: link_end }
--- a/doc/administration/get_started.md
+++ b/doc/administration/get_started.md
@@ -39,8 +39,8 @@ Get started:
 - Create a [project](../user/project/working_with_projects.md#create-a-project).
 - Create a [group](../user/group/index.md#create-a-group).
 - [Add members](../user/group/index.md#add-users-to-a-group) to the group.
- Create a [subgroup](../user/group/subgroups/index.md#creating-a-subgroup).
- [Add members](../user/group/subgroups/index.md#membership) to the subgroup.
+- Create a [subgroup](../user/group/subgroups/index.md#create-a-subgroup).
+- [Add members](../user/group/subgroups/index.md#subgroup-membership) to the subgroup.
 - Enable [external authorization control](../user/admin_area/settings/external_authorization.md#configuration).

 **More resources**
@@ -49,7 +49,7 @@ Get started:
 - Sync group memberships [by using LDAP](../administration/auth/ldap/ldap_synchronization.md#group-sync).
 - Manage user access with inherited permissions. Use up to 20 levels of subgroups to organize both teams and projects.
  - Learn more about [inherited permissions](../user/project/members/index.md#inherited-membership).
-  - View [nested category examples](../user/group/subgroups/index.md#overview).
+  - View an [example](../user/group/subgroups/index.md).

 ## Import projects


--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -796,7 +796,7 @@ Parameters:
 | `two_factor_grace_period`                               | integer | no       | Time before Two-factor authentication is enforced (in hours). |
 | `project_creation_level`                                | string  | no       | Determine if developers can create projects in the group. Can be `noone` (No one), `maintainer` (users with the Maintainer role), or `developer` (users with the Developer or Maintainer role). |
 | `auto_devops_enabled`                                   | boolean | no       | Default to Auto DevOps pipeline for all projects within this group. |
-| `subgroup_creation_level`                               | string  | no       | Allowed to [create subgroups](../user/group/subgroups/index.md#creating-a-subgroup). Can be `owner` (Owners), or `maintainer` (users with the Maintainer role). |
+| `subgroup_creation_level`                               | string  | no       | Allowed to [create subgroups](../user/group/subgroups/index.md#create-a-subgroup). Can be `owner` (Owners), or `maintainer` (users with the Maintainer role). |
 | `emails_disabled`                                       | boolean | no       | Disable email notifications |
 | `avatar`                                                | mixed   | no       | Image file for avatar of the group. [Introduced in GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/36681) |
 | `mentions_disabled`                                     | boolean | no       | Disable the capability of a group from getting mentioned |
@@ -859,7 +859,7 @@ curl --request POST --header "PRIVATE-TOKEN: <your_access_token>" \
 Transfer a group to a new parent group or turn a subgroup to a top-level group. Available to administrators and users:

 - With the Owner role for the group to transfer.
- With permission to [create a subgroup](../user/group/subgroups/index.md#creating-a-subgroup) in the new parent group if transferring a group.
+- With permission to [create a subgroup](../user/group/subgroups/index.md#create-a-subgroup) in the new parent group if transferring a group.
 - With [permission to create a top-level group](../administration/user_settings.md#prevent-users-from-creating-top-level-groups) if turning a subgroup into a top-level group.

 ```plaintext
@@ -899,7 +899,7 @@ PUT /groups/:id
 | `two_factor_grace_period`                               | integer | no       | Time before Two-factor authentication is enforced (in hours). |
 | `project_creation_level`                                | string  | no       | Determine if developers can create projects in the group. Can be `noone` (No one), `maintainer` (users with the Maintainer role), or `developer` (users with the Developer or Maintainer role). |
 | `auto_devops_enabled`                                   | boolean | no       | Default to Auto DevOps pipeline for all projects within this group. |
-| `subgroup_creation_level`                               | string  | no       | Allowed to [create subgroups](../user/group/subgroups/index.md#creating-a-subgroup). Can be `owner` (Owners), or `maintainer` (users with the Maintainer role). |
+| `subgroup_creation_level`                               | string  | no       | Allowed to [create subgroups](../user/group/subgroups/index.md#create-a-subgroup). Can be `owner` (Owners), or `maintainer` (users with the Maintainer role). |
 | `emails_disabled`                                       | boolean | no       | Disable email notifications |
 | `avatar`                                                | mixed   | no       | Image file for avatar of the group. [Introduced in GitLab 12.9](https://gitlab.com/gitlab-org/gitlab/-/issues/36681) |
 | `mentions_disabled`                                     | boolean | no       | Disable the capability of a group from getting mentioned |

--- a/doc/user/admin_area/index.md
+++ b/doc/user/admin_area/index.md
@@ -224,6 +224,17 @@ You must be an administrator to manually add emails to users:

 The [Cohorts](user_cohorts.md) tab displays the monthly cohorts of new users and their activities over time.

+### Prevent a user from creating groups
+
+By default, users can create groups. To prevent a user from creating groups:
+
+1. On the top bar, select **Menu > Admin**.
+1. On the left sidebar, select **Overview > Users** (`/admin/users`).
+1. Locate the user and select them.
+1. Select **Edit**.
+1. Clear the **Can create group** checkbox.
+1. Select **Save changes**.
+
 ### Administering Groups

 You can administer all groups in the GitLab instance from the Admin Area's Groups page.

--- a/doc/user/discussions/index.md
+++ b/doc/user/discussions/index.md
@@ -36,10 +36,9 @@ Each object can have as many as 5,000 comments.

 ## Mentions

-You can mention a user or a group present in your GitLab instance with `@username` or
-`@groupname`. All mentioned users are notified with to-do items and emails.
-Users can change this setting for themselves in the
-[notification settings](../profile/notifications.md).
+You can mention a user or a group (including [subgroups](../group/subgroups/index.md#mention-subgroups)) in your GitLab
+instance with `@username` or `@groupname`. All mentioned users are notified with to-do items and emails.
+Users can change this setting for themselves in the [notification settings](../profile/notifications.md).

 You can quickly see which comments involve you, because
 mentions for yourself (the user currently signed in) are highlighted

--- a/doc/user/group/subgroups/img/mention_subgroups.png
+++ b/doc/user/group/subgroups/img/mention_subgroups.png
--- a/doc/user/group/subgroups/index.md
+++ b/doc/user/group/subgroups/index.md
--- a/doc/user/permissions.md
+++ b/doc/user/permissions.md
@@ -431,8 +431,7 @@ The following table lists group permissions available for each role:

 <!-- markdownlint-disable MD029 -->

-1. Groups can be set to [allow either Owners or Owners and
-  Maintainers to create subgroups](group/subgroups/index.md#creating-a-subgroup)
+1. Groups can be set to allow either Owners, or Owners and users with the Maintainer role, to [create subgroups](group/subgroups/index.md#create-a-subgroup).
 2. Introduced in GitLab 12.2.
 3. Default project creation role can be changed at:
   - The [instance level](admin_area/settings/visibility_and_access_controls.md#define-which-roles-can-create-projects).
@@ -451,7 +450,7 @@ permission level from the parent group(s). This model allows access to
 nested groups if you have membership in one of its parents.

 To learn more, read through the documentation on
-[subgroups memberships](group/subgroups/index.md#membership).
+[subgroups memberships](group/subgroups/index.md#subgroup-membership).

 ## External users **(FREE SELF)**


--- a/doc/user/project/members/share_project_with_groups.md
+++ b/doc/user/project/members/share_project_with_groups.md
@@ -15,7 +15,7 @@ Groups are used primarily to [create collections of projects](../../group/index.
 take advantage of the fact that groups define collections of _users_, namely the group
 members.

-## Sharing a project with a group of users
+## Share a project with a group of users

 NOTE:
 In GitLab 13.11, you can [replace this form with a modal window](#share-a-project-modal-window).
@@ -89,7 +89,15 @@ Feature.disable(:invite_members_group_modal)

 In the example above, the maximum access level of 'Developer' for members from 'Engineering' means that users with higher access levels in 'Engineering' ('Maintainer' or 'Owner') only have 'Developer' access to 'Project Acme'.

-## Sharing public project with private group
+### Share a project with a subgroup
+
+You can't share a project with a group that's an ancestor of a [subgroup](../../group/subgroups/index.md) the project is
+in. That means you can only share down the hierarchy. For example, `group/subgroup01/project`:
+
+- Can not be shared with `group`.
+- Can be shared with `group/subgroup02` or  `group/subgroup01/subgroup03`.
+
+## Share public project with private group

 When sharing a public project with a private group, owners and maintainers of the project see the name of the group in the `members` page. Owners also have the possibility to see members of the private group they don't have access to when mentioning them in the issue or merge request.


--- a/doc/user/project/merge_requests/approvals/rules.md
+++ b/doc/user/project/merge_requests/approvals/rules.md
@@ -175,7 +175,7 @@ granting them push access:
 1. [Create a new group](../../../group/index.md#create-a-group).
 1. [Add the user to the group](../../../group/index.md#add-users-to-a-group),
   and select the Reporter role for the user.
-1. [Share the project with your group](../../members/share_project_with_groups.md#sharing-a-project-with-a-group-of-users),
+1. [Share the project with your group](../../members/share_project_with_groups.md#share-a-project-with-a-group-of-users),
   based on the Reporter role.
 1. Go to your project and select **Settings > General**.
 1. Expand **Merge request (MR) approvals**.

--- a/doc/user/project/pages/getting_started_part_one.md
+++ b/doc/user/project/pages/getting_started_part_one.md
@@ -34,7 +34,7 @@ Pages domains are `*.gitlab.io`.
 | Project pages owned by a subgroup | `subgroup/projectname` | `http(s)://groupname.example.io/subgroup/projectname`|

 WARNING:
-There are some known [limitations](introduction.md#limitations)
+There are some known [limitations](introduction.md#subdomains-of-subdomains)
 regarding namespaces served under the general domain name and HTTPS.
 Make sure to read that section.


--- a/doc/user/project/pages/introduction.md
+++ b/doc/user/project/pages/introduction.md
@@ -76,17 +76,21 @@ website.

 ![Remove pages](img/remove_pages.png)

-## Limitations
+## Subdomains of subdomains

-When using Pages under the general domain of a GitLab instance (`*.example.io`),
-you _cannot_ use HTTPS with sub-subdomains. That means that if your
-username or group name contains a dot, for example `foo.bar`, the domain
-`https://foo.bar.example.io` does _not_ work. This is a limitation of the
-[HTTP Over TLS protocol](https://tools.ietf.org/html/rfc2818#section-3.1).
-HTTP pages continue to work provided you don't redirect HTTP to HTTPS.
+When using Pages under the top-level domain of a GitLab instance (`*.example.io`), you can't use HTTPS with subdomains
+of subdomains. If your namespace or group name contains a dot (for example, `foo.bar`) the domain
+`https://foo.bar.example.io` does _not_ work.

-GitLab Pages [does **not** support group websites for subgroups](../../group/subgroups/index.md#limitations).
-You can only create the highest-level group website.
+This limitation is because of the [HTTP Over TLS protocol](https://tools.ietf.org/html/rfc2818#section-3.1). HTTP pages
+work as long as you don't redirect HTTP to HTTPS.
+
+## GitLab Pages and subgroups
+
+You must host your GitLab Pages website in a project. This project can belong to a [group](../../group/index.md) or
+[subgroup](../../group/subgroups/index.md). For
+[group websites](../../project/pages/getting_started_part_one.md#gitlab-pages-default-domain-names), the group must be
+at the top level and not a subgroup.

 ## Specific configuration options for Pages


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -16702,7 +16702,7 @@ msgstr ""
 msgid "GitLabPages|When enabled, all attempts to visit your website through HTTP are automatically redirected to HTTPS using a response with status code 301. Requires a valid certificate for all domains. %{docs_link_start}Learn more.%{link_end}"
 msgstr ""

-msgid "GitLabPages|When using Pages under the general domain of a GitLab instance (%{pages_host}), you cannot use HTTPS with sub-subdomains. This means that if your username/groupname contains a dot it will not work. This is a limitation of the HTTP Over TLS protocol. HTTP pages will continue to work provided you don't redirect HTTP to HTTPS. %{docs_link_start}Learn more.%{link_end}"
+msgid "GitLabPages|When using Pages under the general domain of a GitLab instance (%{pages_host}), you cannot use HTTPS with subdomains of subdomains. If your namespace or groupname contains a dot, it does not work. This is a limitation of the HTTP Over TLS protocol. HTTP pages work if you don't redirect HTTP to HTTPS. %{docs_link_start}Learn more.%{link_end}"
 msgstr ""

 msgid "GitLabPages|With GitLab Pages you can host your static website directly from your GitLab repository. %{docs_link_start}Learn more.%{link_end}"