Add latest changes from gitlab-org/gitlab@master

.rubocop_todo/lint/missing_cop_enable_directive.yml

@@ -156,7 +156,6 @@ Lint/MissingCopEnableDirective:
     - 'lib/gitlab/background_migration/migrate_approver_to_approval_rules_check_progress.rb'
     - 'lib/gitlab/background_migration/migrate_approver_to_approval_rules_in_batch.rb'
     - 'lib/gitlab/background_migration/migrate_job_artifact_registry_to_ssf.rb'
-    - 'lib/gitlab/background_migration/migrate_stage_status.rb'
     - 'lib/gitlab/background_migration/migrate_u2f_webauthn.rb'
     - 'lib/gitlab/background_migration/populate_latest_pipeline_ids.rb'
     - 'lib/gitlab/background_migration/populate_resolved_on_default_branch_column.rb'
@@ -182,7 +181,6 @@ Lint/MissingCopEnableDirective:
     - 'lib/gitlab/patch/action_cable_redis_listener.rb'
     - 'lib/gitlab/patch/prependable.rb'
     - 'lib/gitlab/project_search_results.rb'
-    - 'lib/gitlab/task_helpers.rb'
     - 'lib/gitlab/testing/request_blocker_middleware.rb'
     - 'lib/gitlab/testing/request_inspector_middleware.rb'
     - 'lib/gitlab/testing/robots_blocker_middleware.rb'

.rubocop_todo/lint/mixed_regexp_capture_types.yml

@@ -10,7 +10,6 @@ Lint/MixedRegexpCaptureTypes:
     - 'lib/gitlab/diff/suggestions_parser.rb'
     - 'lib/gitlab/github_import/representation/note.rb'
     - 'lib/gitlab/metrics/system.rb'
-    - 'lib/gitlab/request_profiler/profile.rb'
     - 'lib/gitlab/slash_commands/issue_move.rb'
     - 'lib/gitlab/slash_commands/issue_new.rb'
     - 'lib/gitlab/slash_commands/run.rb'

app/assets/javascripts/batch_comments/components/draft_note.vue

@@ -113,7 +113,7 @@ export default {
         class="referenced-commands draft-note-commands"
       ></div>
 
-      <p class="draft-note-actions d-flex">
+      <p class="draft-note-actions d-flex" data-qa-selector="draft_note_content">
         <publish-button
           :show-count="true"
           :should-publish="false"

doc/administration/file_hooks.md

@@ -51,7 +51,7 @@ Follow the steps below to set up a custom hook:
    in any language, and ensure the 'shebang' at the top properly reflects the
    language type. For example, if the script is in Ruby the shebang will
    probably be `#!/usr/bin/env ruby`.
-1. The data to the file hook is provided as JSON on STDIN. It is exactly the
+1. The data to the file hook is provided as JSON on `STDIN`. It is exactly the
    same as for [system hooks](system_hooks.md).
 
 That's it! Assuming the file hook code is properly implemented, the hook fires

doc/administration/maintenance_mode/index.md

@@ -14,7 +14,7 @@ Once Maintenance Mode is enabled, in-progress actions finish relatively quickly
 In that state, various maintenance tasks are easier, and services can be stopped completely or be
 further degraded for a much shorter period of time than might otherwise be needed. For example, stopping cron jobs and draining queues should be fairly quick.
 
-Maintenance Mode allows most external actions that do not change internal state. On a high-level, HTTP POST, PUT, PATCH, and DELETE requests are blocked and a detailed overview of [how special cases are handled](#rest-api) is available.
+Maintenance Mode allows most external actions that do not change internal state. On a high-level, HTTP `POST`, `PUT`, `PATCH`, and `DELETE` requests are blocked and a detailed overview of [how special cases are handled](#rest-api) is available.
 
 ## Enable Maintenance Mode
 
@@ -107,22 +107,22 @@ Notification emails continue to arrive, but emails that require database writes,
 
 ### REST API
 
-For most JSON requests, POST, PUT, PATCH, and DELETE are blocked, and the API returns a 403 response with the error message: `You cannot perform write operations on a read-only instance`. Only the following requests are allowed:
+For most JSON requests, `POST`, `PUT`, `PATCH`, and `DELETE` are blocked, and the API returns a 403 response with the error message: `You cannot perform write operations on a read-only instance`. Only the following requests are allowed:
 
 |HTTP request | Allowed routes |  Notes |
 |:----:|:--------------------------------------:|:----:|
-| POST | `/admin/application_settings/general` | To allow updating application settings in the administrator UI |
+| `POST` | `/admin/application_settings/general` | To allow updating application settings in the administrator UI |
-| PUT  | `/api/v4/application/settings` | To allow updating application settings with the API |
+| `PUT`  | `/api/v4/application/settings` | To allow updating application settings with the API |
-| POST | `/users/sign_in` | To allow users to log in. |
+| `POST` | `/users/sign_in` | To allow users to log in. |
-| POST | `/users/sign_out`| To allow users to log out. |
+| `POST` | `/users/sign_out`| To allow users to log out. |
-| POST | `/oauth/token` | To allow users to log in to a Geo secondary for the first time. |
+| `POST` | `/oauth/token` | To allow users to log in to a Geo secondary for the first time. |
-| POST | `/admin/session`, `/admin/session/destroy` | To allow [Admin Mode for GitLab administrators](https://gitlab.com/groups/gitlab-org/-/epics/2158) |
+| `POST` | `/admin/session`, `/admin/session/destroy` | To allow [Admin Mode for GitLab administrators](https://gitlab.com/groups/gitlab-org/-/epics/2158) |
-| POST | Paths ending with `/compare`| Git revision routes. |
+| `POST` | Paths ending with `/compare`| Git revision routes. |
-| POST | `.git/git-upload-pack` | To allow Git pull/clone. |
+| `POST` | `.git/git-upload-pack` | To allow Git pull/clone. |
-| POST | `/api/v4/internal` | [internal API routes](../../development/internal_api/index.md) |
+| `POST` | `/api/v4/internal` | [internal API routes](../../development/internal_api/index.md) |
-| POST | `/admin/sidekiq` | To allow management of background jobs in the Admin Area |
+| `POST` | `/admin/sidekiq` | To allow management of background jobs in the Admin Area |
-| POST | `/admin/geo` | To allow updating Geo Nodes in the administrator UI |
+| `POST` | `/admin/geo` | To allow updating Geo Nodes in the administrator UI |
-| POST | `/api/v4/geo_replication`| To allow certain Geo-specific administrator UI actions on secondary sites |
+| `POST` | `/api/v4/geo_replication`| To allow certain Geo-specific administrator UI actions on secondary sites |
 
 ### GraphQL API
 

doc/administration/package_information/index.md

@@ -15,10 +15,10 @@ at [bundling dependencies document](omnibus_packages.md).
 The released package versions are in the format `MAJOR.MINOR.PATCH-EDITION.OMNIBUS_RELEASE`
 
 | Component           | Meaning | Example |
-|-------------------|---------|---------|
+|---------------------|---------|---------|
-| MAJOR.MINOR.PATCH | The GitLab version this corresponds to. | 13.3.0 |
+| `MAJOR.MINOR.PATCH` | The GitLab version this corresponds to. | 13.3.0 |
-| EDITION           | The edition of GitLab this corresponds to. | ee |
+| `EDITION`           | The edition of GitLab this corresponds to. | ee |
-| OMNIBUS_RELEASE   | The Omnibus GitLab release. Usually, this is 0. This is incremented if we need to build a new package without changing the GitLab version. | 0 |
+| `OMNIBUS_RELEASE`   | The Omnibus GitLab release. Usually, this is 0. This is incremented if we need to build a new package without changing the GitLab version. | 0 |
 
 ## Licenses
 

doc/administration/raketasks/github_import.md

@@ -12,7 +12,7 @@ which becomes the owner of the project. You can resume an import
 with the same command.
 
 Bear in mind that the syntax is very specific. Remove any spaces within the argument block and
-before/after the brackets. Also, some shells (for example, `zsh`) can interpret the open/close brackets
+before/after the brackets. Also, some shells (for example, Zsh) can interpret the open/close brackets
 (`[]`) separately. You may need to either escape the brackets or use double quotes.
 
 ## Caveats

doc/api/graphql/reference/index.md

@@ -9281,6 +9281,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="boardepicancestorsstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="boardepicancestorsstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="boardepicancestorstimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="boardepicancestorstoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="boardepicancestorsupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="boardepicancestorsupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 
@@ -9318,6 +9319,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="boardepicchildrenstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="boardepicchildrenstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="boardepicchildrentimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="boardepicchildrentoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="boardepicchildrenupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="boardepicchildrenupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 
@@ -10858,6 +10860,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="epicancestorsstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="epicancestorsstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="epicancestorstimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="epicancestorstoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="epicancestorsupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="epicancestorsupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 
@@ -10895,6 +10898,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="epicchildrenstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="epicchildrenstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="epicchildrentimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="epicchildrentoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="epicchildrenupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="epicchildrenupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 
@@ -11629,6 +11633,7 @@ Returns [`Epic`](#epic).
 | <a id="groupepicstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="groupepicstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="groupepictimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="groupepictoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="groupepicupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="groupepicupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 
@@ -11678,6 +11683,7 @@ four standard [pagination arguments](#connection-pagination-arguments):
 | <a id="groupepicsstartdate"></a>`startDate` **{warning-solid}** | [`Time`](#time) | **Deprecated** in 13.5. Use timeframe.start. |
 | <a id="groupepicsstate"></a>`state` | [`EpicState`](#epicstate) | Filter epics by state. |
 | <a id="groupepicstimeframe"></a>`timeframe` | [`Timeframe`](#timeframe) | List items overlapping the given timeframe. |
+| <a id="groupepicstoplevelhierarchyonly"></a>`topLevelHierarchyOnly` | [`Boolean`](#boolean) | Filter epics with a top-level hierarchy. |
 | <a id="groupepicsupdatedafter"></a>`updatedAfter` | [`Time`](#time) | Epics updated after this date. |
 | <a id="groupepicsupdatedbefore"></a>`updatedBefore` | [`Time`](#time) | Epics updated before this date. |
 

doc/ci/jobs/index.md

@@ -328,7 +328,7 @@ job1:
     - echo -e "\e[0Ksection_end:`date +%s`:my_first_section\r\e[0K"
 ```
 
-Depending on the shell that your runner uses, for example if it is using ZSH, you may need to
+Depending on the shell that your runner uses, for example if it is using Zsh, you may need to
 escape the special characters like so: `\\e` and `\\r`.
 
 In the example above:

doc/development/audit_event_guide/index.md

@@ -14,6 +14,17 @@ new audit events.
 Audit Events are a tool for GitLab owners and administrators to view records of important
 actions performed across the application.
 
+## What should NOT be Audit Events?
+
+While any events could trigger an Audit Event, not all events should. In general, events that are not good candidates for audit events are:
+
+- Not attributable to one specific user.
+- Not of specific interest to an admin or owner persona.
+- Are tracking information for product feature adoption.
+- Are covered in the direction page's discussion on [what is not planned](https://about.gitlab.com/direction/manage/compliance/audit-events/#what-is-not-planned-right-now).
+
+If you have any questions, please reach out to `@gitlab-org/manage/compliance` to see if an Audit Event, or some other approach, may be best for your event.
+
 ## Audit Event Schemas
 
 To instrument an audit event, the following attributes should be provided:

doc/development/code_review.md

@@ -90,7 +90,7 @@ page, with these behaviors:
 1. People whose [GitLab status](../user/profile/index.md#set-your-current-status) emoji
    is 🔶 `:large_orange_diamond:` or 🔸 `:small_orange_diamond:` are half as likely to be picked.
 1. It always picks the same reviewers and maintainers for the same
-   branch name (unless their out-of-office (OOO) status changes, as in point 1). It
+   branch name (unless their out-of-office (`OOO`) status changes, as in point 1). It
    removes leading `ce-` and `ee-`, and trailing `-ce` and `-ee`, so
    that it can be stable for backport branches.
 

doc/development/database/avoiding_downtime_in_migrations.md

@@ -175,7 +175,7 @@ copying over indexes and foreign keys.
 
 If a column contains one or more indexes that don't contain the name of the
 original column, the previously described procedure will fail. In that case,
-you'll first need to rename these indexes.
+you need to rename these indexes.
 
 ### Step 2: Add A Post-Deployment Migration
 

doc/development/go_guide/index.md

@@ -406,9 +406,8 @@ variable).
 
 Since daemons are long-running applications, they should have mechanisms to
 manage cancellations, and avoid unnecessary resources consumption (which could
-lead to DDOS vulnerabilities). [Go
+lead to DDoS vulnerabilities). [Go Context](https://github.com/golang/go/wiki/CodeReviewComments#contexts)
-Context](https://github.com/golang/go/wiki/CodeReviewComments#contexts) should
+should be used in functions that can block and passed as the first parameter.
-be used in functions that can block and passed as the first parameter.
 
 ## Dockerfiles
 

doc/development/internal_api/index.md

@@ -763,7 +763,7 @@ Example response:
 
 ### Moving additional packs
 
-Use a PATCH to move additional packs from one namespace to another.
+Use a `PATCH` to move additional packs from one namespace to another.
 
 ```plaintext
 PATCH /namespaces/:id/minutes/move/:target_id

doc/gitlab-basics/start-using-git.md

@@ -34,7 +34,7 @@ prompt, command shell, and command line). Here are some options:
 
 - For macOS users:
   - Built-in [Terminal](https://blog.teamtreehouse.com/introduction-to-the-mac-os-x-command-line). Press <kbd>⌘ command</kbd> + <kbd>space</kbd> and type `terminal`.
-  - [iTerm2](https://iterm2.com/). You can integrate it with [zsh](https://git-scm.com/book/id/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Zsh) and [oh my zsh](https://ohmyz.sh/) for color highlighting and other advanced features.
+  - [iTerm2](https://iterm2.com/). You can integrate it with [Zsh](https://git-scm.com/book/id/v2/Appendix-A%3A-Git-in-Other-Environments-Git-in-Zsh) and [Oh My Zsh](https://ohmyz.sh/) for color highlighting and other advanced features.
 - For Windows users:
   - Built-in command line. On the Windows taskbar, select the search icon and type `cmd`.
   - [PowerShell](https://docs.microsoft.com/en-us/powershell/scripting/windows-powershell/install/installing-windows-powershell?view=powershell-7).

doc/install/azure/index.md

@@ -15,7 +15,7 @@ Enterprise Edition in a single Virtual Machine (VM).
 
 ## Prerequisite
 
-You'll need an account on Azure. Use of the following methods to obtain an account:
+You need an account on Azure. Use of the following methods to obtain an account:
 
 - If you or your company already have an account with a subscription, use that account.
   If not, you can [open your own Azure account for free](https://azure.microsoft.com/en-us/free/).

doc/integration/kerberos.md

@@ -386,7 +386,7 @@ above error message.
 
 To fix this, ensure that the forward and reverse DNS for your GitLab server
 match. So for instance, if you access GitLab as `gitlab.example.com`, resolving
-to IP address `1.2.3.4`, then `4.3.2.1.in-addr.arpa` must be a PTR record for
+to IP address `1.2.3.4`, then `4.3.2.1.in-addr.arpa` must be a `PTR` record for
 `gitlab.example.com`.
 
 Finally, it's possible that the browser or client machine lack Kerberos support

doc/integration/mattermost/index.md

@@ -240,7 +240,7 @@ cd /opt/gitlab/embedded/service/mattermost
 sudo /opt/gitlab/embedded/bin/chpst -e /opt/gitlab/etc/mattermost/env -P -U mattermost:mattermost -u mattermost:mattermost /opt/gitlab/embedded/bin/mattermost --config=/var/opt/gitlab/mattermost/config.json version
 ```
 
-Until [#4745](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4745) has been implemented, the command requires quite of bit typing and is hard to remember, so let's make a bash/zsh alias to make it a bit easier to remember. Add the following to your `~/.bashrc` or `~/.zshrc` file:
+Until [#4745](https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4745) has been implemented, the command requires quite of bit typing and is hard to remember, so let's make a bash or Zsh alias to make it a bit easier to remember. Add the following to your `~/.bashrc` or `~/.zshrc` file:
 
 ```shell
 alias mattermost-cli="cd /opt/gitlab/embedded/service/mattermost && sudo /opt/gitlab/embedded/bin/chpst -e /opt/gitlab/etc/mattermost/env -P -U mattermost:mattermost -u mattermost:mattermost /opt/gitlab/embedded/bin/mattermost --config=/var/opt/gitlab/mattermost/config.json $1"

doc/topics/git/git_rebase.md

@@ -180,7 +180,7 @@ the operation you want to perform in each commit. To do so, edit
 the commits in your terminal's text editor.
 
 For example, with [Vim](https://www.vim.org/) as the text editor in
-a macOS's `ZSH` shell, you can `squash` or `fixup` (combine) all three commits:
+a macOS's Zsh shell, you can `squash` or `fixup` (combine) all three commits:
 
 <!-- vale gitlab.FirstPerson = NO -->
 

doc/topics/git/partial_clone.md

@@ -160,7 +160,7 @@ For more details, see the Git documentation for
    ```
 
    WARNING:
-   Git integrations with `bash`, `zsh`, etc and editors that automatically
+   Git integrations with `bash`, Zsh, etc and editors that automatically
    show Git status information often run `git fetch` which fetches the
    entire repository. Disabling or reconfiguring these integrations might be required.
 

doc/user/asciidoc.md

@@ -381,9 +381,9 @@ comment - content which is not included in the output document
 It's possible to have color written in `HEX`, `RGB`, or `HSL` format rendered with a color indicator.
 Supported formats (named colors are not supported):
 
-- HEX: `` `#RGB[A]` `` or `` `#RRGGBB[AA]` ``
+- `HEX`: `` `#RGB[A]` `` or `` `#RRGGBB[AA]` ``
-- RGB: `` `RGB[A](R, G, B[, A])` ``
+- `RGB`: `` `RGB[A](R, G, B[, A])` ``
-- HSL: `` `HSL[A](H, S, L[, A])` ``
+- `HSL`: `` `HSL[A](H, S, L[, A])` ``
 
 Color written inside backticks is followed by a color "chip":
 

qa/qa/page/merge_request/show.rb

@@ -19,6 +19,10 @@ module QA
           element :review_bar_content
         end
 
+        view 'app/assets/javascripts/batch_comments/components/draft_note.vue' do
+          element :draft_note_content
+        end
+
         view 'app/assets/javascripts/diffs/components/compare_dropdown_layout.vue' do
           element :dropdown_content
         end
@@ -150,6 +154,8 @@ module QA
           has_element?(:submit_review_button)
           within_element(:review_bar_content) do
             click_element(:review_preview_dropdown)
+          end
+          within_element(:draft_note_content) do
             click_element(:submit_review_button)
           end
           # After clicking the button, wait for it to disappear

qa/qa/specs/features/api/1_manage/user_inherited_access_spec.rb

@@ -0,0 +1,176 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User', :requires_admin do
+      let(:admin_api_client) { Runtime::API::Client.as_admin }
+
+      let!(:sub_group) do
+        QA::Resource::Group.fabricate_via_api! do |group|
+          group.path = "sub-group-to-test-user-access-#{SecureRandom.hex(8)}"
+        end
+      end
+
+      context 'when added to parent group' do
+        let!(:parent_group_user) do
+          Resource::User.fabricate_via_api! do |user|
+            user.api_client = admin_api_client
+          end
+        end
+
+        let!(:parent_group_user_api_client) do
+          Runtime::API::Client.new(:gitlab, user: parent_group_user)
+        end
+
+        let!(:sub_group_project) do
+          Resource::Project.fabricate_via_api! do |project|
+            project.group = sub_group
+            project.name = "sub-group-project-to-test-user-access"
+            project.initialize_with_readme = true
+          end
+        end
+
+        before do
+          sub_group.sandbox.add_member(parent_group_user)
+        end
+
+        it(
+          'is allowed to push code to sub-group project via the CLI',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363345'
+        ) do
+          expect do
+            Resource::Repository::Push.fabricate! do |push|
+              push.repository_http_uri = sub_group_project.repository_http_location.uri
+              push.file_name = 'test.txt'
+              push.file_content = "# This is a test project named #{sub_group_project.name}"
+              push.commit_message = 'Add test.txt'
+              push.branch_name = "new_branch_#{SecureRandom.hex(8)}"
+              push.user = parent_group_user
+            end
+          end.not_to raise_error
+        end
+
+        it(
+          'is allowed to create a file in sub-group project via the API',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363348'
+        ) do
+          expect do
+            Resource::File.fabricate_via_api! do |file|
+              file.api_client = parent_group_user_api_client
+              file.project = sub_group_project
+              file.branch = "new_branch_#{SecureRandom.hex(8)}"
+              file.commit_message = 'Add new file'
+              file.name = 'test.txt'
+              file.content = "New file"
+            end
+          end.not_to raise_error
+        end
+
+        it(
+          'is allowed to commit to sub-group project via the API',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363349'
+        ) do
+          expect do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.api_client = parent_group_user_api_client
+              commit.project = sub_group_project
+              commit.branch = "new_branch_#{SecureRandom.hex(8)}"
+              commit.start_branch = sub_group_project.default_branch
+              commit.commit_message = 'Add new file'
+              commit.add_files([
+                { file_path: 'test.txt', content: 'new file' }
+              ])
+            end
+          end.not_to raise_error
+        end
+
+        after do
+          parent_group_user.remove_via_api!
+          sub_group_project.remove_via_api!
+          sub_group.remove_via_api!
+        end
+      end
+
+      context 'when added to sub-group' do
+        let!(:parent_group_project) do
+          Resource::Project.fabricate_via_api! do |project|
+            project.group = sub_group.sandbox
+            project.name = "sub-group-project-to-test-user-access"
+            project.initialize_with_readme = true
+          end
+        end
+
+        let!(:sub_group_user) do
+          Resource::User.fabricate_via_api! do |user|
+            user.api_client = admin_api_client
+          end
+        end
+
+        let!(:sub_group_user_api_client) do
+          Runtime::API::Client.new(:gitlab, user: sub_group_user)
+        end
+
+        before do
+          sub_group.add_member(sub_group_user)
+        end
+
+        it(
+          'is not allowed to push code to parent group project via the CLI',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363344'
+        ) do
+          expect do
+            Resource::Repository::Push.fabricate! do |push|
+              push.repository_http_uri = parent_group_project.repository_http_location.uri
+              push.file_name = 'test.txt'
+              push.file_content = "# This is a test project named #{parent_group_project.name}"
+              push.commit_message = 'Add test.txt'
+              push.branch_name = "new_branch_#{SecureRandom.hex(8)}"
+              push.user = sub_group_user
+            end
+          end.to raise_error(QA::Support::Run::CommandError, /You are not allowed to push code to this project/)
+        end
+
+        it(
+          'is not allowed to create a file in parent group project via the API',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363343'
+        ) do
+          expect do
+            Resource::File.fabricate_via_api! do |file|
+              file.api_client = sub_group_user_api_client
+              file.project = parent_group_project
+              file.branch = "new_branch_#{SecureRandom.hex(8)}"
+              file.commit_message = 'Add new file'
+              file.name = 'test.txt'
+              file.content = "New file"
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError, /403 Forbidden/)
+        end
+
+        it(
+          'is not allowed to commit to parent group project via the API',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363342'
+        ) do
+          expect do
+            Resource::Repository::Commit.fabricate_via_api! do |commit|
+              commit.api_client = sub_group_user_api_client
+              commit.project = parent_group_project
+              commit.branch = "new_branch_#{SecureRandom.hex(8)}"
+              commit.start_branch = parent_group_project.default_branch
+              commit.commit_message = 'Add new file'
+              commit.add_files([
+                { file_path: 'test.txt', content: 'new file' }
+              ])
+            end
+          end.to raise_error(Resource::ApiFabricator::ResourceFabricationFailedError,
+            /403 Forbidden - You are not allowed to push into this branch/)
+        end
+
+        after do
+          sub_group_user.remove_via_api!
+          parent_group_project.remove_via_api!
+          sub_group.remove_via_api!
+        end
+      end
+    end
+  end
+end

qa/qa/specs/features/browser_ui/1_manage/user/user_inherited_access_spec.rb

@@ -0,0 +1,109 @@
+# frozen_string_literal: true
+
+module QA
+  RSpec.describe 'Manage' do
+    describe 'User', :requires_admin do
+      let(:admin_api_client) { Runtime::API::Client.as_admin }
+
+      let!(:sub_group) do
+        QA::Resource::Group.fabricate_via_api! do |group|
+          group.path = "sub-group-to-test-user-access-#{SecureRandom.hex(8)}"
+        end
+      end
+
+      context 'when added to parent group' do
+        let!(:parent_group_user) do
+          Resource::User.fabricate_via_api! do |user|
+            user.api_client = admin_api_client
+          end
+        end
+
+        let!(:parent_group_user_api_client) do
+          Runtime::API::Client.new(:gitlab, user: parent_group_user)
+        end
+
+        let!(:sub_group_project) do
+          Resource::Project.fabricate_via_api! do |project|
+            project.group = sub_group
+            project.name = "sub-group-project-to-test-user-access"
+            project.initialize_with_readme = true
+          end
+        end
+
+        before do
+          sub_group.sandbox.add_member(parent_group_user)
+        end
+
+        it(
+          'is allowed to edit the sub-group project files',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363467'
+        ) do
+          Flow::Login.sign_in(as: parent_group_user)
+          sub_group_project.visit!
+
+          Page::Project::Show.perform do |project|
+            project.click_file('README.md')
+          end
+
+          Page::File::Show.perform(&:click_edit)
+
+          Page::File::Form.perform do |file_form|
+            expect(file_form).to have_element(:commit_button)
+          end
+        end
+
+        after do
+          parent_group_user.remove_via_api!
+          sub_group_project.remove_via_api!
+          sub_group.remove_via_api!
+        end
+      end
+
+      context 'when added to sub-group' do
+        let!(:parent_group_project) do
+          Resource::Project.fabricate_via_api! do |project|
+            project.group = sub_group.sandbox
+            project.name = "sub-group-project-to-test-user-access"
+            project.initialize_with_readme = true
+          end
+        end
+
+        let!(:sub_group_user) do
+          Resource::User.fabricate_via_api! do |user|
+            user.api_client = admin_api_client
+          end
+        end
+
+        let!(:sub_group_user_api_client) do
+          Runtime::API::Client.new(:gitlab, user: sub_group_user)
+        end
+
+        before do
+          sub_group.add_member(sub_group_user)
+        end
+
+        it(
+          'is not allowed to edit the parent group project files',
+          testcase: 'https://gitlab.com/gitlab-org/gitlab/-/quality/test_cases/363466'
+        ) do
+          Flow::Login.sign_in(as: sub_group_user)
+          parent_group_project.visit!
+
+          Page::Project::Show.perform do |project|
+            project.click_file('README.md')
+          end
+
+          Page::File::Show.perform(&:click_edit)
+
+          expect(page).to have_text("You can’t edit files directly in this project.")
+        end
+
+        after do
+          sub_group_user.remove_via_api!
+          parent_group_project.remove_via_api!
+          sub_group.remove_via_api!
+        end
+      end
+    end
+  end
+end