fix(worker): Fix permission syncing for internal GitLab projects #857

Merged: brendan-kellam merged 4 commits into main from bkellam/fix-SOU-379 on Feb 5, 2026

Conversation

Contributor

@brendan-kellam brendan-kellam commented Feb 5, 2026

Internal GitLab projects were not visible in Sourcebot when permission syncing was enabled. This was for two reasons:

  1. For account-driven permission syncing, we were setting the membership filter to true, meaning that for a given user we were not getting internal projects they were not a member of.
  2. For repo-driven permission syncing, we use /projects/:id/members/all to fetch which users have access to a given project. This breaks down in the same way: if the project has internal visibility, then this API won't return users who are not members but should be able to see the project. I was poking around, and it seems like there is no mechanism for listing everything for internal projects.

This PR removes permission enforcement for internal GitLab projects by setting the isPublic flag to true for internal (& public) projects. Internal projects are visible to everyone in the instance anyway, so enforcement on the Sourcebot side doesn't make much sense.

Summary by CodeRabbit

  • Bug Fixes

    • Internal GitLab projects are now visible in Sourcebot when permission syncing is enabled; permission enforcement applies to private projects only.
  • Documentation

    • Clarified that internal GitLab projects are visible to all users and not enforced by permission syncing, while private projects remain subject to permission-based visibility.
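The two failure modes the description above gives, worked through as an added example (this is not Sourcebot's code and not part of the PR): a small TypeScript model with constructed projects and users. GitLab's API behaviour is simulated in code (the `membership=true` filter, the `/projects/:id/members/all` member list), the `isPublic` rule is shown before and after the change, and the search-side visibility filter is an assumed approximation of what the PR describes, not Sourcebot's actual query.

```typescript
// Added example, not Sourcebot's code. Models the two GitLab permission-sync
// paths from PR #857 with constructed data: why an internal project vanished
// for a non-member before the fix, and why treating internal as public
// restores it while private projects stay enforced.

type GitLabVisibility = 'private' | 'internal' | 'public';

interface GitLabProject {
  id: number;
  path: string;
  visibility: GitLabVisibility;
  // What GET /projects/:id/members/all would return: direct and inherited
  // members only, never "everyone who may read an internal project".
  members: string[];
}

// Synced permission record: project id -> users permitted to see it.
type PermissionMap = Map<number, Set<string>>;

// Constructed fixture: one project per visibility. alice is a member of the
// private and internal projects; carol is a member of nothing.
const PROJECTS: GitLabProject[] = [
  { id: 1, path: 'grp/private-svc', visibility: 'private', members: ['alice'] },
  { id: 2, path: 'grp/internal-lib', visibility: 'internal', members: ['alice'] },
  { id: 3, path: 'grp/public-docs', visibility: 'public', members: [] },
];

// isPublic rule before the fix: only 'public' skips enforcement.
function isPublicBefore(p: GitLabProject): boolean {
  return p.visibility === 'public';
}

// Rule after the fix: internal counts as public, because GitLab already shows
// internal projects to every authenticated user in the instance.
function isPublicAfter(p: GitLabProject): boolean {
  return p.visibility === 'public' || p.visibility === 'internal';
}

// Repo-driven sync: permitted users are exactly the members list, so
// non-members of an internal project are never recorded.
function repoDrivenSync(projects: GitLabProject[]): PermissionMap {
  return new Map(projects.map((p): [number, Set<string>] => [p.id, new Set(p.members)]));
}

// Account-driven sync: per user, simulate GET /projects?visibility=<v> with or
// without membership=true. A user can read a private project only as a
// member; membership=true additionally drops every project the user is not a
// member of, which is what hid internal projects.
function accountDrivenSync(
  users: string[],
  projects: GitLabProject[],
  opts: { visibilities: GitLabVisibility[]; membership: boolean },
): PermissionMap {
  const perms: PermissionMap = new Map(
    projects.map((p): [number, Set<string>] => [p.id, new Set<string>()]),
  );
  for (const user of users) {
    for (const p of projects) {
      if (!opts.visibilities.includes(p.visibility)) continue;
      const isMember = p.members.includes(user);
      const readable = p.visibility !== 'private' || isMember;
      if (readable && (!opts.membership || isMember)) perms.get(p.id)!.add(user);
    }
  }
  return perms;
}

// Assumed search-side filter (not Sourcebot's real query): a repo is visible
// when flagged public or when the user is in its synced permission list.
function visibleRepoPaths(
  user: string,
  projects: GitLabProject[],
  isPublic: (p: GitLabProject) => boolean,
  perms: PermissionMap,
): string[] {
  return projects
    .filter(p => isPublic(p) || (perms.get(p.id)?.has(user) ?? false))
    .map(p => p.path)
    .sort();
}

// Wrappers for the pre-fix and post-fix configurations of each sync mode.
function visibleBefore(user: string, mode: 'account' | 'repo'): string[] {
  const perms = mode === 'repo'
    ? repoDrivenSync(PROJECTS)
    : accountDrivenSync([user], PROJECTS, { visibilities: ['private', 'internal'], membership: true });
  return visibleRepoPaths(user, PROJECTS, isPublicBefore, perms);
}

function visibleAfter(user: string, mode: 'account' | 'repo'): string[] {
  const perms = mode === 'repo'
    ? repoDrivenSync(PROJECTS)
    : accountDrivenSync([user], PROJECTS, { visibilities: ['private'], membership: false });
  return visibleRepoPaths(user, PROJECTS, isPublicAfter, perms);
}

for (const mode of ['account', 'repo'] as const) {
  console.log(mode, 'before, carol:', visibleBefore('carol', mode)); // internal-lib missing
  console.log(mode, 'after, carol:', visibleAfter('carol', mode)); // internal-lib visible again
  console.log(mode, 'after, alice:', visibleAfter('alice', mode)); // member still sees private-svc
}
```

In both sync modes the non-member carol loses `grp/internal-lib` under the old rule and gets it back under the new one, while `grp/private-svc` stays restricted to its member alice, which is the property the PR relies on.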

Contributor

coderabbitai bot commented Feb 5, 2026

Caution: Review failed. The pull request is closed.

Walkthrough

Permission-syncing and visibility handling for GitLab were changed: the sync now fetches only private projects (no internal), the GitLab API call no longer sets membership: true, and compile-time visibility treats internal as public. A changelog and docs note were added.

Changes

  • Changelog / Docs (CHANGELOG.md, docs/docs/features/permission-syncing.mdx): Added "Fixed" note documenting internal GitLab projects visibility; clarified docs that only private projects are enforced by permission syncing.
  • Permission sync core (packages/backend/src/ee/accountPermissionSyncer.ts): Now fetches only private GitLab projects and builds the permission sync list from that result (removed combining private+internal IDs).
  • GitLab API client (packages/backend/src/gitlab.ts): Removed membership: true from the getProjectsForAuthenticatedUser call; relies on visibility filtering and perPage: 100.
  • Repo compile visibility (packages/backend/src/repoCompileUtils.ts): isPublic logic updated to treat internal visibility as public for compile-time visibility decisions.

Sequence Diagram(s)

sequenceDiagram
  participant Syncer as PermissionSyncer
  participant GitLab as GitLab API
  participant Store as RepoStore
  participant Compiler as RepoCompileUtils

  Syncer->>GitLab: GET projects (visibility=private, perPage=100)
  GitLab-->>Syncer: returns private projects list
  Syncer->>Store: persist/compute project IDs for permission sync
  Store->>Compiler: request visibility evaluation for repos
  Compiler-->>Store: visibility (treat internal as public)
  Store-->>Syncer: finalized permission-enforced repo set

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Suggested reviewers

  • msukkari
🚥 Pre-merge checks: ✅ 3 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly identifies the main change: fixing permission syncing for internal GitLab projects, which directly matches the PR's core objective to make internal GitLab projects visible when permission syncing is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

claude bot commented Feb 5, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@CHANGELOG.md`:
- Around line 10-11: Typo fix: locate the changelog entry line starting with "- [EE] Fixed issue where internal GitLab projects were not visibile in Sourcebot when permission syncing is enabled. [`#857`](https://github.com/sourcebot-dev/sourcebot/pull/857)" and correct the misspelled word "visibile" to "visible" so the line reads "...projects were not visible in Sourcebot...".

In `@packages/backend/src/repoCompileUtils.ts`:
- Around line 173-179: The current logic sets const isPublic = project.visibility === 'public' || project.visibility === 'internal', which treats GitLab "internal" repos as public and bypasses permission filtering; change this by making isPublic true only for project.visibility === 'public' and add a separate isInternal flag (e.g., const isInternal = project.visibility === 'internal') so downstream permission checks use isPublic to skip filtering but still apply or explicitly handle permission syncing/filters for isInternal repos; update any code paths that currently rely on isPublic (permission syncing/skipping logic) to account for isInternal and restore GitLab-internal access enforcement or implement syncing for internal repos.

@brendan-kellam brendan-kellam merged commit 6b0dea3 into main Feb 5, 2026
9 of 10 checks passed
@brendan-kellam brendan-kellam deleted the bkellam/fix-SOU-379 branch February 5, 2026 08:11