From 09da80c48c262c15d2294c5a5f03d4c52805c1d6 Mon Sep 17 00:00:00 2001
From: Lukas Wanko
Date: Tue, 21 Oct 2025 16:05:01 +0200
Subject: [PATCH] Allow Minimal Access group access for LDAP group links API

Changelog: changed
EE: true
---
 ee/lib/api/ldap_group_links.rb | 2 +-
 ee/spec/requests/api/ldap_group_links_spec.rb | 32 +++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/ee/lib/api/ldap_group_links.rb b/ee/lib/api/ldap_group_links.rb
index b1a77cf5c33de6..7c8285065166c4 100644
--- a/ee/lib/api/ldap_group_links.rb
+++ b/ee/lib/api/ldap_group_links.rb
@@ -45,7 +45,7 @@ class LdapGroupLinks < ::API::Base
 params do
 optional 'cn', type: String, desc: 'The CN of a LDAP group'
 optional 'filter', type: String, desc: 'The LDAP filter for the group'
- requires 'group_access', type: Integer, values: Gitlab::Access.all_values,
+ requires 'group_access', type: Integer, values: Gitlab::Access.values_with_minimal_access,
 desc: 'Access level for members of the LDAP group'
 requires 'provider', type: String, desc: 'LDAP provider for the LDAP group link'
 optional 'member_role_id', type: Integer, desc: 'The ID of the Member Role for members of the LDAP group'
diff --git a/ee/spec/requests/api/ldap_group_links_spec.rb b/ee/spec/requests/api/ldap_group_links_spec.rb
index 9660228ea56578..098b09f208f95e 100644
--- a/ee/spec/requests/api/ldap_group_links_spec.rb
+++ b/ee/spec/requests/api/ldap_group_links_spec.rb
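Review bot: The `values:` list on `requires 'group_access'` now admits the Minimal Access level for every caller of this endpoint, and nothing in the hunk ties that value to whether the Minimal Access role is actually available for the target group. If availability depends on licence or settings, that check has to be enforced in the model or service, which is outside this hunk. It is also not visible how the new base level combines with the optional `member_role_id` declared two lines below, so the permitted pairing should be validated or documented. The `desc` could name the newly accepted level, e.g. `desc: 'Access level for members of the LDAP group (Minimal Access is accepted)'`. The `params do` block continues past the end of the hunk.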
@@ -252,6 +252,38 @@
 end
 end
 end
+
+ it 'allows creating Minimal Access group access LDAP group links' do
+ expect do
+ post(
+ api("/groups/#{group_with_ldap_links.id}/ldap_group_links", owner),
+ params: {
+ cn: 'ldap-group',
+ group_access: ::Gitlab::Access::MINIMAL_ACCESS,
+ provider: 'ldap2'
+ }
+ )
+ end.to change { group_with_ldap_links.ldap_group_links.count }.by(1)
+
+ expect(response).to have_gitlab_http_status(:created)
+ expect(json_response['group_access']).to eq(::Gitlab::Access::MINIMAL_ACCESS)
+ end
+
+ it 'denies creating random group access LDAP group links' do
+ expect do
+ post(
+ api("/groups/#{group_with_ldap_links.id}/ldap_group_links", owner),
+ params: {
+ cn: 'ldap-group',
+ group_access: 111,
+ provider: 'ldap2'
+ }
+ )
+ end.not_to change { group_with_ldap_links.ldap_group_links.count }
+
+ expect(response).to have_gitlab_http_status(:bad_request)
+ expect(json_response['error']).to eq('group_access does not have a valid value')
+ end
 end

 describe 'DELETE /groups/:id/ldap_group_links/:cn' do
-- GitLab
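Review bot: The rejection spec probes only `group_access: 111`, which is far from the boundary this change moves. A case just below the new minimum, such as `group_access: ::Gitlab::Access::NO_ACCESS`, would pin that widening the list did not admit anything under Minimal Access. The success spec asserts on `json_response` only; an added expectation on the persisted record, e.g. `expect(group_with_ldap_links.ldap_group_links.last.group_access).to eq(::Gitlab::Access::MINIMAL_ACCESS)` (assuming the model exposes that attribute), would confirm the stored level as well. Both examples are the owner path, so if other roles can reach this endpoint a non-owner case belongs next to them. The enclosing `describe` opens outside the hunk.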