When a user is authorized to a group, they are also authorized to see all the
ancestor groups and descendant groups.

When a user is authorized to a project, they are authorized to see all the
ancestor groups too.

Closes #32135

See merge request !11764

In order to avoid string manipulation or modify route params (to make them unambiguous for `url_for`), we are accepting a behavior change:

When being redirected to the canonical path for a group, if you requested a group show path starting with `/groups/…` then you’ll now be redirected to the group at root `/…`.

Don’t replace a substring of the path if it is part of the top level route.

E.g. When redirecting from `/groups/ups` to `/groups/foo`, be careful not to do `/grofoo/ups`.

Projects are unaffected by this issue, but I am grouping the `#ensure_canonical_path` tests similar to the group and user tests.

This hides/disables some UI elements and API parameters related to
nested groups when MySQL is used, since nested groups are not supported
for MySQL.

Use the EnforcedStyleForMultiline: no_comma option.
Signed-off-by: NRémy Coutable <remy@rymai.me>

Use GroupsFinder to find subgroups the user has access to

See merge request !2096

There is a race condition in DestroyGroupService now that projects are deleted asynchronously:

1. User attempts to delete group
2. DestroyGroupService iterates through all projects and schedules a Sidekiq job to delete each Project
3. DestroyGroupService destroys the Group, leaving all its projects without a namespace
4. Projects::DestroyService runs later but the can?(current_user,
   :remove_project) is `false` because the user no longer has permission to
   destroy projects with no namespace.
5. This leaves the project in pending_delete state with no namespace/group.

Projects without a namespace or group also adds another problem: it's not possible to destroy the container
registry tags, since container_registry_path_with_namespace is the wrong value.

The fix is to destroy the group asynchronously and to run execute directly on Projects::DestroyService.

Closes #17893

The `non_archived` scope applied here
https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/conc
erns/issues_action.rb#L5 overrides the previous `ORDER BY` applied
inside the IssuesFinder, with the default scope of the Project model,
resulting in SQL errors.

Prevent Groups to have smaller visibility than projects
Add default_group_visibility_level to configuration
Code improvements

The route is supposed to redirect the Groups#index request based on
whether or not a user was logged in. If they are, we redirect them to
their groups dashboard; if they're not, we redirect them to the public
Explore page.

But due to overly aggressive `before_action`s that weren't excluding the
`index` action, the request always resulted in a 404, whether a user was
logged in or not.

Closes #12660