- Source: GL_InstanceRole, GL_GroupRole
- Destination: GL_Instance, GL_Group

The non-traversable GL_CanCreateProject edge has two forms:

- GL_InstanceRole → GL_Instance: The instance-level Member role is allowed to create projects anywhere the member has a namespace (personal or group). This is the default for active members and is controlled by the instance-level project creation settings.
- GL_GroupRole → GL_Group: The role grants permission to create projects within this group. The Developer role and above typically have this permission.

Although non-traversable, this edge is relevant for Renovate invite-and-takeover attack paths: a user who can create a project can host a Renovate configuration that lures the self-hosted Renovate bot.

```mermaid
graph LR
    member("fa:fa-user-tie GL_InstanceRole Member")
    instance("fa:fa-building GL_Instance")
    devRole("fa:fa-user-tie GL_GroupRole myorg/Developer")
    group("fa:fa-user-group GL_Group myorg")
    member -.->|GL_CanCreateProject| instance
    devRole -.->|GL_CanCreateProject| group
```
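
For auditing which group roles would carry the GL_GroupRole → GL_Group form of this edge, the sketch below derives the edges from each group's `project_creation_level` attribute as returned by the GitLab groups API. It is an added example, not the collector's own code; the assumption that the edge follows this setting, the `group/Role` naming taken from the diagram, and the sample records are all constructed for illustration.

```python
# Added example (not the collector's code). Assumption: the group-level edge
# follows the group's project_creation_level setting from the GitLab groups API.
ACCESS_LEVELS = {"Guest": 10, "Reporter": 20, "Developer": 30,
                 "Maintainer": 40, "Owner": 50}

# Minimum access level per setting value handled here; None means nobody.
MIN_LEVEL = {"developer": 30, "maintainer": 40, "noone": None}

def can_create_project_edges(groups):
    """Return (edges, needs_review).

    edges: (GL_GroupRole name, "GL_CanCreateProject", GL_Group path) tuples.
    needs_review: groups whose setting is unset (inherited from the instance)
    or not recognised, reported rather than guessed.
    """
    edges, needs_review = [], []
    for group in groups:
        path = group["full_path"]
        setting = group.get("project_creation_level")
        if setting not in MIN_LEVEL:
            needs_review.append(path)
            continue
        minimum = MIN_LEVEL[setting]
        if minimum is None:
            continue  # project creation disabled: no role gets the edge
        for role, level in ACCESS_LEVELS.items():
            if level >= minimum:
                edges.append((f"{path}/{role}", "GL_CanCreateProject", path))
    return edges, needs_review

# Constructed sample records shaped like GET /groups responses (trimmed).
SAMPLE_GROUPS = [
    {"full_path": "myorg", "project_creation_level": "developer"},
    {"full_path": "myorg/infra", "project_creation_level": "maintainer"},
    {"full_path": "sandbox", "project_creation_level": "noone"},
    {"full_path": "legacy", "project_creation_level": None},
]

if __name__ == "__main__":
    found, review = can_create_project_edges(SAMPLE_GROUPS)
    for src, kind, dst in found:
        print(f"{src} -[{kind}]-> {dst}")
    print("review manually:", review)
```

Groups listed for manual review inherit the instance-level project creation setting or use a value this sketch does not map, so check them against the instance configuration.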