Commit 33070084 authored by Douwe Maan's avatar Douwe Maan

Merge branch 'admin-group-member' into 'master'

Add specific ability for managing group members

To be used for https://dev.gitlab.org/gitlab/gitlab-ee/issues/290 (Internal issue)

See merge request !1059
parents 7a048cf4 0736f348
......@@ -18,4 +18,10 @@ class Groups::ApplicationController < ApplicationController
return render_404
end
end
def authorize_admin_group_member!
unless can?(current_user, :admin_group_member, group)
return render_403
end
end
end
......@@ -5,6 +5,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
# Authorize
before_action :authorize_read_group!
before_action :authorize_admin_group!, except: [:index, :leave]
before_action :authorize_admin_group_member!, only: [:create, :resend_invite]
def index
@project = @group.projects.find(params[:project_id]) if params[:project_id]
......@@ -28,6 +29,9 @@ class Groups::GroupMembersController < Groups::ApplicationController
def update
@member = @group.group_members.find(params[:id])
return render_403 unless can?(current_user, :update_group_member, @member)
@member.update_attributes(member_params)
end
......
......@@ -233,7 +233,8 @@ class Ability
if group.has_owner?(user) || user.admin?
rules.push(*[
:admin_group,
:admin_namespace
:admin_namespace,
:admin_group_member
])
end
......@@ -295,7 +296,7 @@ class Ability
rules = []
target_user = subject.user
group = subject.group
can_manage = group_abilities(user, group).include?(:admin_group)
can_manage = group_abilities(user, group).include?(:admin_group_member)
if can_manage && (user != target_user)
rules << :update_group_member
......
......@@ -51,6 +51,7 @@
= paginate @projects, param_name: 'projects_page', theme: 'gitlab'
.col-md-6
- if can?(current_user, :admin_group_member, @group)
.panel.panel-default
.panel-heading
Add user(s) to the group:
......@@ -86,6 +87,7 @@
(invited)
%span.pull-right.light
= member.human_access
- if can?(current_user, :destroy_group_member, member)
= link_to group_group_member_path(@group, member), data: { confirm: remove_user_from_group_message(@group, member) }, method: :delete, remote: true, class: "btn-xs btn btn-remove", title: 'Remove user from group' do
%i.fa.fa-minus.fa-inverse
.panel-footer
......
......@@ -24,7 +24,7 @@
= link_to member.created_by.name, user_path(member.created_by)
= time_ago_with_tooltip(member.created_at)
- if show_controls && can?(current_user, :admin_group, @group)
- if show_controls && can?(current_user, :admin_group_member, member)
= link_to resend_invite_group_group_member_path(@group, member), method: :post, class: "btn-xs btn", title: 'Resend invite' do
Resend invite
......
......@@ -17,7 +17,7 @@
= search_field_tag :search, params[:search], { placeholder: 'Find existing member by name', class: 'form-control search-text-input' }
= button_tag 'Search', class: 'btn'
- if current_user && current_user.can?(:admin_group, @group)
- if current_user && current_user.can?(:admin_group_member, @group)
.pull-right
= button_tag class: 'btn btn-new js-toggle-button', type: 'button' do
Add members
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment