Commit 19b80e82 authored by Rémy Coutable's avatar Rémy Coutable

Add a migration to remove requesters that are owners of their project

Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent 9ea80a19
...@@ -171,14 +171,9 @@ class Ability ...@@ -171,14 +171,9 @@ class Ability
# Allow to read builds for internal projects # Allow to read builds for internal projects
rules << :read_build if project.public_builds? rules << :read_build if project.public_builds?
group_member = unless owner || project.team.member?(user) || project_group_member?(project, user)
project.group && rules << :request_access
( end
project.group.members.exists?(user_id: user.id) ||
project.group.requesters.exists?(user_id: user.id)
)
rules << :request_access unless owner || group_member || project.team.member?(user)
end end
if project.archived? if project.archived?
...@@ -501,8 +496,7 @@ class Ability ...@@ -501,8 +496,7 @@ class Ability
target_user = subject.user target_user = subject.user
project = subject.project project = subject.project
# Allow owners that requested access to their own project to destroy themselves unless target_user == project.owner
if target_user != project.owner || subject.request?
can_manage = project_abilities(user, project).include?(:admin_project_member) can_manage = project_abilities(user, project).include?(:admin_project_member)
if can_manage if can_manage
...@@ -582,5 +576,13 @@ class Ability ...@@ -582,5 +576,13 @@ class Ability
rules rules
end end
def project_group_member?(project, user)
project.group &&
(
project.group.members.exists?(user_id: user.id) ||
project.group.requesters.exists?(user_id: user.id)
)
end
end end
end end
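Review bot: `project_group_member?`, added in the last hunk, also returns true for users who only have a pending access request on the group (`project.group.requesters.exists?`), so the name overstates what it checks. That is harmless for the one visible caller, which only decides whether to offer `:request_access`, but a later caller using it as a membership test when granting an ability would treat unapproved requesters as members. I would rename it to something like `project_group_member_or_requester?`, or add a comment above it such as `# True for group members AND pending requesters; do not use to grant access.` It also returns nil rather than false when the project has no group, and the hunk does not show whether the method sits under a `private` section.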
class RemoveRequestersThatAreOwners < ActiveRecord::Migration
include Gitlab::Database::MigrationHelpers
def up
# Delete requesters that are owner of their projects and actually requested
# access to it
execute <<-SQL
DELETE FROM members
WHERE members.source_type = 'Project'
AND members.type = 'ProjectMember'
AND members.requested_at IS NOT NULL
AND members.user_id = (
SELECT namespaces.owner_id
FROM namespaces
JOIN projects ON namespaces.id = projects.namespace_id
WHERE namespaces.type IS NULL
AND projects.id = members.source_id
AND namespaces.owner_id = members.user_id);
SQL
# Delete requesters that are owner of their project's group and actually requested
# access to it
execute <<-SQL
DELETE FROM members
WHERE members.source_type = 'Project'
AND members.type = 'ProjectMember'
AND members.requested_at IS NOT NULL
AND members.user_id = (
SELECT namespaces.owner_id
FROM namespaces
JOIN projects ON namespaces.id = projects.namespace_id
WHERE namespaces.type = 'Group'
AND projects.id = members.source_id
AND namespaces.owner_id = members.user_id);
SQL
end
def down
end
end
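Review bot: `down` is empty although `up` permanently deletes rows from `members`, so a rollback reports success without restoring anything. A comment in `down` such as `# Deleted access requests cannot be restored; rollback is intentionally a no-op.` (or raising `ActiveRecord::IrreversibleMigration`) would make that explicit. The second DELETE depends on `namespaces.owner_id` being populated for rows with `type = 'Group'`. If group ownership is recorded through membership rows instead, which this page does not show, that statement matches nothing and owner requests on group projects stay in place, so it is worth confirming against real data. `include Gitlab::Database::MigrationHelpers` appears unused in the visible code.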
...@@ -11,7 +11,7 @@ ...@@ -11,7 +11,7 @@
# #
# It's strongly recommended that you check this file into your version control system. # It's strongly recommended that you check this file into your version control system.
ActiveRecord::Schema.define(version: 20160703180340) do ActiveRecord::Schema.define(version: 20160705163108) do
# These are extensions that must be enabled in order to support this database # These are extensions that must be enabled in order to support this database
enable_extension "plpgsql" enable_extension "plpgsql"
......