Merge branch 'ldap-sync-group-members' into 'master'

Disable adding, updating and removing members from a group that is synced with LDAP. Addresses #290. See merge request !465

Merge branch 'ldap-sync-group-members' into 'master'
Disable adding, updating and removing members from a group that is synced with LDAP. Addresses #290. See merge request !465
1f9487f7 · Robert Speicher · a9d61ee0 · d6222d22 · 1f9487f7 · 1f9487f7
Commit 1f9487f7 authored Aug 09, 2015 by Robert Speicher
4 changed files
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
 v 7.14
+  - Disable adding, updating and removing members from a group that is synced with LDAP
  - Don't send "Added to group" notifications when group is LDAP synched
  - Automatic approver suggestions (based on an authority of the code)  


--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -252,6 +252,10 @@ class Ability
          :admin_namespace,
          :admin_group_member
        ])
+
+        unless group.ldap_synced?
+          rules << :admin_group_member
+        end
      end

      rules.flatten

--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -124,7 +124,7 @@ class Group < Namespace
  end

  def ldap_synced?
-    ldap_cn.present?
+    Gitlab.config.ldap.enabled && ldap_cn.present?
  end

  def post_create_hook

--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -19,7 +19,7 @@

  - if current_user && current_user.can?(:admin_group_member, @group)
    .pull-right
-      - if ldap_enabled? && @group.ldap_group_links.any?
+      - if @group.ldap_synced?
        = link_to reset_access_group_ldap_path(@group), class: 'btn btn-grouped', data: { confirm: "Force GitLab to do LDAP permission checks for all group members? All members besides yourself will be reduced to 'Guest' access until their next interaction with GitLab." }, method: :put do
          Clear LDAP permission cache

@@ -30,9 +30,9 @@
    .js-toggle-content.hide.new-group-member-holder
      = render "new_group_member"

- if ldap_enabled? && @group.ldap_group_links.any?
+- if @group.ldap_synced?
  .bs-callout.bs-callout-info
-    The members of this group are sync with LDAP.
+    The members of this group are managed using LDAP and cannot be added, changed or removed here.
    Because LDAP permissions in GitLab get updated one user at a time and because GitLab caches LDAP check results, changes on your LDAP server or in this group's LDAP sync settings may take up to #{Gitlab.config.ldap['sync_time']}s to show in the list below.
    %ul
      - @group.ldap_group_links.each do |ldap_group_link|