Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
6c577346
Commit
6c577346
authored
Sep 01, 2017
by
Michael Kozono
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Enforce share_with_group_lock rules
…in Groups::UpdateService instead of only in the browser.
parent
1cc7f4a4
Changes
4
Show whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
104 additions
and
1 deletion
+104
-1
app/policies/group_policy.rb
app/policies/group_policy.rb
+5
-0
app/services/groups/update_service.rb
app/services/groups/update_service.rb
+17
-1
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+48
-0
spec/services/groups/update_service_spec.rb
spec/services/groups/update_service_spec.rb
+34
-0
No files found.
app/policies/group_policy.rb
View file @
6c577346
...
...
@@ -15,6 +15,9 @@ class GroupPolicy < BasePolicy
condition
(
:nested_groups_supported
,
scope: :global
)
{
Group
.
supports_nested_groups?
}
condition
(
:parent_share_locked
)
{
@subject
.
has_parent?
&&
@subject
.
parent
.
share_with_group_lock?
}
condition
(
:parent_owner
)
{
@subject
.
has_parent?
&&
@subject
.
parent
.
has_owner?
(
@user
)
}
condition
(
:has_projects
)
do
GroupProjectsFinder
.
new
(
group:
@subject
,
current_user:
@user
).
execute
.
any?
end
...
...
@@ -54,6 +57,8 @@ class GroupPolicy < BasePolicy
rule
{
~
can?
(
:view_globally
)
}.
prevent
:request_access
rule
{
has_access
}.
prevent
:request_access
rule
{
owner
&
(
~
parent_share_locked
|
parent_owner
)
}.
enable
:change_share_with_group_lock
def
access_level
return
GroupMember
::
NO_ACCESS
if
@user
.
nil?
...
...
app/services/groups/update_service.rb
View file @
6c577346
...
...
@@ -10,10 +10,12 @@ module Groups
Gitlab
::
VisibilityLevel
.
allowed_for?
(
current_user
,
new_visibility
)
deny_visibility_level
(
group
,
new_visibility
)
return
group
return
false
end
end
return
false
unless
valid_share_with_group_lock_change?
group
.
assign_attributes
(
params
)
begin
...
...
@@ -30,5 +32,19 @@ module Groups
def
reject_parent_id!
params
.
except!
(
:parent_id
)
end
def
valid_share_with_group_lock_change?
return
true
unless
changing_share_with_group_lock?
return
true
if
can?
(
current_user
,
:change_share_with_group_lock
,
group
)
group
.
errors
.
add
(
:share_with_group_lock
,
'cannot be disabled when the parent group Share lock is enabled, except by the owner of the parent group'
)
false
end
def
changing_share_with_group_lock?
return
false
if
params
[
:share_with_group_lock
].
nil?
params
[
:share_with_group_lock
]
!=
group
.
share_with_group_lock
end
end
end
spec/policies/group_policy_spec.rb
View file @
6c577346
...
...
@@ -242,4 +242,52 @@ describe GroupPolicy do
end
end
end
describe
'change_share_with_group_lock'
do
context
'when the group has a parent'
do
let
(
:group
)
{
create
(
:group
,
parent:
parent
)
}
context
'when the parent share_with_group_lock is enabled'
do
let
(
:parent
)
{
create
(
:group
,
share_with_group_lock:
true
)
}
let
(
:current_user
)
{
owner
}
context
'when current_user owns the parent'
do
before
do
parent
.
add_owner
(
owner
)
end
it
{
expect_allowed
(
:change_share_with_group_lock
)
}
end
context
'when current_user owns the group but not the parent'
do
it
{
expect_disallowed
(
:change_share_with_group_lock
)
}
end
end
context
'when the parent share_with_group_lock is disabled'
do
let
(
:parent
)
{
create
(
:group
)
}
let
(
:current_user
)
{
owner
}
context
'when current_user owns the parent'
do
before
do
parent
.
add_owner
(
owner
)
end
it
{
expect_allowed
(
:change_share_with_group_lock
)
}
end
context
'when current_user owns the group but not the parent'
do
it
{
expect_allowed
(
:change_share_with_group_lock
)
}
end
end
end
context
'when the group does not have a parent'
do
context
'when current_user owns the group'
do
let
(
:current_user
)
{
owner
}
it
{
expect_allowed
(
:change_share_with_group_lock
)
}
end
end
end
end
spec/services/groups/update_service_spec.rb
View file @
6c577346
...
...
@@ -100,4 +100,38 @@ describe Groups::UpdateService do
end
end
end
context
'for a subgroup'
do
let
(
:subgroup
)
{
create
(
:group
,
:private
,
parent:
private_group
)
}
context
'when the parent group share_with_group_lock is enabled'
do
before
do
private_group
.
update_column
(
:share_with_group_lock
,
true
)
end
context
'for the parent group owner'
do
it
'allows disabling share_with_group_lock'
do
private_group
.
add_owner
(
user
)
result
=
described_class
.
new
(
subgroup
,
user
,
share_with_group_lock:
false
).
execute
expect
(
result
).
to
be_truthy
expect
(
subgroup
.
reload
.
share_with_group_lock
).
to
be_falsey
end
end
context
'for a subgroup owner (who does not own the parent)'
do
it
'does not allow disabling share_with_group_lock'
do
subgroup_owner
=
create
(
:user
)
subgroup
.
add_owner
(
subgroup_owner
)
result
=
described_class
.
new
(
subgroup
,
subgroup_owner
,
share_with_group_lock:
false
).
execute
expect
(
result
).
to
be_falsey
expect
(
subgroup
.
errors
.
full_messages
.
first
).
to
match
(
/cannot be disabled when the parent group Share lock is enabled, except by the owner of the parent group/
)
expect
(
subgroup
.
reload
.
share_with_group_lock
).
to
be_truthy
end
end
end
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment