Merge branch 'security-subgroup-member-list-parent-group-member-14-10' into '14-10-stable-ee'

Subgroup member can list members of parent group See merge request gitlab-org/security/gitlab!2480

Merge branch 'security-subgroup-member-list-parent-group-member-14-10' into '14-10-stable-ee'
Subgroup member can list members of parent group See merge request gitlab-org/security/gitlab!2480
7d3860c3 · GitLab Release Tools Bot · 0c542486 · b59c49fa · 7d3860c3 · 7d3860c3
Commit 7d3860c3 authored Jun 01, 2022 by GitLab Release Tools Bot
9 changed files
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -67,6 +67,12 @@ class Groups::ApplicationController < ApplicationController
    end
  end

+  def authorize_read_group_member!
+    unless can?(current_user, :read_group_member, group)
+      render_403
+    end
+  end
+
  def build_canonical_path(group)
    params[:group_id] = group.to_param


--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -14,6 +14,7 @@ class Groups::GroupMembersController < Groups::ApplicationController

  # Authorize
  before_action :authorize_admin_group_member!, except: admin_not_required_endpoints
+  before_action :authorize_read_group_member!, only: :index

  skip_before_action :check_two_factor_requirement, only: :leave
  skip_cross_project_access_check :index, :update, :destroy, :request_access,

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -22,6 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
  condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
  condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
+  condition(:can_read_group_member) { can_read_group_member? }

  desc "User is a project bot"
  condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
@@ -127,6 +128,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy

  rule { ~public_group & ~has_access }.prevent :read_counts

+  rule { ~can_read_group_member }.policy do
+    prevent :read_group_member
+  end
+
  rule { ~can?(:read_group) }.policy do
    prevent :read_design_activity
  end
@@ -308,6 +313,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
    true
  end

+  def can_read_group_member?
+    !(@subject.private? && access_level == GroupMember::NO_ACCESS)
+  end
+
  def resource_access_token_creation_allowed?
    resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
  end

--- a/doc/user/group/subgroups/index.md
+++ b/doc/user/group/subgroups/index.md
@@ -93,6 +93,9 @@ For more information, view the [permissions table](../../permissions.md#group-me

 ## Subgroup membership

+NOTE:
+There is a bug that causes some pages in the parent group to be accessible by subgroup members. For more details, see [this issue](https://gitlab.com/gitlab-org/gitlab/-/issues/340421).
+
 When you add a member to a group, that member is also added to all subgroups. The user's permissions are inherited from
 the group's parent.


--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -433,6 +433,13 @@ module EE
      super
    end

+    override :can_read_group_member?
+    def can_read_group_member?
+      return true if user&.can_read_all_resources?
+
+      super
+    end
+
    def ldap_lock_bypassable?
      return false unless ::Feature.enabled?(:ldap_settings_unlock_groups_by_owners)
      return false unless ::Gitlab::CurrentSettings.allow_group_owners_to_manage_ldap?

--- a/lib/api/helpers/members_helpers.rb
+++ b/lib/api/helpers/members_helpers.rb
@@ -15,6 +15,10 @@ module API
        public_send("find_#{source_type}!", id) # rubocop:disable GitlabSecurity/PublicSend
      end

+      def authorize_read_source_member!(source_type, source)
+        authorize! :"read_#{source_type}_member", source
+      end
+
      def authorize_admin_source!(source_type, source)
        authorize! :"admin_#{source_type}", source
      end

--- a/lib/api/members.rb
+++ b/lib/api/members.rb
@@ -30,6 +30,8 @@ module API
        get ":id/members" do
          source = find_source(source_type, params[:id])

+          authorize_read_source_member!(source_type, source)
+
          members = paginate(retrieve_members(source, params: params))

          present_members members
@@ -49,6 +51,8 @@ module API
        get ":id/members/all" do
          source = find_source(source_type, params[:id])

+          authorize_read_source_member!(source_type, source)
+
          members = paginate(retrieve_members(source, params: params, deep: true))

          present_members members
@@ -64,6 +68,8 @@ module API
        get ":id/members/:user_id" do
          source = find_source(source_type, params[:id])

+          authorize_read_source_member!(source_type, source)
+
          members = source_members(source)
          member = members.find_by!(user_id: params[:user_id])

@@ -81,6 +87,8 @@ module API
        get ":id/members/all/:user_id" do
          source = find_source(source_type, params[:id])

+          authorize_read_source_member!(source_type, source)
+
          members = find_all_members(source)
          member = members.find_by!(user_id: params[:user_id])


--- a/spec/features/security/group/private_access_spec.rb
+++ b/spec/features/security/group/private_access_spec.rb
@@ -97,7 +97,7 @@ RSpec.describe 'Private Group access' do
    it { is_expected.to be_allowed_for(:developer).of(group) }
    it { is_expected.to be_allowed_for(:reporter).of(group) }
    it { is_expected.to be_allowed_for(:guest).of(group) }
-    it { is_expected.to be_allowed_for(project_guest) }
+    it { is_expected.to be_denied_for(project_guest) }
    it { is_expected.to be_denied_for(:user) }
    it { is_expected.to be_denied_for(:external) }
    it { is_expected.to be_denied_for(:visitor) }

--- a/spec/requests/api/members_spec.rb
+++ b/spec/requests/api/members_spec.rb
@@ -184,6 +184,21 @@ RSpec.describe API::Members do
      expect(json_response).to be_an Array
      expect(json_response.map { |u| u['id'] }).to match_array [maintainer.id, developer.id, nested_user.id]
    end
+
+    context 'with a subgroup' do
+      let(:group) { create(:group, :private)}
+      let(:subgroup) { create(:group, :private, parent: group)}
+      let(:project) { create(:project, group: subgroup) }
+
+      before do
+        subgroup.add_developer(developer)
+      end
+
+      it 'subgroup member cannot get parent group members list' do
+        get api("/groups/#{group.id}/members/all", developer)
+        expect(response).to have_gitlab_http_status(:forbidden)
+      end
+    end
  end

  shared_examples 'GET /:source_type/:id/members/(all/):user_id' do |source_type, all|