Commit 90ca01af authored by Alex Kalderimis

Fix overly aggressive prevent call

All we need to prevent when the user is the last owner is that they
cannot remove themselves, and leave the group unowned. The existing
call is too aggressive and prevents any action, even legitimate ones
like `:read_group`.

This change fixes that by naming the abilities we are trying to prevent.

This work was done as part of
https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40088, where
this caused a bug. Since it is isolated it can be pulled out.
parent 8b281570
...@@ -11,7 +11,10 @@ class GroupMemberPolicy < BasePolicy ...@@ -11,7 +11,10 @@ class GroupMemberPolicy < BasePolicy
condition(:is_target_user) { @user && @subject.user_id == @user.id } condition(:is_target_user) { @user && @subject.user_id == @user.id }
rule { anonymous }.prevent_all rule { anonymous }.prevent_all
rule { last_owner }.prevent_all rule { last_owner }.policy do
prevent :update_group_member
prevent :destroy_group_member
end
rule { can?(:admin_group_member) }.policy do rule { can?(:admin_group_member) }.policy do
enable :update_group_member enable :update_group_member
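Review bot: the narrowed rule is keyed on `last_owner` alone, not on `last_owner & is_target_user`, so it blocks `:update_group_member` and `:destroy_group_member` for any actor acting on the last owner's membership, not only for the owner removing themselves as the commit message describes. If self-removal is the intended scope, combine the conditions (`rule { last_owner & is_target_user }.policy do`); if the broader scope is intended (no one may demote or remove the last owner), the commit message should say so. Either way the change is safe with respect to the `can?(:admin_group_member)` rule below: in DeclarativePolicy a `prevent` takes precedence over an `enable` regardless of rule order, so admins of the group still cannot bypass it. Worth confirming that no other ability granted to this policy (previously caught by `prevent_all`) should also stay blocked for a last owner.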
......
---
title: Fix overly aggressive prevent call
merge_request: 47455
author:
type: fixed
...@@ -42,6 +42,7 @@ RSpec.describe GroupMemberPolicy do ...@@ -42,6 +42,7 @@ RSpec.describe GroupMemberPolicy do
it do it do
expect_disallowed(:destroy_group_member) expect_disallowed(:destroy_group_member)
expect_disallowed(:update_group_member) expect_disallowed(:update_group_member)
expect_allowed(:read_group)
end end
end end
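Review bot: the new `expect_allowed(:read_group)` is appended to an `it` that otherwise checks the two prevented abilities, so if the `prevent_all` regression ever returns, the failure is reported against an unnamed example alongside unrelated assertions. Giving the positive check its own example, e.g. `it { expect_allowed(:read_group) }`, or a description on the block makes the intent (last-owner status must not block abilities unrelated to membership changes) visible in spec output. Since `:read_group` is the only ability the commit message names, this single expectation is a reasonable regression guard, but any other ability previously swallowed by `prevent_all` goes unverified here.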
......