Add new unassigned access role

Add comment to mark one line as proof of concept Change validation call Filter limited access users for project members finder In some finders, we want to limit users to active ones. Add specs for creating project authorizations As we create authorizations in different places, we need to add specs in different places to cover all the cases. Change scope definition Fix the spec naming Big rename to unassigned Change all limited_access naming to unassigned Fix rubocop error Fix naming Filter out unassigned from groupmembers finder Modify spec to reflect changes made in group members finder Add new option to member associations in UI And stop displaying unassigned members on group page Fix project presenter problem

Add new unassigned access role
Add comment to mark one line as proof of concept Change validation call Filter limited access users for project members finder In some finders, we want to limit users to active ones. Add specs for creating project authorizations As we create authorizations in different places, we need to add specs in different places to cover all the cases. Change scope definition Fix the spec naming Big rename to unassigned Change all limited_access naming to unassigned Fix rubocop error Fix naming Filter out unassigned from groupmembers finder Modify spec to reflect changes made in group members finder Add new option to member associations in UI And stop displaying unassigned members on group page Fix project presenter problem
c1714845 · Małgorzata Ksionek · Jan Provaznik · 975df9c4 · c1714845 · c1714845
Commit c1714845 authored Jun 18, 2020 by Małgorzata Ksionek Committed by Jan Provaznik Sep 10, 2020
24 changed files
--- a/app/finders/group_members_finder.rb
+++ b/app/finders/group_members_finder.rb
@@ -19,7 +19,7 @@ class GroupMembersFinder < UnionFinder
  # rubocop: disable CodeReuse/ActiveRecord
  def execute(include_relations: [:inherited, :direct])
-    group_members = group.members
+    group_members = group.members.non_unassigned
    relations = []
    return group_members if include_relations == [:direct]
@@ -27,7 +27,7 @@ class GroupMembersFinder < UnionFinder
    relations << group_members if include_relations.include?(:direct)
    if include_relations.include?(:inherited) && group.parent
-      parents_members = GroupMember.non_request
+      parents_members = GroupMember.non_request.non_unassigned
        .where(source_id: group.ancestors.select(:id))
        .where.not(user_id: group.users.select(:id))
@@ -35,7 +35,7 @@ class GroupMembersFinder < UnionFinder
    end
    if include_relations.include?(:descendants)
-      descendant_members = GroupMember.non_request
+      descendant_members = GroupMember.non_request.non_unassigned
        .where(source_id: group.descendants.select(:id))
        .where.not(user_id: group.users.select(:id))

--- a/app/finders/members_finder.rb
+++ b/app/finders/members_finder.rb
@@ -63,7 +63,7 @@ class MembersFinder
  def direct_group_members(include_descendants)
    requested_relations = [:inherited, :direct]
    requested_relations << :descendants if include_descendants
-    GroupMembersFinder.new(group).execute(include_relations: requested_relations).non_invite # rubocop: disable CodeReuse/Finder
+    GroupMembersFinder.new(group).execute(include_relations: requested_relations).non_invite.non_unassigned # rubocop: disable CodeReuse/Finder
  end
  def project_invited_groups_members
@@ -73,7 +73,7 @@ class MembersFinder
      .public_or_visible_to_user(current_user)
      .select(:id)
-    GroupMember.with_source_id(invited_groups_ids_including_ancestors)
+    GroupMember.with_source_id(invited_groups_ids_including_ancestors).non_unassigned
  end
  def distinct_union_of_members(union_members)

--- a/app/helpers/groups/group_members_helper.rb
+++ b/app/helpers/groups/group_members_helper.rb
@@ -6,7 +6,11 @@ module Groups::GroupMembersHelper
  end
  def render_invite_member_for_group(group, default_access_level)
-    render 'shared/members/invite_member', submit_url: group_group_members_path(group), access_levels: GroupMember.access_level_roles, default_access_level: default_access_level
+    render 'shared/members/invite_member', submit_url: group_group_members_path(group), access_levels: access_level_roles(group), default_access_level: default_access_level
+  end
+  def access_level_roles(group)
+    GroupMember.access_level_roles
  end
 end

--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -268,7 +268,7 @@ class Group < Namespace
    add_user(user, :owner, current_user: current_user)
  end
-  def member?(user, min_access_level = Gitlab::Access::GUEST)
+  def member?(user, min_access_level = Gitlab::Access::UNASSIGNED)
    return false unless user
    max_member_access_for_user(user) >= min_access_level
@@ -326,7 +326,7 @@ class Group < Namespace
  # rubocop: enable CodeReuse/ServiceClass
  def user_ids_for_project_authorizations
-    members_with_parents.pluck(:user_id)
+    members_with_parents.where.not(access_level: Gitlab::Access::UNASSIGNED).pluck(:user_id)
  end
  def self_and_ancestors_ids
@@ -352,7 +352,7 @@ class Group < Namespace
  end
  def members_from_self_and_ancestors_with_effective_access_level
-    members_with_parents.select([:user_id, 'MAX(access_level) AS access_level'])
+    members_with_parents.non_unassigned.select([:user_id, 'MAX(access_level) AS access_level'])
                        .group(:user_id)
  end

--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -25,7 +25,6 @@ class Member < ApplicationRecord
  validates :user_id, uniqueness: { scope: [:source_type, :source_id],
                                    message: "already exists in source",
                                    allow_nil: true }
-  validates :access_level, inclusion: { in: Gitlab::Access.all_values }, presence: true
  validate :higher_access_level_than_group, unless: :importing?
  validates :invite_email,
    presence: {
@@ -85,6 +84,7 @@ class Member < ApplicationRecord
  scope :developers, -> { active.where(access_level: DEVELOPER) }
  scope :maintainers, -> { active.where(access_level: MAINTAINER) }
  scope :non_guests, -> { where('members.access_level > ?', GUEST) }
+  scope :non_unassigned, -> { where('members.access_level > ?', UNASSIGNED) }
  scope :owners, -> { active.where(access_level: OWNER) }
  scope :owners_and_maintainers, -> { active.where(access_level: [OWNER, MAINTAINER]) }
  scope :with_user, -> (user) { where(user: user) }

--- a/app/models/members/group_member.rb
+++ b/app/models/members/group_member.rb
@@ -13,6 +13,8 @@ class GroupMember < Member
  # Make sure group member points only to group as it source
  default_value_for :source_type, SOURCE_TYPE
  validates :source_type, format: { with: /\ANamespace\z/ }
+  validates :access_level, inclusion: { in: Gitlab::Access.values_with_limited }, presence: true
  default_scope { where(source_type: SOURCE_TYPE) } # rubocop:disable Cop/DefaultScope
  scope :of_groups, ->(groups) { where(source_id: groups.select(:id)) }

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -120,7 +120,7 @@ class User < ApplicationRecord
  # Groups
  has_many :members
-  has_many :group_members, -> { where(requested_at: nil) }, source: 'GroupMember'
+  has_many :group_members, -> { where(requested_at: nil).where("access_level >= ?", Gitlab::Access::GUEST) }, source: 'GroupMember'
  has_many :groups, through: :group_members
  has_many :owned_groups, -> { where(members: { access_level: Gitlab::Access::OWNER }) }, through: :group_members, source: :group
  has_many :maintainers_groups, -> { where(members: { access_level: Gitlab::Access::MAINTAINER }) }, through: :group_members, source: :group
@@ -134,6 +134,8 @@ class User < ApplicationRecord
           -> { where(members: { access_level: [Gitlab::Access::REPORTER, Gitlab::Access::DEVELOPER, Gitlab::Access::MAINTAINER, Gitlab::Access::OWNER] }) },
           through: :group_members,
           source: :group
+  has_many :unassigned_group_members, -> { where(access_level: [Gitlab::Access::UNASSIGNED]) }, source: 'GroupMember', class_name: 'GroupMember'
+  has_many :unassigned_groups, through: :unassigned_group_members, source: :group
  # Projects
  has_many :groups_projects,          through: :groups, source: :projects
@@ -890,6 +892,7 @@ class User < ApplicationRecord
    Group.unscoped do
      Group.from_union([
        groups,
+        unassigned_groups,
        authorized_projects.joins(:namespace).select('namespaces.*')
      ])
    end

--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -12,6 +12,7 @@ class GroupPolicy < BasePolicy
  condition(:has_access) { access_level != GroupMember::NO_ACCESS }
+  condition(:unassigned) { access_level >= GroupMember::UNASSIGNED }
  condition(:guest) { access_level >= GroupMember::GUEST }
  condition(:developer) { access_level >= GroupMember::DEVELOPER }
  condition(:owner) { access_level >= GroupMember::OWNER }

--- a/ee/app/helpers/ee/groups/group_members_helper.rb
+++ b/ee/app/helpers/ee/groups/group_members_helper.rb
@@ -7,4 +7,12 @@ module EE::Groups::GroupMembersHelper
  def group_member_select_options
    super.merge(skip_ldap: @group.ldap_synced?)
  end
+  override :access_level_roles
+  def access_level_roles(group)
+    levels = GroupMember.access_level_roles
+    return levels if group.unassigned_role_allowed?
+    levels.except("Unassigned")
+  end
 end
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -401,6 +401,10 @@ module EE
      root_ancestor.saml_provider&.prohibited_outer_forks?
    end
+    def unassigned_role_allowed?
+      feature_available?(:unassigned_role) && !has_parent?
+    end
    private
    def custom_project_templates_group_allowed

--- a/ee/app/models/ee/group_member.rb
+++ b/ee/app/models/ee/group_member.rb
@@ -26,9 +26,16 @@ module EE
    end
    class_methods do
+      extend ::Gitlab::Utils::Override
      def member_of_group?(group, user)
        exists?(group: group, user: user)
      end
+      override :access_level_roles
+      def access_level_roles
+        ::Gitlab::Access.options_with_unassigned
+      end
    end
    def group_has_domain_limitations?

--- a/ee/app/models/license.rb
+++ b/ee/app/models/license.rb
@@ -108,6 +108,7 @@ class License < ApplicationRecord
    smartcard_auth
    group_timelogs
    type_of_work_analytics
+    unassigned_role
    unprotection_restrictions
    ci_project_subscriptions
  ]

--- a/ee/app/presenters/ee/member_presenter.rb
+++ b/ee/app/presenters/ee/member_presenter.rb
@@ -13,10 +13,21 @@ module EE
      can?(current_user, override_member_permission, member)
    end
+    override :valid_level_roles
+    def valid_level_roles
+      return super if member.source.is_a?(Project) || source_allows_unassigned_role?(member)
+      super.except("Unassigned")
+    end
    private
    def override_member_permission
      raise NotImplementedError
    end
+    def source_allows_unassigned_role?(member)
+      member.source.unassigned_role_allowed?
+    end
  end
 end
--- a/ee/lib/ee/gitlab/access.rb
+++ b/ee/lib/ee/gitlab/access.rb
@@ -15,6 +15,12 @@ module EE
        def vulnerability_access_levels
          @vulnerability_access_levels ||= options_with_owner.except('Guest')
        end
+        def options_with_unassigned
+          options_with_owner.merge(
+            "Unassigned" => ::Gitlab::Access::UNASSIGNED
+          )
+        end
      end
    end
  end

--- a/lib/gitlab/access.rb
+++ b/lib/gitlab/access.rb
@@ -9,12 +9,13 @@ module Gitlab
  module Access
    AccessDeniedError = Class.new(StandardError)
-    NO_ACCESS  = 0
+    NO_ACCESS      = 0
-    GUEST      = 10
+    UNASSIGNED     = 5
-    REPORTER   = 20
+    GUEST          = 10
-    DEVELOPER  = 30
+    REPORTER       = 20
-    MAINTAINER = 40
+    DEVELOPER      = 30
-    OWNER      = 50
+    MAINTAINER     = 40
+    OWNER          = 50
    # Branch protection settings
    PROTECTION_NONE          = 0
@@ -38,12 +39,16 @@ module Gitlab
        options_with_owner.values
      end
+      def values_with_limited
+        options_with_unassigned.values
+      end
      def options
        {
-          "Guest"      => GUEST,
+          "Guest"          => GUEST,
-          "Reporter"   => REPORTER,
+          "Reporter"       => REPORTER,
-          "Developer"  => DEVELOPER,
+          "Developer"      => DEVELOPER,
-          "Maintainer" => MAINTAINER
+          "Maintainer"     => MAINTAINER
        }
      end
@@ -86,7 +91,7 @@ module Gitlab
      end
      def human_access(access)
-        options_with_owner.key(access)
+        options_with_unassigned.key(access)
      end
      def human_access_with_none(access)

--- a/lib/gitlab/project_authorizations.rb
+++ b/lib/gitlab/project_authorizations.rb
@@ -99,6 +99,7 @@ module Gitlab
        .and(members[:source_type].eq('Namespace'))
        .and(members[:requested_at].eq(nil))
        .and(members[:user_id].eq(user.id))
+        .and(members[:access_level].gt(Gitlab::Access::UNASSIGNED))
      Arel::Nodes::OuterJoin.new(members, Arel::Nodes::On.new(cond))
    end
@@ -119,6 +120,7 @@ module Gitlab
                    .and(members[:source_type].eq('Namespace'))
                    .and(members[:requested_at].eq(nil))
                    .and(members[:user_id].eq(user.id))
+                    .and(members[:access_level].gt(Gitlab::Access::UNASSIGNED))
      Arel::Nodes::InnerJoin.new(members, Arel::Nodes::On.new(cond))
    end

--- a/spec/finders/group_members_finder_spec.rb
+++ b/spec/finders/group_members_finder_spec.rb
@@ -16,6 +16,7 @@ RSpec.describe GroupMembersFinder, '#execute' do
    member1 = group.add_maintainer(user1)
    member2 = group.add_maintainer(user2)
    member3 = group.add_maintainer(user3)
+    create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: create(:user), group: group)
    result = described_class.new(group).execute

--- a/spec/finders/groups_finder_spec.rb
+++ b/spec/finders/groups_finder_spec.rb
@@ -106,6 +106,14 @@ RSpec.describe GroupsFinder do
            parent_group.update_attribute(:visibility_level, Gitlab::VisibilityLevel::PRIVATE)
          end
+          context 'being limited access member of parent group' do
+            it 'returns visible subgroups' do
+              create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: user, group: parent_group)
+              is_expected.to contain_exactly(parent_group, public_subgroup, internal_subgroup)
+            end
+          end
          context 'being member of parent group' do
            it 'returns all subgroups' do
              parent_group.add_guest(user)

--- a/spec/finders/members_finder_spec.rb
+++ b/spec/finders/members_finder_spec.rb
@@ -45,6 +45,18 @@ RSpec.describe MembersFinder, '#execute' do
    expect(result).to contain_exactly(member1)
  end
+  it 'does not return members of parent group with limited access' do
+    nested_group.request_access(user1)
+    member1 = group.add_maintainer(user2)
+    member2 = nested_group.add_maintainer(user3)
+    member3 = project.add_maintainer(user4)
+    create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: create(:user), group: group)
+    result = described_class.new(project, user2).execute
+    expect(result).to contain_exactly(member1, member2, member3)
+  end
  it 'includes only non-invite members if user do not have amdin permissions on project' do
    create(:project_member, :invited, project: project, invite_email: create(:user).email)
    member1 = project.add_maintainer(user1)

--- a/spec/lib/gitlab/project_authorizations_spec.rb
+++ b/spec/lib/gitlab/project_authorizations_spec.rb
@@ -115,6 +115,66 @@ RSpec.describe Gitlab::ProjectAuthorizations do
    end
  end
+  context 'user with limited access to group' do
+    let_it_be(:group) { create(:group) }
+    let_it_be(:user) { create(:user) }
+    subject(:mapping) { map_access_levels(authorizations) }
+    context 'group membership' do
+      let!(:group_project) { create(:project, namespace: group) }
+      before do
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: user, group: group)
+      end
+      it 'does not create authorization' do
+        expect(mapping[group_project.id]).to be_nil
+      end
+    end
+    context 'inherited group membership' do
+      let!(:sub_group) { create(:group, parent: group) }
+      let!(:sub_group_project) { create(:project, namespace: sub_group) }
+      before do
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: user, group: group)
+      end
+      it 'does not create authorization' do
+        expect(mapping[sub_group_project.id]).to be_nil
+      end
+    end
+    context 'shared group' do
+      let!(:shared_group) { create(:group) }
+      let!(:shared_group_project) { create(:project, namespace: shared_group) }
+      before do
+        create(:group_group_link, shared_group: shared_group, shared_with_group: group)
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: user, group: group)
+      end
+      it 'does not create authorization' do
+        expect(mapping[shared_group_project.id]).to be_nil
+      end
+    end
+    context 'shared project' do
+      let!(:another_group) { create(:group) }
+      let!(:shared_project) { create(:project, namespace: another_group) }
+      before do
+        create(:project_group_link, group: group, project: shared_project)
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: user, group: group)
+      end
+      it 'does not create authorization' do
+        expect(mapping[shared_project.id]).to be_nil
+      end
+    end
+  end
  context 'with nested groups' do
    let(:group) { create(:group) }
    let!(:nested_group) { create(:group, parent: group) }

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -692,6 +692,7 @@ RSpec.describe Group do
    before do
      create(:group_member, user: user, group: group_parent, access_level: parent_group_access_level)
      create(:group_member, user: user, group: group, access_level: group_access_level)
+      create(:group_member, user: create(:user), group: group, access_level: Gitlab::Access::UNASSIGNED)
      create(:group_member, user: user, group: group_child, access_level: child_group_access_level)
    end

--- a/spec/models/member_spec.rb
+++ b/spec/models/member_spec.rb
@@ -16,7 +16,6 @@ RSpec.describe Member do
    it { is_expected.to validate_presence_of(:user) }
    it { is_expected.to validate_presence_of(:source) }
-    it { is_expected.to validate_inclusion_of(:access_level).in_array(Gitlab::Access.all_values) }
    it_behaves_like 'an object with email-formated attributes', :invite_email do
      subject { build(:project_member) }
@@ -150,6 +149,7 @@ RSpec.describe Member do
      accepted_request_user = create(:user).tap { |u| project.request_access(u) }
      @accepted_request_member = project.requesters.find_by(user_id: accepted_request_user.id).tap { |m| m.accept_request }
+      @member_unassigned = create(:group_member, access_level: Gitlab::Access::UNASSIGNED, group: group)
    end
    describe '.access_for_user_ids' do
@@ -180,6 +180,15 @@ RSpec.describe Member do
      it { expect(described_class.non_invite).to include @accepted_request_member }
    end
+    describe '.non_unassigned' do
+      it { expect(described_class.non_unassigned).to include @maintainer }
+      it { expect(described_class.non_unassigned).to include @invited_member }
+      it { expect(described_class.non_unassigned).to include @accepted_invite_member }
+      it { expect(described_class.non_unassigned).to include @requested_member }
+      it { expect(described_class.non_unassigned).to include @accepted_request_member }
+      it { expect(described_class.non_unassigned).not_to include @member_unassigned }
+    end
    describe '.request' do
      it { expect(described_class.request).not_to include @maintainer }
      it { expect(described_class.request).not_to include @invited_member }

--- a/spec/services/authorized_project_update/project_create_service_spec.rb
+++ b/spec/services/authorized_project_update/project_create_service_spec.rb
@@ -81,6 +81,7 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
        before do
          create(:group_member, access_level: Gitlab::Access::REPORTER, group: group, user: group_user)
          create(:group_member, access_level: Gitlab::Access::MAINTAINER, group: shared_with_group, user: group_user)
+          create(:group_member, access_level: Gitlab::Access::UNASSIGNED, group: shared_with_group, user: create(:user))
          create(:group_group_link, shared_group: group, shared_with_group: shared_with_group, group_access: Gitlab::Access::DEVELOPER)
@@ -97,6 +98,11 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
            access_level: Gitlab::Access::DEVELOPER)
          expect(project_authorization).to exist
        end
+        it 'does not create project authorization for user with limited access' do
+          expect { service.execute }.to(
+            change { ProjectAuthorization.count }.from(0).to(1))
+        end
      end
    end
@@ -118,6 +124,17 @@ RSpec.describe AuthorizedProjectUpdate::ProjectCreateService do
      end
    end
+    context 'member with limited access' do
+      before do
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: group_user, group: group)
+      end
+      it 'does not create project authorization' do
+        expect { service.execute }.not_to(
+          change { ProjectAuthorization.count }.from(0))
+      end
+    end
    context 'project has more user than BATCH_SIZE' do
      let(:batch_size) { 2 }
      let(:users) { create_list(:user, batch_size + 1 ) }

--- a/spec/services/authorized_project_update/project_group_link_create_service_spec.rb
+++ b/spec/services/authorized_project_update/project_group_link_create_service_spec.rb
@@ -112,6 +112,17 @@ RSpec.describe AuthorizedProjectUpdate::ProjectGroupLinkCreateService do
      end
    end
+    context 'unapproved access requests' do
+      before do
+        create(:group_member, access_level: Gitlab::Access::UNASSIGNED, user: group_user, group: group)
+      end
+      it 'does not create project authorization' do
+        expect { service.execute }.not_to(
+          change { ProjectAuthorization.count }.from(0))
+      end
+    end
    context 'project has more users than BATCH_SIZE' do
      let(:batch_size) { 2 }
      let(:users) { create_list(:user, batch_size + 1 ) }