Commit c555cde9 authored by Douglas Barbosa Alexandre

Merge branch...

Merge branch '12420-prevent-projects-from-being-shared-outside-a-gma-group-member-fork' into 'master'

Resolve "Prevent projects from being shared outside a GMA group" - adding member to forked project

Closes #12420

See merge request gitlab-org/gitlab!26186
parents 091143fe 9f3cc3b8
---
title: Prevent projects from being shared outside a group with managed accounts for forked projects
merge_request: 26186
author:
type: changed
...@@ -9,15 +9,27 @@ module Gitlab ...@@ -9,15 +9,27 @@ module Gitlab
end end
def can_add_user?(user) def can_add_user?(user)
return true unless root_group&.enforced_group_managed_accounts? check_project_membership(user) && check_source_project_membership(user)
root_group == user.managing_group
end end
private private
def root_group attr_reader :project
@root_group ||= @project.root_ancestor
def check_project_membership(user)
check_group_managed_account(project.root_ancestor, user)
end
def check_source_project_membership(user)
return true unless project.forked?
check_group_managed_account(project.forked_from_project.root_ancestor, user)
end
def check_group_managed_account(root_ancestor, user)
return true unless root_ancestor.is_a?(Group) && root_ancestor.enforced_group_managed_accounts?
root_ancestor == user.managing_group
end end
end end
end end
......
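Review bot: `check_source_project_membership` dereferences `project.forked_from_project.root_ancestor` with no nil guard, so if `forked?` can be true while the source project is no longer available (for instance after the source was deleted), the membership check raises `NoMethodError` instead of returning a verdict. A guard that keeps the fork's own group check (already done in `check_project_membership`) as the fallback would be `source = project.forked_from_project` / `return true if source.nil?` / `check_group_managed_account(source.root_ancestor, user)`. Note also that only the immediate source is consulted, so for a fork of a fork the original managed group is not checked; if fork chains are possible here, a one-line comment stating that this is intentional would save the next reader a question. The enclosing class `GmaMembershipEnforcer` and its initializer begin before the hunk.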
...@@ -3,8 +3,12 @@ ...@@ -3,8 +3,12 @@
require 'spec_helper' require 'spec_helper'
describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
include ProjectForksHelper
let_it_be(:group) { create(:group_with_managed_accounts, :private) } let_it_be(:group) { create(:group_with_managed_accounts, :private) }
let_it_be(:project) { create(:project, namespace: group)} let_it_be(:project) { create(:project, namespace: group)}
let_it_be(:managed_user) { create(:user, :group_managed, managing_group: group) }
let_it_be(:managed_user_for_project) { create(:user, :group_managed, managing_group: group) }
subject { described_class.new(project) } subject { described_class.new(project) }
...@@ -14,8 +18,6 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do ...@@ -14,8 +18,6 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
context 'when user is group-managed' do context 'when user is group-managed' do
it 'allows adding user to project' do it 'allows adding user to project' do
managed_user = create(:user, :group_managed, managing_group: group)
expect(subject.can_add_user?(managed_user)).to be_truthy expect(subject.can_add_user?(managed_user)).to be_truthy
end end
end end
...@@ -27,4 +29,48 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do ...@@ -27,4 +29,48 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
expect(subject.can_add_user?(user)).to be_falsey expect(subject.can_add_user?(user)).to be_falsey
end end
end end
context 'when the project is forked' do
subject { described_class.new(fork_project(project, managed_user_for_project)) }
before do
project.add_developer(managed_user_for_project)
end
context 'when user is group-managed' do
it 'allows adding user to project' do
expect(subject.can_add_user?(managed_user)).to be_truthy
end
end
context 'when user is not group-managed' do
it 'does not allow adding user to project' do
expect(subject.can_add_user?(create(:user))).to be_falsey
end
end
end
context 'when project is forked from namespace to group' do
let(:project) { create(:project) }
let(:forked_project) { create(:project, namespace: group) }
subject { described_class.new(forked_project) }
before do
project.add_developer(managed_user_for_project)
fork_project(project, managed_user_for_project, namespace: group, target_project: forked_project)
end
context 'when user is group-managed' do
it 'allows adding user to project' do
expect(subject.can_add_user?(managed_user)).to be_truthy
end
end
context 'when user is not group-managed' do
it 'does not allow adding user to project' do
expect(subject.can_add_user?(create(:user))).to be_falsey
end
end
end
end end
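Review bot: The two new forked contexts only cover forks whose source project still exists; there is no example for a fork whose `forked_from_project` is unavailable, which is the path most likely to raise rather than return a boolean. If that state is reachable, a context such as `context 'when the source project is no longer available'` asserting that `can_add_user?` returns a verdict rather than raising would pin the behaviour. The `before` blocks in both contexts add `managed_user_for_project` as a developer only so the fork can be created, which is not obvious from the example names; a short comment on each `before` saying so would help.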