Disable adding, updating and removing members from a group that is synced with LDAP

db00bd00 · Douwe Maan · 73a87802 · db00bd00 · db00bd00 · db00bd00
Commit db00bd00 authored Jul 28, 2015 by Douwe Maan
Showing with 12 additions and 5 deletions

CHANGELOG-EE CHANGELOG-EE +4 -1

app/models/ability.rb app/models/ability.rb +5 -1

app/views/groups/group_members/index.html.haml app/views/groups/group_members/index.html.haml +3 -3

No files found.
--- a/CHANGELOG-EE
+++ b/CHANGELOG-EE
+v 7.14
+  - Disable adding, updating and removing members from a group that is synced with LDAP
 v 7.13.2
  - Fix group web hook
@@ -180,4 +183,4 @@ v 6.2.0
  - Use omniauth-ldap nickname attribute as GitLab username
  - Improve group sharing UI for installation with many groups
  - Fix empty LDAP group raises exception
  - Respect LDAP user filter for git access
\ No newline at end of file
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -250,6 +250,10 @@ class Ability
          :admin_group,
          :admin_namespace
        ])
+        unless group.ldap_synced?
+          rules << :admin_group_member
+        end
      end
      rules.flatten
@@ -310,7 +314,7 @@ class Ability
      rules = []
      target_user = subject.user
      group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group)
+      can_manage = group_abilities(user, group).include?(:admin_group_member)
      if can_manage && (user != target_user)
        rules << :update_group_member

--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -19,7 +19,7 @@
  - if current_user && current_user.can?(:admin_group, @group)
    .pull-right
-      - if ldap_enabled? && @group.ldap_group_links.any?
+      - if ldap_enabled? && @group.ldap_synced?
        = link_to reset_access_group_ldap_path(@group), class: 'btn btn-grouped', data: { confirm: "Force GitLab to do LDAP permission checks for all group members? All members besides yourself will be reduced to 'Guest' access until their next interaction with GitLab." }, method: :put do
          Clear LDAP permission cache
@@ -30,9 +30,9 @@
    .js-toggle-content.hide.new-group-member-holder
      = render "new_group_member"
- if ldap_enabled? && @group.ldap_group_links.any?
+- if ldap_enabled? && @group.ldap_synced?
  .bs-callout.bs-callout-info
-    The members of this group are sync with LDAP.
+    The members of this group are managed using LDAP and cannot be added, changed or removed here.
    Because LDAP permissions in GitLab get updated one user at a time and because GitLab caches LDAP check results, changes on your LDAP server or in this group's LDAP sync settings may take up to #{Gitlab.config.ldap['sync_time']}s to show in the list below.
    %ul
      - @group.ldap_group_links.each do |ldap_group_link|