authorDouwe Maan <douwe@gitlab.com>2015-07-31 13:25:53 +0000
committerDouwe Maan <douwe@gitlab.com>2015-07-31 13:25:53 +0000
commit3307008499c81c8dc88da633e9c6f063d770a676 (patch)
tree9386aaade4d4a2770e446826dffec022efad8688
parent7a048cf4bf4bbf64757a02e57fa87bbad5289d02 (diff)
parent0736f348a6953e6417d3857b78ea5c7eb5954e51 (diff)
Merge branch 'admin-group-member' into 'master'
Add a specific ability for managing group members. To be used for https://dev.gitlab.org/gitlab/gitlab-ee/issues/290 (internal issue). See merge request !1059
-rw-r--r--app/controllers/groups/application_controller.rb6
-rw-r--r--app/controllers/groups/group_members_controller.rb4
-rw-r--r--app/models/ability.rb5
-rw-r--r--app/views/admin/groups/show.html.haml34
-rw-r--r--app/views/groups/group_members/_group_member.html.haml2
-rw-r--r--app/views/groups/group_members/index.html.haml2
6 files changed, 33 insertions, 20 deletions
diff --git a/app/controllers/groups/application_controller.rb b/app/controllers/groups/application_controller.rb
index 4df9d1b7533..6878d4bc07e 100644
--- a/app/controllers/groups/application_controller.rb
+++ b/app/controllers/groups/application_controller.rb
@@ -18,4 +18,10 @@ class Groups::ApplicationController < ApplicationController
return render_404
end
end
+
+ def authorize_admin_group_member!
+ unless can?(current_user, :admin_group_member, group)
+ return render_403
+ end
+ end
end
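Review bot: The new guard answers a failed check with 403, while the sibling helper ending at line 29 answers the same kind of failure with 404 (line 27), and nothing in the file records why the two differ. Because `authorize_admin_group!` runs first for every action this guard is applied to (see the before_action order in group_members_controller.rb), the 403 only ever reaches a user who already holds `admin_group` but not `admin_group_member`, so disclosing the group's existence is acceptable — but that reasoning should be written down rather than rediscovered. I would add `# 403, not 404: callers have already passed authorize_admin_group!, so the group's existence is not secret here.` above the method, and collapse the body to the modifier form the rest of the codebase uses, `render_403 unless can?(current_user, :admin_group_member, group)`.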
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 040255f08e6..91518c44a98 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -5,6 +5,7 @@ class Groups::GroupMembersController < Groups::ApplicationController
# Authorize
before_action :authorize_read_group!
before_action :authorize_admin_group!, except: [:index, :leave]
+ before_action :authorize_admin_group_member!, only: [:create, :resend_invite]
def index
@project = @group.projects.find(params[:project_id]) if params[:project_id]
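Review bot: The new before_action covers only `create` and `resend_invite`, so `destroy` stays gated by `authorize_admin_group!` alone, while the admin view in this same commit hides the remove button behind `destroy_group_member`. Hiding a button is not enforcement: a user who holds `admin_group` but not `admin_group_member` (the exact split this ability is being introduced for) could still issue the DELETE directly. Either add the action here, `before_action :authorize_admin_group_member!, only: [:create, :resend_invite, :destroy]`, or mirror the per-member pattern used in `update` inside `destroy`, `return render_403 unless can?(current_user, :destroy_group_member, @member)`. The `destroy` action itself is outside this hunk, so I cannot confirm what it currently checks.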
@@ -28,6 +29,9 @@ class Groups::GroupMembersController < Groups::ApplicationController
def update
@member = @group.group_members.find(params[:id])
+
+ return render_403 unless can?(current_user, :update_group_member, @member)
+
@member.update_attributes(member_params)
end
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a8f683bc89..f8e5afa9b01 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -233,7 +233,8 @@ class Ability
if group.has_owner?(user) || user.admin?
rules.push(*[
:admin_group,
- :admin_namespace
+ :admin_namespace,
+ :admin_group_member
])
end
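Review bot: `:admin_group_member` is granted under exactly the same condition as `:admin_group` (line 61: owner or instance admin), so within this commit the two abilities are never held separately and the new checks cannot change any outcome; the separation only matters once something (presumably the EE work referenced in the description) withholds one without the other. That intent is invisible from the rule list, so a reader will be tempted to fold the two back together. I would add a comment on the new rule: `# Kept distinct from :admin_group so member management can be withheld without revoking group administration (see the EE issue in the merge description).`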
@@ -295,7 +296,7 @@ class Ability
rules = []
target_user = subject.user
group = subject.group
- can_manage = group_abilities(user, group).include?(:admin_group)
+ can_manage = group_abilities(user, group).include?(:admin_group_member)
if can_manage && (user != target_user)
rules << :update_group_member
diff --git a/app/views/admin/groups/show.html.haml b/app/views/admin/groups/show.html.haml
index 187314872de..296497a4cd4 100644
--- a/app/views/admin/groups/show.html.haml
+++ b/app/views/admin/groups/show.html.haml
@@ -51,21 +51,22 @@
= paginate @projects, param_name: 'projects_page', theme: 'gitlab'
.col-md-6
- .panel.panel-default
- .panel-heading
- Add user(s) to the group:
- .panel-body.form-holder
- %p.light
- Read more about project permissions
- %strong= link_to "here", help_page_path("permissions", "permissions"), class: "vlink"
+ - if can?(current_user, :admin_group_member, @group)
+ .panel.panel-default
+ .panel-heading
+ Add user(s) to the group:
+ .panel-body.form-holder
+ %p.light
+ Read more about project permissions
+ %strong= link_to "here", help_page_path("permissions", "permissions"), class: "vlink"
- = form_tag members_update_admin_group_path(@group), id: "new_project_member", class: "bulk_import", method: :put do
- %div
- = users_select_tag(:user_ids, multiple: true, email_user: true, scope: :all)
- %div.prepend-top-10
- = select_tag :access_level, options_for_select(GroupMember.access_level_roles), class: "project-access-select select2"
- %hr
- = button_tag 'Add users to group', class: "btn btn-create"
+ = form_tag members_update_admin_group_path(@group), id: "new_project_member", class: "bulk_import", method: :put do
+ %div
+ = users_select_tag(:user_ids, multiple: true, email_user: true, scope: :all)
+ %div.prepend-top-10
+ = select_tag :access_level, options_for_select(GroupMember.access_level_roles), class: "project-access-select select2"
+ %hr
+ = button_tag 'Add users to group', class: "btn btn-create"
.panel.panel-default
.panel-heading
%h3.panel-title
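Review bot: The `can?` wrapped around the add-users panel at line 91 is a view-only gate, and for anyone who can reach the admin area it is always true, since `group_abilities` grants `:admin_group_member` to `user.admin?` (ability.rb lines 61-66). The form still posts to `members_update_admin_group_path`, whose controller action is not part of this commit, so the authorization actually has to live there; as it stands the panel would only disappear if some later override of the ability withholds it from admins. I would either add the matching check to `Admin::GroupsController#members_update` (not visible here, so I cannot confirm it is missing) or note above the `- if` why a view-side check is sufficient: `-# Cosmetic only: admins always satisfy this today; the controller enforces it.`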
@@ -86,7 +87,8 @@
(invited)
%span.pull-right.light
= member.human_access
- = link_to group_group_member_path(@group, member), data: { confirm: remove_user_from_group_message(@group, member) }, method: :delete, remote: true, class: "btn-xs btn btn-remove", title: 'Remove user from group' do
- %i.fa.fa-minus.fa-inverse
+ - if can?(current_user, :destroy_group_member, member)
+ = link_to group_group_member_path(@group, member), data: { confirm: remove_user_from_group_message(@group, member) }, method: :delete, remote: true, class: "btn-xs btn btn-remove", title: 'Remove user from group' do
+ %i.fa.fa-minus.fa-inverse
.panel-footer
= paginate @members, param_name: 'members_page', theme: 'gitlab'
diff --git a/app/views/groups/group_members/_group_member.html.haml b/app/views/groups/group_members/_group_member.html.haml
index b460e0ff59e..acc7f8b28c2 100644
--- a/app/views/groups/group_members/_group_member.html.haml
+++ b/app/views/groups/group_members/_group_member.html.haml
@@ -24,7 +24,7 @@
= link_to member.created_by.name, user_path(member.created_by)
= time_ago_with_tooltip(member.created_at)
- - if show_controls && can?(current_user, :admin_group, @group)
+ - if show_controls && can?(current_user, :admin_group_member, member)
= link_to resend_invite_group_group_member_path(@group, member), method: :post, class: "btn-xs btn", title: 'Resend invite' do
Resend invite
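Review bot: The subject passed to `can?` changed from `@group` to `member` at line 135, but `:admin_group_member` is defined in `group_abilities` (ability.rb lines 61-67) with the group as subject; the member-subject branch at lines 70-76 only *consults* that ability to derive `:update_group_member` and does not appear to expose `:admin_group_member` itself, so this check looks like it evaluates false for everyone and the Resend invite button would never render. The controller guard for `resend_invite` (`authorize_admin_group_member!`) checks against `group`, so the view should ask the same question: `- if show_controls && can?(current_user, :admin_group_member, @group)`. The tail of the member-abilities method is outside the diff, so if it does push `:admin_group_member` onto its rules this is a non-issue, but the inconsistency with the controller is worth resolving either way.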
diff --git a/app/views/groups/group_members/index.html.haml b/app/views/groups/group_members/index.html.haml
index a70d1ff0697..dba395cc8fa 100644
--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -17,7 +17,7 @@
= search_field_tag :search, params[:search], { placeholder: 'Find existing member by name', class: 'form-control search-text-input' }
= button_tag 'Search', class: 'btn'
- - if current_user && current_user.can?(:admin_group, @group)
+ - if current_user && current_user.can?(:admin_group_member, @group)
.pull-right
= button_tag class: 'btn btn-new js-toggle-button', type: 'button' do
Add members
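Review bot: Line 146 calls `current_user.can?(:admin_group_member, @group)` while every other view touched by this commit uses the `can?(current_user, ability, subject)` helper (admin show line 91, the member partial line 135); the two spellings are presumably equivalent, but a single idiom makes the new ability easy to grep for. I would write `- if can?(current_user, :admin_group_member, @group)`, which also drops the explicit `current_user &&` guard if the helper tolerates a nil user — worth confirming before removing it, since anonymous visitors may reach this page for public groups.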