authorRobert Schilling <rschilling@student.tugraz.at>2014-08-19 00:23:02 +0200
committerJakub Jirutka <jakub@jirutka.cz>2015-03-31 18:32:24 +0200
commit9769c2d7fd0728caf951858162ec7df6f93a8a83 (patch)
treeb7b5d800c0a5c6fe5382788d2cee92aff298fe95
parent0191857fac465fbfb4acad1b923c29f3b05529aa (diff)
downloadgitlab-ce-9769c2d7fd0728caf951858162ec7df6f93a8a83.tar.gz
Fix #6417: users with group permission should be able to create groups via API
-rw-r--r--doc/api/groups.md2
-rw-r--r--lib/api/groups.rb4
-rw-r--r--spec/factories.rb1
-rw-r--r--spec/requests/api/groups_spec.rb19
4 files changed, 14 insertions, 12 deletions
diff --git a/doc/api/groups.md b/doc/api/groups.md
index b5a4b05ccaf..c903a850fdd 100644
--- a/doc/api/groups.md
+++ b/doc/api/groups.md
@@ -35,7 +35,7 @@ Parameters:
## New group
-Creates a new project group. Available only for admin.
+Creates a new project group. Available only for users who can create groups.
```
POST /groups
diff --git a/lib/api/groups.rb b/lib/api/groups.rb
index a92abd4b690..218cec40884 100644
--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -20,7 +20,7 @@ module API
present @groups, with: Entities::Group
end
- # Create group. Available only for admin
+ # Create group. Available only for users who can create groups.
#
# Parameters:
# name (required) - The name of the group
@@ -28,7 +28,7 @@ module API
# Example Request:
# POST /groups
post do
- authenticated_as_admin!
+ authorize! :create_group, current_user
required_attributes! [:name, :path]
attrs = attributes_for_keys [:name, :path, :description]
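Review bot: Nothing visible in this hunk shows that an unauthenticated request is rejected before `authorize! :create_group, current_user` runs; the removed `authenticated_as_admin!` covered, judging by its name, both the login check and the admin check. If the resource does not already run an authentication filter outside the hunk, `current_user` can be nil here and the outcome depends on how the ability check treats a nil user. I would confirm that filter exists and pin it with a spec that sends `post api("/groups"), attributes_for(:group)` and expects 401. The `post do` block opens inside the hunk, but its body continues past the last line shown.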
diff --git a/spec/factories.rb b/spec/factories.rb
index fc103e5b133..d2b0eeea083 100644
--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -22,6 +22,7 @@ FactoryGirl.define do
password "12345678"
confirmed_at { Time.now }
confirmation_token { nil }
+ can_create_group true
trait :admin do
admin true
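Review bot: Adding `can_create_group true` to the base user factory gives every test user the group-creation permission, so any spec that forgets to pass `can_create_group: false` can no longer catch a missing authorization check. Whether the model or schema default is already true is not visible here; if it is, this line is redundant, and if it is not, the factory now diverges from what a real new account gets. I would keep the base factory at the application default and grant the permission through a trait such as `trait(:group_creator) { can_create_group true }`, used only by the specs that need it. The factory block continues outside the hunk.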
diff --git a/spec/requests/api/groups_spec.rb b/spec/requests/api/groups_spec.rb
index d963dbac9f1..62b42d63fc2 100644
--- a/spec/requests/api/groups_spec.rb
+++ b/spec/requests/api/groups_spec.rb
@@ -3,8 +3,9 @@ require 'spec_helper'
describe API::API, api: true do
include ApiHelpers
- let(:user1) { create(:user) }
+ let(:user1) { create(:user, can_create_group: false) }
let(:user2) { create(:user) }
+ let(:user3) { create(:user) }
let(:admin) { create(:admin) }
let!(:group1) { create(:group) }
let!(:group2) { create(:group) }
@@ -94,32 +95,32 @@ describe API::API, api: true do
end
describe "POST /groups" do
- context "when authenticated as user" do
+ context "when authenticated as user without group permissions" do
it "should not create group" do
post api("/groups", user1), attributes_for(:group)
expect(response.status).to eq(403)
end
end
- context "when authenticated as admin" do
+ context "when authenticated as user with group permissions" do
it "should create group" do
- post api("/groups", admin), attributes_for(:group)
+ post api("/groups", user3), attributes_for(:group)
expect(response.status).to eq(201)
end
it "should not create group, duplicate" do
- post api("/groups", admin), {name: "Duplicate Test", path: group2.path}
+ post api("/groups", user3), {name: 'Duplicate Test', path: group2.path}
expect(response.status).to eq(400)
expect(response.message).to eq("Bad Request")
end
it "should return 400 bad request error if name not given" do
- post api("/groups", admin), {path: group2.path}
+ post api("/groups", user3), {path: group2.path}
expect(response.status).to eq(400)
end
it "should return 400 bad request error if path not given" do
- post api("/groups", admin), { name: 'test' }
+ post api("/groups", user3), {name: 'test'}
expect(response.status).to eq(400)
end
end
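Review bot: The "POST /groups" examples no longer cover an administrator at all, because every `admin` call was replaced with `user3`, so nothing checks that an admin can still create a group now that the endpoint tests `:create_group` instead of the admin flag. Whether an admin whose `can_create_group` is false is still allowed is not visible on this page, and it is a behaviour change that should be decided explicitly rather than left implicit. I would keep one admin example next to the new ones, `post api("/groups", admin), attributes_for(:group)` followed by `expect(response.status).to eq(201)`. The enclosing `describe "POST /groups"` block closes outside the hunk.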
@@ -133,8 +134,8 @@ describe API::API, api: true do
end
it "should not remove a group if not an owner" do
- user3 = create(:user)
- group1.add_user(user3, Gitlab::Access::MASTER)
+ user4 = create(:user)
+ group1.add_user(user4, Gitlab::Access::MASTER)
delete api("/groups/#{group1.id}", user3)
expect(response.status).to eq(403)
end
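Review bot: The unchanged line `delete api("/groups/#{group1.id}", user3)` still authenticates as `user3`, but the renamed lines now add `user4` as MASTER, so `user3` resolves to the `let(:user3)` user, who has no membership in `group1`. The example therefore no longer tests that a member below owner level cannot delete the group, and it may pass on a 403 that is returned to a non-member for a different reason. The request should use the renamed local: `delete api("/groups/#{group1.id}", user4)`.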