diff options
author | Douwe Maan <douwe@gitlab.com> | 2017-12-11 15:51:07 +0000 |
---|---|---|
committer | Douwe Maan <douwe@gitlab.com> | 2017-12-11 15:51:07 +0000 |
commit | 0cc6eb8b0968b7f3a4101f786a4e980cad10f189 (patch) | |
tree | e384fd6fbca066d2d7ca94b105115a6268b38da7 | |
parent | a2d1648076cf55b09562f7ef081fd9e479398ab6 (diff) | |
parent | 429302b34c5d66bd79f49284964cfc21db794ba7 (diff) | |
download | gitlab-ce-0cc6eb8b0968b7f3a4101f786a4e980cad10f189.tar.gz |
Merge branch '40743-bug-accepting-new-group-members-when-permission-level-developer' into 'master'
Bugfix: User can't change the access level of an access requester
Closes #40743
See merge request gitlab-org/gitlab-ce!15832
5 files changed, 46 insertions, 2 deletions
diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb index 8fc234a62b1..5919bf54468 100644 --- a/app/controllers/groups/group_members_controller.rb +++ b/app/controllers/groups/group_members_controller.rb @@ -22,7 +22,7 @@ class Groups::GroupMembersController < Groups::ApplicationController end def update - @group_member = @group.group_members.find(params[:id]) + @group_member = @group.members_and_requesters.find(params[:id]) return render_403 unless can?(current_user, :update_group_member, @group_member) diff --git a/app/controllers/projects/project_members_controller.rb b/app/controllers/projects/project_members_controller.rb index d925dcd21ff..5a01a59481b 100644 --- a/app/controllers/projects/project_members_controller.rb +++ b/app/controllers/projects/project_members_controller.rb @@ -26,7 +26,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController end def update - @project_member = @project.project_members.find(params[:id]) + @project_member = @project.members_and_requesters.find(params[:id]) return render_403 unless can?(current_user, :update_project_member, @project_member) diff --git a/changelogs/unreleased/15832-fix-access-level-update-for-requesters.yml b/changelogs/unreleased/15832-fix-access-level-update-for-requesters.yml new file mode 100644 index 00000000000..9d6c958cb3e --- /dev/null +++ b/changelogs/unreleased/15832-fix-access-level-update-for-requesters.yml @@ -0,0 +1,5 @@ +--- +title: Fix error that was preventing users to change the access level of access requests for Groups or Projects +merge_request: 15832 +author: +type: fixed diff --git a/spec/controllers/groups/group_members_controller_spec.rb b/spec/controllers/groups/group_members_controller_spec.rb index 9c6d584f59b..362d5cc4514 100644 --- a/spec/controllers/groups/group_members_controller_spec.rb +++ b/spec/controllers/groups/group_members_controller_spec.rb @@ -62,6 +62,25 @@ describe Groups::GroupMembersController do end end + describe 'PUT update' do + let(:requester) { create(:group_member, :access_request, group: group) } + + before do + group.add_owner(user) + sign_in(user) + end + + Gitlab::Access.options.each do |label, value| + it "can change the access level to #{label}" do + xhr :put, :update, group_member: { access_level: value }, + group_id: group, + id: requester + + expect(requester.reload.human_access).to eq(label) + end + end + end + describe 'DELETE destroy' do let(:member) { create(:group_member, :developer, group: group) } diff --git a/spec/controllers/projects/project_members_controller_spec.rb b/spec/controllers/projects/project_members_controller_spec.rb index a34dc27a5ed..290dba0610a 100644 --- a/spec/controllers/projects/project_members_controller_spec.rb +++ b/spec/controllers/projects/project_members_controller_spec.rb @@ -66,6 +66,26 @@ describe Projects::ProjectMembersController do end end + describe 'PUT update' do + let(:requester) { create(:project_member, :access_request, project: project) } + + before do + project.add_master(user) + sign_in(user) + end + + Gitlab::Access.options.each do |label, value| + it "can change the access level to #{label}" do + xhr :put, :update, project_member: { access_level: value }, + namespace_id: project.namespace, + project_id: project, + id: requester + + expect(requester.reload.human_access).to eq(label) + end + end + end + describe 'DELETE destroy' do let(:member) { create(:project_member, :developer, project: project) } |