diff options
author | Rémy Coutable <remy@rymai.me> | 2019-03-13 13:24:03 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-03-13 13:28:01 +0000 |
commit | 49ad9b7e1034715fe48892a343b9dab44c611b44 (patch) | |
tree | 3ac8aa1f594f23014870c94a07349644ee8f664e | |
parent | d40b9c494814aa7d846e713e51af178b8bc9c70b (diff) | |
download | gitlab-ce-49ad9b7e1034715fe48892a343b9dab44c611b44.tar.gz |
Merge branch 'modify_group_policy' into 'master'
Update group policy to reflect all the requirements
See merge request gitlab-org/gitlab-ce!25854
(cherry picked from commit d8bbd3e78e2fe21048bf4c3ad58fd815c8339200)
0a706446 Modify group policy
8a37dd7a Add changelog to reflect changes
71e522a5 Remove not relevant changes
9559470b Remove not relevant changes
-rw-r--r-- | app/policies/group_policy.rb | 3 | ||||
-rw-r--r-- | changelogs/unreleased/modify_group_policy.yml | 5 | ||||
-rw-r--r-- | spec/features/security/group/private_access_spec.rb | 9 |
3 files changed, 12 insertions, 5 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index e74e5f008d7..db49d3bed9c 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -26,7 +26,7 @@ class GroupPolicy < BasePolicy condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } condition(:has_projects) do - GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any? + GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true, only_owned: true }).execute.any? end condition(:has_clusters, scope: :subject) { clusterable_has_clusters? } @@ -55,6 +55,7 @@ class GroupPolicy < BasePolicy rule { has_projects }.policy do enable :read_list enable :read_label + enable :read_group end rule { has_access }.enable :read_namespace diff --git a/changelogs/unreleased/modify_group_policy.yml b/changelogs/unreleased/modify_group_policy.yml new file mode 100644 index 00000000000..cd9fc340faa --- /dev/null +++ b/changelogs/unreleased/modify_group_policy.yml @@ -0,0 +1,5 @@ +--- +title: Allow project members to see private group if the project is in the group namespace +merge_request: +author: +type: fixed diff --git a/spec/features/security/group/private_access_spec.rb b/spec/features/security/group/private_access_spec.rb index 3238e07fe15..de38a2c0204 100644 --- a/spec/features/security/group/private_access_spec.rb +++ b/spec/features/security/group/private_access_spec.rb @@ -27,7 +27,7 @@ describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_denied_for(project_guest) } + it { is_expected.to be_allowed_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } @@ -42,7 +42,7 @@ describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_denied_for(project_guest) } + it { is_expected.to be_allowed_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } @@ -58,7 +58,7 @@ describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_denied_for(project_guest) } + it { is_expected.to be_allowed_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } @@ -73,7 +73,7 @@ describe 'Private Group access' do it { is_expected.to be_allowed_for(:developer).of(group) } it { is_expected.to be_allowed_for(:reporter).of(group) } it { is_expected.to be_allowed_for(:guest).of(group) } - it { is_expected.to be_denied_for(project_guest) } + it { is_expected.to be_allowed_for(project_guest) } it { is_expected.to be_denied_for(:user) } it { is_expected.to be_denied_for(:external) } it { is_expected.to be_denied_for(:visitor) } @@ -96,6 +96,7 @@ describe 'Private Group access' do describe 'GET /groups/:path for shared projects' do let(:project) { create(:project, :public) } + before do Projects::GroupLinks::CreateService.new( project, |