authorGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:32:43 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-10-27 10:32:43 +0000
commit547a5884d1ab6a22d9fc9ce79e5cf6f0310bc23d (patch)
tree655c2c0252d6ac08f0a825fac872f83845ee2e7f
parent25e94f0fc4c4666dbbacfcbdd6bce0380b8fe1d0 (diff)
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
-rw-r--r--app/models/project.rb15
-rw-r--r--lib/api/entities/project.rb4
-rw-r--r--lib/gitlab/background_migration/user_mentions/models/group.rb4
-rw-r--r--spec/lib/api/entities/project_spec.rb39
-rw-r--r--spec/requests/api/projects_spec.rb2
5 files changed, 62 insertions, 2 deletions
diff --git a/app/models/project.rb b/app/models/project.rb
index 6eb19b4462c..00a572b775d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -2714,8 +2714,23 @@ class Project < ApplicationRecord
self.errors.add(:base, _("Could not change HEAD: branch '%{branch}' does not exist") % { branch: branch })
end
+ def visible_group_links(for_user:)
+ user = for_user
+ links = project_group_links_with_preload
+ user.max_member_access_for_group_ids(links.map(&:group_id)) if user && links.any?
+
+ DeclarativePolicy.user_scope do
+ links.select { Ability.allowed?(user, :read_group, _1.group) }
+ end
+ end
+
private
+ # overridden in EE
+ def project_group_links_with_preload
+ project_group_links
+ end
+
def save_topics
return if @topic_list.nil?
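Review bot: The return value of `user.max_member_access_for_group_ids(links.map(&:group_id))` in `visible_group_links` is discarded, so the line reads as a no-op; it presumably exists to populate the user's group-access cache in one query before the per-link `Ability.allowed?` checks, and deserves a comment saying so, e.g. `# Preload this user's access level for every linked group so the policy checks below don't query per link`. The method is also the point that now decides which shared groups an API caller may see, and it deliberately accepts `for_user: nil`, so a short doc comment would help: `# Project group links whose group the given user may read (nil user = anonymous); the API uses this so private groups are not listed to callers who cannot see them`. If `project_group_links_with_preload` returns an unloaded relation, `links.any?` likely issues its own EXISTS query before `links.map` loads the records; calling `links.load` first (or using `links.present?`) would make it a single query — worth confirming against the EE override.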
diff --git a/lib/api/entities/project.rb b/lib/api/entities/project.rb
index df0c1d7a4c5..41320d184f9 100644
--- a/lib/api/entities/project.rb
+++ b/lib/api/entities/project.rb
@@ -100,7 +100,9 @@ module API
expose :build_coverage_regex
expose :ci_config_path, if: -> (project, options) { Ability.allowed?(options[:current_user], :download_code, project) }
expose :shared_with_groups do |project, options|
- SharedGroupWithProject.represent(project.project_group_links, options)
+ user = options[:current_user]
+
+ SharedGroupWithProject.represent(project.visible_group_links(for_user: user), options)
end
expose :only_allow_merge_if_pipeline_succeeds
expose :allow_merge_on_skipped_pipeline
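Review bot: `user` is assigned only to be passed once, so the local adds nothing the call does not already say; either inline it, `SharedGroupWithProject.represent(project.visible_group_links(for_user: options[:current_user]), options)`, or keep it and add a comment explaining why the exposure no longer reads `project.project_group_links` directly, e.g. `# Only the groups the caller can read — the raw project_group_links would reveal private groups`. `options[:current_user]` appears to be nil for unauthenticated requests, which `visible_group_links` handles itself, so no extra guard is needed in the block.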
diff --git a/lib/gitlab/background_migration/user_mentions/models/group.rb b/lib/gitlab/background_migration/user_mentions/models/group.rb
index a8b4b59b06c..310723570c2 100644
--- a/lib/gitlab/background_migration/user_mentions/models/group.rb
+++ b/lib/gitlab/background_migration/user_mentions/models/group.rb
@@ -11,6 +11,10 @@ module Gitlab
has_one :saml_provider
+ def root_saml_provider
+ root_ancestor.saml_provider
+ end
+
def self.declarative_policy_class
"GroupPolicy"
end
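Review bot: `root_saml_provider` calls `root_ancestor`, which is not defined in this hunk; this is a trimmed-down background-migration model, so unless `root_ancestor` is defined or inherited elsewhere in the class, the method will raise NoMethodError the first time a policy check reaches it. The method's purpose is also not evident from the code — presumably GroupPolicy (see `declarative_policy_class` just below) reads it — so a comment such as `# Needed by GroupPolicy when this model is passed to Ability.allowed?` would tell the next maintainer why a migration model carries it. The enclosing class starts before this hunk.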
diff --git a/spec/lib/api/entities/project_spec.rb b/spec/lib/api/entities/project_spec.rb
new file mode 100644
index 00000000000..8d1c3aa878d
--- /dev/null
+++ b/spec/lib/api/entities/project_spec.rb
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe ::API::Entities::Project do
+ let(:project) { create(:project, :public) }
+ let(:current_user) { create(:user) }
+ let(:options) { { current_user: current_user } }
+
+ let(:entity) do
+ ::API::Entities::Project.new(project, options)
+ end
+
+ subject(:json) { entity.as_json }
+
+ describe '.shared_with_groups' do
+ let(:group) { create(:group, :private) }
+
+ before do
+ project.project_group_links.create!(group: group)
+ end
+
+ context 'when the current user does not have access to the group' do
+ it 'is empty' do
+ expect(json[:shared_with_groups]).to be_empty
+ end
+ end
+
+ context 'when the current user has access to the group' do
+ before do
+ group.add_guest(current_user)
+ end
+
+ it 'contains information about the shared group' do
+ expect(json[:shared_with_groups]).to contain_exactly(include(group_id: group.id))
+ end
+ end
+ end
+end
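Review bot: The new spec covers a non-member and a guest member but not an anonymous caller, even though `Project#visible_group_links` explicitly accepts `for_user: nil` and the entity is also rendered for unauthenticated requests against public projects. Since the behaviour under test is that a private group must not appear in `shared_with_groups` for a caller who cannot read it, the nil-user path deserves its own example; a third context in `.shared_with_groups` as below would cover it.
```ruby
    # … unchanged: existing 'does not have access' and 'has access' contexts …

    context 'when there is no current user' do
      let(:current_user) { nil }

      it 'is empty' do
        expect(json[:shared_with_groups]).to be_empty
      end
    end
```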
diff --git a/spec/requests/api/projects_spec.rb b/spec/requests/api/projects_spec.rb
index b5d3dcee804..9b23c008ae7 100644
--- a/spec/requests/api/projects_spec.rb
+++ b/spec/requests/api/projects_spec.rb
@@ -990,7 +990,7 @@ RSpec.describe API::Projects do
expect do
get api('/projects', admin)
- end.not_to exceed_query_limit(control.count)
+ end.not_to exceed_query_limit(control)
end
end
end