Enforce share_with_group_lock rules

…in Groups::UpdateService instead of only in the browser.
author: Michael Kozono <mkozono@gmail.com> 2017-09-01 18:00:46 -0700
committer: Michael Kozono <mkozono@gmail.com> 2017-09-06 12:07:20 -0700
commit: 6c57734677746aa0e6695aa75990a85a7f95b50d (patch)
tree: 792a4a0a0a8856ca4702c4464862b53d4bd9461b /app/policies
parent: 1cc7f4a45d9e9fdf1943eb92d3cd2071ba497337 (diff)
download: gitlab-ce-6c57734677746aa0e6695aa75990a85a7f95b50d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 8ada661e571..dab27bbf6da 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -15,6 +15,9 @@ class GroupPolicy < BasePolicy
 
   condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }
 
+  condition(:parent_share_locked) { @subject.has_parent? && @subject.parent.share_with_group_lock? }
+  condition(:parent_owner) { @subject.has_parent? && @subject.parent.has_owner?(@user) }
+
   condition(:has_projects) do
     GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
   end
@@ -54,6 +57,8 @@ class GroupPolicy < BasePolicy
   rule { ~can?(:view_globally) }.prevent   :request_access
   rule { has_access }.prevent              :request_access
 
+  rule { owner & (~parent_share_locked | parent_owner) }.enable :change_share_with_group_lock
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?
author	Michael Kozono <mkozono@gmail.com>	2017-09-01 18:00:46 -0700
committer	Michael Kozono <mkozono@gmail.com>	2017-09-06 12:07:20 -0700
commit	6c57734677746aa0e6695aa75990a85a7f95b50d (patch)
tree	792a4a0a0a8856ca4702c4464862b53d4bd9461b /app/policies
parent	1cc7f4a45d9e9fdf1943eb92d3cd2071ba497337 (diff)
download	gitlab-ce-6c57734677746aa0e6695aa75990a85a7f95b50d.tar.gz