authorFelipe Artur <felipefac@gmail.com>2016-03-08 21:01:33 -0300
committerFelipe Artur <felipefac@gmail.com>2016-03-10 10:38:36 -0300
commitc3e70280dffe7ee0859ebd73b902d424ca5f809a (patch)
tree06b83a5ab13d19803332253cf50a941501b29317 /app/services/groups
parentbd59e59d01c5e845c7f7d451feaa1488670f20de (diff)
Prevent projects to have higher visibility than groups
Prevent groups from having smaller visibility than their projects. Add default_group_visibility_level to configuration. Code improvements.
Diffstat (limited to 'app/services/groups')
-rw-r--r--app/services/groups/base_service.rb9
-rw-r--r--app/services/groups/update_service.rb44
2 files changed, 53 insertions, 0 deletions
diff --git a/app/services/groups/base_service.rb b/app/services/groups/base_service.rb
new file mode 100644
index 00000000000..5becd475d3a
--- /dev/null
+++ b/app/services/groups/base_service.rb
@@ -0,0 +1,9 @@
+module Groups
+ class BaseService
+ attr_accessor :group, :current_user, :params
+
+ def initialize(group, user, params = {})
+ @group, @current_user, @params = group, user, params.dup
+ end
+ end
+end
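Review bot: `attr_accessor :group, :current_user, :params` on BaseService exposes public writers for the group, the acting user and the params, although nothing in this commit assigns them after construction; `attr_reader :group, :current_user, :params` keeps the same read interface and stops a caller from swapping `current_user` out from under the authorization checks the subclass performs. The `params.dup` in `initialize` is also a shallow copy, so nested values are still shared with the caller; if that is deliberate, a one-line comment such as `# shallow copy: top-level keys may be modified, nested values are shared with the caller` would document it.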
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
new file mode 100644
index 00000000000..acb6c529c17
--- /dev/null
+++ b/app/services/groups/update_service.rb
@@ -0,0 +1,44 @@
+#Checks visibility level permission check before updating a group
+#Do not allow to put Group visibility level smaller than its projects
+#Do not allow unauthorized permission levels
+
+module Groups
+ class UpdateService < Groups::BaseService
+ def execute
+ visibility_level_allowed?(params[:visibility_level]) ? group.update_attributes(params) : false
+ end
+
+ private
+
+ def visibility_level_allowed?(level)
+ return true unless level.present?
+
+ allowed_by_projects = visibility_by_project(level)
+ allowed_by_user = visibility_by_user(level)
+
+ allowed_by_projects && allowed_by_user
+ end
+
+ def visibility_by_project(level)
+ projects_visibility = group.projects.pluck(:visibility_level)
+
+ allowed_by_projects = !projects_visibility.any?{|project_visibility| level.to_i < project_visibility }
+ add_error_message("Cannot be changed. There are projects with higher visibility permissions.") unless allowed_by_projects
+ allowed_by_projects
+ end
+
+ def visibility_by_user(level)
+ allowed_by_user = Gitlab::VisibilityLevel.allowed_for?(current_user, level)
+ add_error_message("You are not authorized to set this permission level.") unless allowed_by_user
+ allowed_by_user
+ end
+
+ def add_error_message(message)
+ level_name = Gitlab::VisibilityLevel.level_name(params[:visibility_level])
+ group.errors.add(:visibility_level, message)
+ end
+ end
+end
+
+
+
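Review bot: In `add_error_message`, the local `level_name = Gitlab::VisibilityLevel.level_name(params[:visibility_level])` is computed and never used, so it should either be dropped or interpolated into the message so the user sees which level was rejected. The two checks also see the level in different forms: `visibility_by_project` compares `level.to_i` against project levels while `visibility_by_user` passes the raw param to `Gitlab::VisibilityLevel.allowed_for?`; since `to_i` maps any non-numeric string to `0`, an unexpected value passes the project comparison as the most restrictive level while the raw value is what `update_attributes(params)` later writes. Coercing once in `visibility_level_allowed?` (for example `level = level.to_i` right after the `return true unless level.present?` guard, assuming `allowed_for?` accepts an integer, which I cannot confirm from this hunk) keeps both checks and the rejection message consistent. Minor style: the three header comments lack a space after `#`, and the file ends with three blank lines.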