-rw-r--r--app/helpers/groups_helper.rb6
-rw-r--r--app/policies/group_policy.rb13
-rw-r--r--spec/helpers/groups_helper_spec.rb8
-rw-r--r--spec/policies/group_policy_spec.rb6
4 files changed, 28 insertions, 5 deletions
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb
index 95fea2f18d1..3c5c8bbd71b 100644
--- a/app/helpers/groups_helper.rb
+++ b/app/helpers/groups_helper.rb
@@ -128,8 +128,10 @@ module GroupsHelper
def get_group_sidebar_links
links = [:overview, :group_members]
- if can?(current_user, :read_cross_project)
- links += [:activity, :issues, :boards, :labels, :milestones, :merge_requests]
+ resources = [:activity, :issues, :boards, :labels, :milestones,
+ :merge_requests]
+ links += resources.select do |resource|
+ can?(current_user, "read_group_#{resource}".to_sym, @group)
end
if can?(current_user, :admin_group, @group)
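Review bot: The ability names checked in the added `select` block are built by interpolation (`"read_group_#{resource}".to_sym`), so none of the six `read_group_*` symbols appears literally in this helper and a search for, say, `read_group_boards` will not lead a reader to this caller. A resource added to the list without a matching `enable` in GroupPolicy would presumably be denied and its link would silently disappear rather than fail loudly. Consider moving the list into a frozen constant, using the symbol-literal form `:"read_group_#{resource}"`, and adding a comment such as `# every entry needs a matching read_group_<resource> ability in GroupPolicy`. The body of `get_group_sidebar_links` continues past the end of the hunk.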
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 520710b757d..ded9fe30eff 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -72,6 +72,19 @@ class GroupPolicy < BasePolicy
enable :change_visibility_level
end
+ rule { can?(:read_nested_project_resources) }.policy do
+ enable :read_group_activity
+ enable :read_group_issues
+ enable :read_group_boards
+ enable :read_group_labels
+ enable :read_group_milestones
+ enable :read_group_merge_requests
+ end
+
+ rule { can?(:read_cross_project) & can?(:read_group) }.policy do
+ enable :read_nested_project_resources
+ end
+
rule { owner & nested_groups_supported }.enable :create_subgroup
rule { public_group | logged_in_viewable }.enable :view_globally
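Review bot: The two added rules have no comment explaining why the six `read_group_*` abilities depend on `read_cross_project`, and the rule that consumes `read_nested_project_resources` is declared before the rule that enables it, which makes the chain harder to follow. I would declare the enabling rule first and put a comment above it, e.g. `# Group pages that aggregate data from nested projects require group read access plus cross-project read access`. Within this commit the new abilities are consumed only by the sidebar helper, which hides links. If the group activity, issues, boards, labels, milestones and merge-request endpoints are meant to be restricted by the same abilities, that enforcement has to live elsewhere and is not visible in this diff.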
diff --git a/spec/helpers/groups_helper_spec.rb b/spec/helpers/groups_helper_spec.rb
index 6c94bd4e504..115807f954b 100644
--- a/spec/helpers/groups_helper_spec.rb
+++ b/spec/helpers/groups_helper_spec.rb
@@ -206,8 +206,9 @@ describe GroupsHelper do
let(:group) { create(:group, :public) }
let(:user) { create(:user) }
before do
+ group.add_owner(user)
allow(helper).to receive(:current_user) { user }
- allow(helper).to receive(:can?) { true }
+ allow(helper).to receive(:can?) { |*args| Ability.allowed?(*args) }
helper.instance_variable_set(:@group, group)
end
@@ -231,7 +232,10 @@ describe GroupsHelper do
cross_project_features = [:activity, :issues, :labels, :milestones,
:merge_requests]
- expect(helper).to receive(:can?).with(user, :read_cross_project) { false }
+ allow(Ability).to receive(:allowed?).and_call_original
+ cross_project_features.each do |feature|
+ expect(Ability).to receive(:allowed?).with(user, "read_group_#{feature}".to_sym, group) { false }
+ end
expect(helper.group_sidebar_links).not_to include(*cross_project_features)
end
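Review bot: `cross_project_features` in this example omits `:boards`, while the helper now also gates the boards link on `read_group_boards`, so the denied case for boards is neither stubbed nor asserted. With `and_call_original` in place and the user added as an owner in the `before` block, the boards check falls through to the real policy, and the `not_to include` expectation says nothing about that link. Adding it to the list would cover all six abilities: `cross_project_features = [:activity, :issues, :boards, :labels, :milestones, :merge_requests]`. The `it` block opens outside the hunk.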
diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb
index 9b5c290b9f9..d6d340bd806 100644
--- a/spec/policies/group_policy_spec.rb
+++ b/spec/policies/group_policy_spec.rb
@@ -9,7 +9,11 @@ describe GroupPolicy do
let(:admin) { create(:admin) }
let(:group) { create(:group, :private) }
- let(:guest_permissions) { [:read_label, :read_group, :upload_file, :read_namespace] }
+ let(:guest_permissions) do
+ [:read_label, :read_group, :upload_file, :read_namespace, :read_group_activity,
+ :read_group_issues, :read_group_boards, :read_group_labels, :read_group_milestones,
+ :read_group_merge_requests]
+ end
let(:reporter_permissions) { [:admin_label] }
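Review bot: Adding the six `read_group_*` abilities to `guest_permissions` covers only the case where they are granted; nothing in this hunk exercises the denied branch of the new policy rule, where `read_cross_project` is not allowed for the user. Unless such an example already exists elsewhere in the spec (not visible here), consider adding a context in which `read_cross_project` is denied and which asserts that `:read_group_activity`, `:read_group_issues`, `:read_group_boards`, `:read_group_labels`, `:read_group_milestones` and `:read_group_merge_requests` are all disallowed while `:read_group` stays allowed. That would pin the behaviour this commit exists to introduce. The intermediate `:read_nested_project_resources` ability is also not asserted anywhere in the visible lines.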