diff options
-rw-r--r-- | app/helpers/groups_helper.rb | 6 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 13 | ||||
-rw-r--r-- | spec/helpers/groups_helper_spec.rb | 8 | ||||
-rw-r--r-- | spec/policies/group_policy_spec.rb | 6 |
4 files changed, 28 insertions, 5 deletions
diff --git a/app/helpers/groups_helper.rb b/app/helpers/groups_helper.rb index 95fea2f18d1..3c5c8bbd71b 100644 --- a/app/helpers/groups_helper.rb +++ b/app/helpers/groups_helper.rb @@ -128,8 +128,10 @@ module GroupsHelper def get_group_sidebar_links links = [:overview, :group_members] - if can?(current_user, :read_cross_project) - links += [:activity, :issues, :boards, :labels, :milestones, :merge_requests] + resources = [:activity, :issues, :boards, :labels, :milestones, + :merge_requests] + links += resources.select do |resource| + can?(current_user, "read_group_#{resource}".to_sym, @group) end if can?(current_user, :admin_group, @group) diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 520710b757d..ded9fe30eff 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -72,6 +72,19 @@ class GroupPolicy < BasePolicy enable :change_visibility_level end + rule { can?(:read_nested_project_resources) }.policy do + enable :read_group_activity + enable :read_group_issues + enable :read_group_boards + enable :read_group_labels + enable :read_group_milestones + enable :read_group_merge_requests + end + + rule { can?(:read_cross_project) & can?(:read_group) }.policy do + enable :read_nested_project_resources + end + rule { owner & nested_groups_supported }.enable :create_subgroup rule { public_group | logged_in_viewable }.enable :view_globally diff --git a/spec/helpers/groups_helper_spec.rb b/spec/helpers/groups_helper_spec.rb index 6c94bd4e504..115807f954b 100644 --- a/spec/helpers/groups_helper_spec.rb +++ b/spec/helpers/groups_helper_spec.rb @@ -206,8 +206,9 @@ describe GroupsHelper do let(:group) { create(:group, :public) } let(:user) { create(:user) } before do + group.add_owner(user) allow(helper).to receive(:current_user) { user } - allow(helper).to receive(:can?) { true } + allow(helper).to receive(:can?) { |*args| Ability.allowed?(*args) } helper.instance_variable_set(:@group, group) end @@ -231,7 +232,10 @@ describe GroupsHelper do cross_project_features = [:activity, :issues, :labels, :milestones, :merge_requests] - expect(helper).to receive(:can?).with(user, :read_cross_project) { false } + allow(Ability).to receive(:allowed?).and_call_original + cross_project_features.each do |feature| + expect(Ability).to receive(:allowed?).with(user, "read_group_#{feature}".to_sym, group) { false } + end expect(helper.group_sidebar_links).not_to include(*cross_project_features) end diff --git a/spec/policies/group_policy_spec.rb b/spec/policies/group_policy_spec.rb index 9b5c290b9f9..d6d340bd806 100644 --- a/spec/policies/group_policy_spec.rb +++ b/spec/policies/group_policy_spec.rb @@ -9,7 +9,11 @@ describe GroupPolicy do let(:admin) { create(:admin) } let(:group) { create(:group, :private) } - let(:guest_permissions) { [:read_label, :read_group, :upload_file, :read_namespace] } + let(:guest_permissions) do + [:read_label, :read_group, :upload_file, :read_namespace, :read_group_activity, + :read_group_issues, :read_group_boards, :read_group_labels, :read_group_milestones, + :read_group_merge_requests] + end let(:reporter_permissions) { [:admin_label] } |