Diffstat (limited to 'app/controllers/projects/group_links_controller.rb')
-rw-r--r-- | app/controllers/projects/group_links_controller.rb | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/app/controllers/projects/group_links_controller.rb b/app/controllers/projects/group_links_controller.rb
index 08eebfa0e4b..451f1d1363b 100644
--- a/app/controllers/projects/group_links_controller.rb
+++ b/app/controllers/projects/group_links_controller.rb
@@ -2,13 +2,13 @@ class Projects::GroupLinksController < Projects::ApplicationController
 layout 'project_settings'
- before_action :authorize_admin_project!
+ before_action :authorize_admin_project!, except: [:destroy]
+ before_action :authorize_admin_project_group_link!, only: [:destroy]
 before_action :authorize_admin_project_member!, only: [:update]
 feature_category :subgroups
 def update
- group_link = @project.project_group_links.find(params[:id])
 Projects::GroupLinks::UpdateService.new(group_link, current_user).execute(group_link_params)
 if group_link.expires?
@@ -22,13 +22,15 @@ class Projects::GroupLinksController < Projects::ApplicationController
 end
 def destroy
- group_link = project.project_group_links.find(params[:id])
-
 ::Projects::GroupLinks::DestroyService.new(project, current_user).execute(group_link)
 respond_to do |format|
 format.html do
- redirect_to project_project_members_path(project), status: :found
+ if can?(current_user, :admin_group, group_link.group)
+ redirect_to group_path(group_link.group), status: :found
+ elsif can?(current_user, :admin_project, group_link.project)
+ redirect_to project_project_members_path(project), status: :found
+ end
 end
 format.js { head :ok }
 end
@@ -36,6 +38,15 @@ class Projects::GroupLinksController < Projects::ApplicationController
 protected
+ def authorize_admin_project_group_link!
+ render_404 unless can?(current_user, :admin_project_group_link, group_link)
+ end
+
+ def group_link
+ @project.project_group_links.find(params[:id])
+ end
+ strong_memoize_attr :group_link
+
 def group_link_params
 params.require(:group_link).permit(:group_access, :expires_at)
 end |
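Review bot: With `except: [:destroy]` on the first filter, `destroy` is now gated only by `authorize_admin_project_group_link!`, and neither the `:admin_project_group_link` policy nor any check inside `DestroyService` is visible in this file-limited diff. If the service does not enforce the same ability, this filter is the sole authorization for deleting a link, so it deserves a comment above the two lines, for example `# destroy is authorized per link (admin_project_group_link); every other action still requires admin_project`. Using `except:` rather than an `only:` list keeps any action added later behind `admin_project` by default, which is the safer direction and worth preserving.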
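Review bot: The `format.html` block in `destroy` has no `else`, so a user who passed `:admin_project_group_link` but matches neither `can?` check gets no explicit response. Both checks also run after `DestroyService#execute`, so they may evaluate differently than they would have before the link was removed if the user's project access came through that link; this cannot be confirmed from the diff. Add a final `else` branch with a fallback redirect, or compute the redirect target before calling the service. The closing `end` of `destroy` lies outside the hunk.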
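Review bot: `group_link` reads `@project` directly while `destroy` uses the `project` accessor, and the new authorization filter now depends on this lookup. Prefer `project.project_group_links.find(params[:id])` so the filter does not rely on the instance variable having been assigned by an earlier callback. Scoping the lookup through the project's own links is what keeps an id belonging to another project from being authorized here. A short comment such as `# scoped to the current project; an unrelated link id is not found` would guard that property against a later simplification.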