diff options
Diffstat (limited to 'app/services/groups/update_service.rb')
-rw-r--r-- | app/services/groups/update_service.rb | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb new file mode 100644 index 00000000000..acb6c529c17 --- /dev/null +++ b/app/services/groups/update_service.rb @@ -0,0 +1,44 @@ +#Checks visibility level permission check before updating a group +#Do not allow to put Group visibility level smaller than its projects +#Do not allow unauthorized permission levels + +module Groups + class UpdateService < Groups::BaseService + def execute + visibility_level_allowed?(params[:visibility_level]) ? group.update_attributes(params) : false + end + + private + + def visibility_level_allowed?(level) + return true unless level.present? + + allowed_by_projects = visibility_by_project(level) + allowed_by_user = visibility_by_user(level) + + allowed_by_projects && allowed_by_user + end + + def visibility_by_project(level) + projects_visibility = group.projects.pluck(:visibility_level) + + allowed_by_projects = !projects_visibility.any?{|project_visibility| level.to_i < project_visibility } + add_error_message("Cannot be changed. There are projects with higher visibility permissions.") unless allowed_by_projects + allowed_by_projects + end + + def visibility_by_user(level) + allowed_by_user = Gitlab::VisibilityLevel.allowed_for?(current_user, level) + add_error_message("You are not authorized to set this permission level.") unless allowed_by_user + allowed_by_user + end + + def add_error_message(message) + level_name = Gitlab::VisibilityLevel.level_name(params[:visibility_level]) + group.errors.add(:visibility_level, message) + end + end +end + + + |