From c3e70280dffe7ee0859ebd73b902d424ca5f809a Mon Sep 17 00:00:00 2001
From: Felipe Artur <felipefac@gmail.com>
Date: Tue, 8 Mar 2016 21:01:33 -0300
Subject: Prevent projects to have higher visibility than groups Prevent Groups
 to have smaller visibility than projects Add default_group_visibility_level
 to configuration Code improvements

---
 app/services/groups/base_service.rb   |  9 +++++++
 app/services/groups/update_service.rb | 44 +++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+)
 create mode 100644 app/services/groups/base_service.rb
 create mode 100644 app/services/groups/update_service.rb

(limited to 'app/services/groups')

diff --git a/app/services/groups/base_service.rb b/app/services/groups/base_service.rb
new file mode 100644
index 00000000000..5becd475d3a
--- /dev/null
+++ b/app/services/groups/base_service.rb
@@ -0,0 +1,9 @@
+module Groups
+  class BaseService
+    attr_accessor :group, :current_user, :params
+
+    def initialize(group, user, params = {})
+      @group, @current_user, @params = group, user, params.dup
+    end
+  end
+end
diff --git a/app/services/groups/update_service.rb b/app/services/groups/update_service.rb
new file mode 100644
index 00000000000..acb6c529c17
--- /dev/null
+++ b/app/services/groups/update_service.rb
@@ -0,0 +1,44 @@
+#Checks visibility level permission check before updating a group
+#Do not allow to put Group visibility level smaller than its projects
+#Do not allow unauthorized permission levels
+
+module Groups
+  class UpdateService < Groups::BaseService
+    def execute
+      visibility_level_allowed?(params[:visibility_level]) ? group.update_attributes(params) : false
+    end
+
+    private
+
+    def visibility_level_allowed?(level)
+      return true unless level.present?
+
+      allowed_by_projects = visibility_by_project(level)
+      allowed_by_user     = visibility_by_user(level)
+
+      allowed_by_projects && allowed_by_user
+    end
+
+    def visibility_by_project(level)
+      projects_visibility = group.projects.pluck(:visibility_level)
+
+      allowed_by_projects = !projects_visibility.any?{|project_visibility| level.to_i < project_visibility }
+      add_error_message("Cannot be changed. There are projects with higher visibility permissions.") unless allowed_by_projects
+      allowed_by_projects
+    end
+
+    def visibility_by_user(level)
+      allowed_by_user  = Gitlab::VisibilityLevel.allowed_for?(current_user, level)
+      add_error_message("You are not authorized to set this permission level.") unless allowed_by_user
+      allowed_by_user
+    end
+
+    def add_error_message(message)
+      level_name = Gitlab::VisibilityLevel.level_name(params[:visibility_level])
+      group.errors.add(:visibility_level, message)
+    end
+  end
+end
+
+
+
-- 
cgit v1.2.1