blob: acb6c529c173b1735962ae477e34682da0f5d6cc (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
#Checks visibility level permission check before updating a group
#Do not allow to put Group visibility level smaller than its projects
#Do not allow unauthorized permission levels
module Groups
class UpdateService < Groups::BaseService
def execute
visibility_level_allowed?(params[:visibility_level]) ? group.update_attributes(params) : false
end
private
def visibility_level_allowed?(level)
return true unless level.present?
allowed_by_projects = visibility_by_project(level)
allowed_by_user = visibility_by_user(level)
allowed_by_projects && allowed_by_user
end
def visibility_by_project(level)
projects_visibility = group.projects.pluck(:visibility_level)
allowed_by_projects = !projects_visibility.any?{|project_visibility| level.to_i < project_visibility }
add_error_message("Cannot be changed. There are projects with higher visibility permissions.") unless allowed_by_projects
allowed_by_projects
end
def visibility_by_user(level)
allowed_by_user = Gitlab::VisibilityLevel.allowed_for?(current_user, level)
add_error_message("You are not authorized to set this permission level.") unless allowed_by_user
allowed_by_user
end
def add_error_message(message)
level_name = Gitlab::VisibilityLevel.level_name(params[:visibility_level])
group.errors.add(:visibility_level, message)
end
end
end
|