Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
5bc9dedf
Commit
5bc9dedf
authored
Aug 09, 2017
by
Tiago Botelho
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Improves subgroup creation permissions
parent
4a2a6d52
Changes
8
Hide whitespace changes
Inline
Side-by-side
Showing
8 changed files
with
74 additions
and
12 deletions
+74
-12
app/controllers/groups_controller.rb
app/controllers/groups_controller.rb
+7
-0
app/policies/group_policy.rb
app/policies/group_policy.rb
+3
-1
app/services/groups/create_service.rb
app/services/groups/create_service.rb
+2
-2
app/views/shared/_group_form.html.haml
app/views/shared/_group_form.html.haml
+2
-3
changelogs/unreleased/35845-improve-subgroup-creation-permissions.yml
...nreleased/35845-improve-subgroup-creation-permissions.yml
+5
-0
spec/features/groups_spec.rb
spec/features/groups_spec.rb
+12
-5
spec/policies/group_policy_spec.rb
spec/policies/group_policy_spec.rb
+30
-0
spec/services/groups/create_service_spec.rb
spec/services/groups/create_service_spec.rb
+13
-1
No files found.
app/controllers/groups_controller.rb
View file @
5bc9dedf
...
...
@@ -26,6 +26,13 @@ class GroupsController < Groups::ApplicationController
def
new
@group
=
Group
.
new
if
params
[
:parent_id
].
present?
parent
=
Group
.
find_by
(
id:
params
[
:parent_id
])
if
can?
(
current_user
,
:create_subgroup
,
parent
)
@group
.
parent
=
parent
end
end
end
def
create
...
...
app/policies/group_policy.rb
View file @
5bc9dedf
...
...
@@ -13,6 +13,8 @@ class GroupPolicy < BasePolicy
condition
(
:master
)
{
access_level
>=
GroupMember
::
MASTER
}
condition
(
:reporter
)
{
access_level
>=
GroupMember
::
REPORTER
}
condition
(
:nested_groups_supported
,
scope: :global
)
{
Group
.
supports_nested_groups?
}
condition
(
:has_projects
)
do
GroupProjectsFinder
.
new
(
group:
@subject
,
current_user:
@user
).
execute
.
any?
end
...
...
@@ -42,7 +44,7 @@ class GroupPolicy < BasePolicy
enable
:change_visibility_level
end
rule
{
owner
&
can_create_group
}.
enable
:create_subgroup
rule
{
owner
&
can_create_group
&
nested_groups_supported
}.
enable
:create_subgroup
rule
{
public_group
|
logged_in_viewable
}.
enable
:view_globally
...
...
app/services/groups/create_service.rb
View file @
5bc9dedf
...
...
@@ -13,9 +13,9 @@ module Groups
return
@group
end
if
@group
.
parent
&&
!
can?
(
current_user
,
:
admin_
group
,
@group
.
parent
)
if
@group
.
parent
&&
!
can?
(
current_user
,
:
create_sub
group
,
@group
.
parent
)
@group
.
parent
=
nil
@group
.
errors
.
add
(
:parent_id
,
'
manage access required to create subgroup
'
)
@group
.
errors
.
add
(
:parent_id
,
'
You don’t have permission to create a subgroup in this group.
'
)
return
@group
end
...
...
app/views/shared/_group_form.html.haml
View file @
5bc9dedf
-
content_for
:page_specific_javascripts
do
=
page_specific_javascript_bundle_tag
(
'group'
)
-
parent
=
GroupFinder
.
new
(
current_user
).
execute
(
id:
params
[
:parent_id
]
||
@group
.
parent_id
)
-
parent
=
@group
.
parent
-
group_path
=
root_url
-
group_path
<<
parent
.
full_path
+
'/'
if
parent
...
...
@@ -13,13 +13,12 @@
%span
>=
root_url
-
if
parent
%strong
=
parent
.
full_path
+
'/'
=
f
.
hidden_field
:parent_id
=
f
.
text_field
:path
,
placeholder:
'open-source'
,
class:
'form-control'
,
autofocus:
local_assigns
[
:autofocus
]
||
false
,
required:
true
,
pattern:
Gitlab
::
PathRegex
::
NAMESPACE_FORMAT_REGEX_JS
,
title:
'Please choose a group path with no special characters.'
,
"data-bind-in"
=>
"
#{
'create_chat_team'
if
Gitlab
.
config
.
mattermost
.
enabled
}
"
-
if
parent
=
f
.
hidden_field
:parent_id
,
value:
parent
.
id
-
if
@group
.
persisted?
.alert.alert-warning.prepend-top-10
...
...
changelogs/unreleased/35845-improve-subgroup-creation-permissions.yml
0 → 100644
View file @
5bc9dedf
---
title
:
Improves subgroup creation permissions
merge_request
:
13418
author
:
type
:
bugifx
spec/features/groups_spec.rb
View file @
5bc9dedf
...
...
@@ -104,18 +104,15 @@ feature 'Group' do
end
context
'as group owner'
do
let
(
:user
)
{
create
(
:user
)
}
it
'creates a nested group'
do
user
=
create
(
:user
)
before
do
group
.
add_owner
(
user
)
sign_out
(
:user
)
sign_in
(
user
)
visit
subgroups_group_path
(
group
)
click_link
'New Subgroup'
end
it
'creates a nested group'
do
fill_in
'Group path'
,
with:
'bar'
click_button
'Create group'
...
...
@@ -123,6 +120,16 @@ feature 'Group' do
expect
(
page
).
to
have_content
(
"Group 'bar' was successfully created."
)
end
end
context
'when nested group feature is disabled'
do
it
'renders 404'
do
allow
(
Group
).
to
receive
(
:supports_nested_groups?
).
and_return
(
false
)
visit
subgroups_group_path
(
group
)
expect
(
page
.
status_code
).
to
eq
(
404
)
end
end
end
it
'checks permissions to avoid exposing groups by parent_id'
do
...
...
spec/policies/group_policy_spec.rb
View file @
5bc9dedf
...
...
@@ -123,6 +123,36 @@ describe GroupPolicy do
end
end
describe
'when nested group support feature is disabled'
do
before
do
allow
(
Group
).
to
receive
(
:supports_nested_groups?
).
and_return
(
false
)
end
context
'admin'
do
let
(
:current_user
)
{
admin
}
it
'allows every owner permission except creating subgroups'
do
create_subgroup_permission
=
[
:create_subgroup
]
updated_owner_permissions
=
owner_permissions
-
create_subgroup_permission
expect_disallowed
(
*
create_subgroup_permission
)
expect_allowed
(
*
updated_owner_permissions
)
end
end
context
'owner'
do
let
(
:current_user
)
{
owner
}
it
'allows every owner permission except creating subgroups'
do
create_subgroup_permission
=
[
:create_subgroup
]
updated_owner_permissions
=
owner_permissions
-
create_subgroup_permission
expect_disallowed
(
*
create_subgroup_permission
)
expect_allowed
(
*
updated_owner_permissions
)
end
end
end
describe
'private nested group use the highest access level from the group and inherited permissions'
,
:nested_groups
do
let
(
:nested_group
)
{
create
(
:group
,
:private
,
parent:
group
)
}
...
...
spec/services/groups/create_service_spec.rb
View file @
5bc9dedf
...
...
@@ -32,12 +32,24 @@ describe Groups::CreateService, '#execute' do
end
it
{
is_expected
.
to
be_persisted
}
context
'when nested groups feature is disabled'
do
it
'does not save group and returns an error'
do
allow
(
Group
).
to
receive
(
:supports_nested_groups?
).
and_return
(
false
)
is_expected
.
not_to
be_persisted
expect
(
subject
.
errors
[
:parent_id
]).
to
include
(
'You don’t have permission to create a subgroup in this group.'
)
expect
(
subject
.
parent_id
).
to
be_nil
end
end
end
context
'as guest'
do
it
'does not save group and returns an error'
do
allow
(
Group
).
to
receive
(
:supports_nested_groups?
).
and_return
(
true
)
is_expected
.
not_to
be_persisted
expect
(
subject
.
errors
[
:parent_id
].
first
).
to
eq
(
'
manage access required to create subgroup
'
)
expect
(
subject
.
errors
[
:parent_id
].
first
).
to
eq
(
'
You don’t have permission to create a subgroup in this group.
'
)
expect
(
subject
.
parent_id
).
to
be_nil
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment