Groups::ImportExport::ExportService to require admin_group permission

app/services/groups/import_export/export_service.rb

@@ -11,6 +11,12 @@ module Groups
       end
 
       def execute
+        unless @current_user.can?(:admin_group, @group)
+          raise ::Gitlab::ImportExport::Error.new(
+            "User with ID: %s does not have permission to Group %s with ID: %s." %
+              [@current_user.id, @group.name, @group.id])
+        end
+
         save!
       end
 

changelogs/unreleased/fix_group_export_permission.yml

+---
+title: Groups::ImportExport::ExportService to require admin_group permission
+merge_request: 23434
+author:
+type: changed

spec/services/groups/import_export/export_service_spec.rb

@@ -10,6 +10,10 @@ describe Groups::ImportExport::ExportService do
     let(:export_path) { shared.export_path }
     let(:service) { described_class.new(group: group, user: user, params: { shared: shared }) }
 
+    before do
+      group.add_owner(user)
+    end
+
     after do
       FileUtils.rm_rf(export_path)
     end
@@ -30,6 +34,18 @@ describe Groups::ImportExport::ExportService do
       end
     end
 
+    context 'when user does not have admin_group permission' do
+      let!(:another_user) { create(:user) }
+      let(:service) { described_class.new(group: group, user: another_user, params: { shared: shared }) }
+
+      it 'fails' do
+        expected_message =
+          "User with ID: %s does not have permission to Group %s with ID: %s." %
+            [another_user.id, group.name, group.id]
+        expect { service.execute }.to raise_error(Gitlab::ImportExport::Error).with_message(expected_message)
+      end
+    end
+
     context 'when saving services fail' do
       before do
         allow(service).to receive_message_chain(:tree_exporter, :save).and_return(false)