Commit 1728bf98 authored by Drew Blessing's avatar Drew Blessing Committed by Drew Blessing

Minor updates to LDAP override membership API

Minor updates to `peterlloydcc`'s work to expose the ability to
override LDAP membership via the API. This, along with `peterlloydcc`'s
original commit, allows users to set the override flag on a member
to true or false, as needed.
parent 307c6074
......@@ -282,13 +282,14 @@ Example response:
}
```
### Override LDAP permissions for a member from a group
### Set override flag for a member of a group
Allows access level to be overriden for a LDAP group member
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4875) in GitLab 12.10.
>**Note:** This API endpoint is only available on 11.x Starter and above.
By default, the access level of LDAP group members is set to the value specified
by LDAP through Group Sync. You can allow access level overrides by calling this endpoint.
```
```plaintext
POST /groups/:id/members/:user_id/override
```
......@@ -317,13 +318,14 @@ Example response:
}
```
### Un-override LDAP permissions for a member from a group
### Remove override for a member of a group
Resets access level for a LDAP group member back to be level determined by the LDAP group
> [Introduced](https://gitlab.com/gitlab-org/gitlab/issues/4875) in GitLab 12.10.
>**Note:** This API endpoint is only available on 11.x Starter and above.
Sets the override flag to false and allows LDAP Group Sync to reset the access
level to the LDAP-prescribed value.
```
```plaintext
DELETE /groups/:id/members/:user_id/override
```
......
......@@ -20,6 +20,7 @@ module EE
end
scope :non_owners, -> { where("members.access_level < ?", ::Gitlab::Access::OWNER) }
scope :by_user_id, ->(user_id) { where(user_id: user_id) }
end
class_methods do
......
---
title: Add API methods to manipulate LDAP Override attribute
merge_request:
merge_request: 28674
author: Peter Lloyd <peter.lloyd@cambridgeconsultants.com>
type: added
......@@ -14,7 +14,7 @@ module EE
expose :is_using_seat, if: -> (_, options) { options[:show_seat_info] }
expose :override,
if: ->(member, options) { member.source_type == 'Namespace' && member.ldap? }
if: ->(member, _) { member.source_type == 'Namespace' && member.ldap? }
end
end
end
......
......@@ -45,6 +45,21 @@ module EE
member
end
def find_member(params)
source = find_source(:group, params.delete(:id))
authorize! :override_group_member, source
source.members.by_user_id(params[:user_id]).first
end
def present_member(updated_member)
if updated_member.valid?
present updated_member, with: ::API::Entities::Member
else
render_validation_error!(updated_member)
end
end
def log_audit_event(member)
::AuditEventService.new(
current_user,
......
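Review bot: `find_member` ends in `source.members.by_user_id(params[:user_id]).first`, which returns nil when the user is not a member of the group, whereas the lookup it replaces in the endpoints used `find_by!` and raised instead (presumably mapped to a 404). The nil is then passed straight to `::Members::UpdateService#execute`, so unless that service guards against it the request likely ends in a 500 rather than a not-found response. Using `source.members.by_user_id(params[:user_id]).first!` would keep the previous behaviour. The helper also mutates the caller's hash through `params.delete(:id)`, which deserves a short comment on the method. `log_audit_event` continues outside the hunk.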
......@@ -10,55 +10,37 @@ module EE
requires :id, type: String, desc: 'The ID of a group'
end
resource :groups, requirements: ::API::API::NAMESPACE_OR_PROJECT_REQUIREMENTS do
desc 'Overrides a member of a group.' do
desc 'Overrides the access level of an LDAP group member.' do
success Entities::Member
end
params do
requires :user_id, type: Integer, desc: 'The user ID of the member'
end
# rubocop: disable CodeReuse/ActiveRecord
post ":id/members/:user_id/override" do
source = find_source(:group, params.delete(:id))
authorize_admin_source!(:group, source)
member = find_member(params)
member = source.members.find_by!(user_id: params[:user_id])
updated_member =
::Members::UpdateService
.new(current_user, { override: true })
.execute(member, permission: :override)
updated_member = ::Members::UpdateService
.new(current_user, { override: true })
.execute(member, permission: :override)
if updated_member.valid?
present updated_member, with: ::API::Entities::Member
else
render_validation_error!(updated_member)
end
present_member(updated_member)
end
# rubocop: enable CodeReuse/ActiveRecord
desc 'Remove an override of a member of a group.' do
desc 'Remove an LDAP group member access level override.' do
success Entities::Member
end
params do
requires :user_id, type: Integer, desc: 'The user ID of the member'
end
# rubocop: disable CodeReuse/ActiveRecord
delete ":id/members/:user_id/override" do
source = find_source(:group, params.delete(:id))
authorize_admin_source!(:group, source)
member = find_member(params)
member = source.members.find_by!(user_id: params[:user_id])
updated_member =
::Members::UpdateService
.new(current_user, { override: false })
.execute(member, permission: :override)
updated_member = ::Members::UpdateService
.new(current_user, { override: false })
.execute(member, permission: :override)
if updated_member.valid?
present updated_member, with: ::API::Entities::Member
else
render_validation_error!(updated_member)
end
present_member(updated_member)
end
# rubocop: enable CodeReuse/ActiveRecord
end
end
end
......
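Review bot: Both handlers appear to drop `authorize_admin_source!(:group, source)`, so the only authorization left on these routes is the `authorize! :override_group_member, source` call hidden inside `find_member`. Whether that ability is as narrow as the admin check it replaces cannot be seen from this page, so request specs asserting a 403 for a user without it on both `POST` and `DELETE` `:id/members/:user_id/override` would pin the behaviour. A one-line comment above `member = find_member(params)`, such as `# find_member authorizes :override_group_member on the group`, would keep the check visible at the call site.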
This diff is collapsed.