26f32aff
Commit
26f32aff
authored
8 years ago
by
Douglas Barbosa Alexandre
Committed by
Phil Hughes
8 years ago
Allow owner/master to change membership when LDAP group sync is enabled
parent
cc65fb54
Showing
4 changed files
with
32 additions
and
11 deletions
+32
-11
app/controllers/groups/group_members_controller.rb
app/controllers/groups/group_members_controller.rb
+13
-2
app/policies/group_member_policy.rb
app/policies/group_member_policy.rb
+7
-1
app/policies/group_policy.rb
app/policies/group_policy.rb
+4
-1
app/views/shared/members/_member.html.haml
app/views/shared/members/_member.html.haml
+8
-7
app/controllers/groups/group_members_controller.rb
...
@@ -2,7 +2,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
...
@@ -2,7 +2,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
include
MembershipActions
include
MembershipActions
# Authorize
# Authorize
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
,
:request_access
]
before_action
:authorize_admin_group_member!
,
except:
[
:index
,
:leave
,
:request_access
,
:update
,
:override
]
before_action
:authorize_update_group_member!
,
only:
[
:update
,
:override
]
def
index
def
index
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
@project
=
@group
.
projects
.
find
(
params
[
:project_id
])
if
params
[
:project_id
]
...
@@ -94,8 +95,18 @@ class Groups::GroupMembersController < Groups::ApplicationController
...
@@ -94,8 +95,18 @@ class Groups::GroupMembersController < Groups::ApplicationController
protected
protected
def
authorize_update_group_member!
unless
can?
(
current_user
,
:admin_group_member
,
group
)
||
can?
(
current_user
,
:override_group_member
,
group
)
return
render_403
end
end
def
member_params
def
member_params
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
,
:expires_at
,
:override
)
params
.
require
(
:group_member
).
permit
(
:access_level
,
:user_id
,
:expires_at
)
end
def
override_params
params
.
require
(
:group_member
).
permit
(
:override
)
end
end
# MembershipActions concern
# MembershipActions concern
...
...
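Review bot: `authorize_update_group_member!` gates `update` and `override` on a group-level ability only, and it passes when the user holds either `:admin_group_member` or `:override_group_member` on the group. In an LDAP-synced group an owner therefore reaches `update` holding only the override ability, so the per-member rule in GroupMemberPolicy (`:update_group_member` granted only once the member's override flag is set) has to be enforced inside the action itself. The `update` and `override` bodies are not in the visible hunks, so this needs confirming. If they do not already check it, add a member-scoped check such as `return render_403 unless can?(current_user, :update_group_member, member)` in `update` (with `member` being the record the action loads) and the `:override_group_member` equivalent in `override`. A comment above the filter, e.g. `# Coarse group-level gate; the per-member policy check happens in the action`, would keep it from being read as the final decision.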
app/policies/group_member_policy.rb
...
@@ -16,6 +16,12 @@ class GroupMemberPolicy < BasePolicy
...
@@ -16,6 +16,12 @@ class GroupMemberPolicy < BasePolicy
can!
:destroy_group_member
can!
:destroy_group_member
end
end
# cannot! :update_group_member if @subject.ldap
# EE-only
can_override
=
Ability
.
allowed?
(
@user
,
:override_group_member
,
group
)
if
can_override
&&
@subject
.
ldap?
can!
:override_group_member
can!
:update_group_member
if
@subject
.
override?
end
end
end
end
end
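Review bot: The added block only grants abilities, and the one line that stated the deny intent, the commented `# cannot! :update_group_member if @subject.ldap`, is removed, so nothing visible here keeps an LDAP-managed membership without an override read-only. That outcome now depends on the rules earlier in this method, which are outside the hunk, never granting `:update_group_member` for such a member. If that is the intended rule, consider making it explicit with `cannot! :update_group_member if @subject.ldap? && !@subject.override?`, or at least a comment above the block: `# LDAP-managed memberships may only be edited after the override flag has been set`. Separately, `Ability.allowed?` is evaluated for every member even when `@subject.ldap?` is false; `if @subject.ldap? && Ability.allowed?(@user, :override_group_member, group)` skips that work for non-LDAP rows.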
app/policies/group_policy.rb
...
@@ -35,7 +35,10 @@ class GroupPolicy < BasePolicy
...
@@ -35,7 +35,10 @@ class GroupPolicy < BasePolicy
end
end
# EE-only
# EE-only
# cannot! :admin_group_member if @subject.ldap_synced?
if
@subject
.
ldap_synced?
cannot!
:admin_group_member
can!
:override_group_member
if
owner
end
end
end
def
can_read_group?
def
can_read_group?
...
...
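Review bot: The commit title says owner/master, but the grant here is `can! :override_group_member if owner`, so masters of an LDAP-synced group get `cannot! :admin_group_member` and nothing in return unless `owner` (defined outside this hunk) already covers them. Either the title or the condition should be corrected so the intended privilege boundary is unambiguous. Since this branch widens who can alter directory-managed membership, it deserves a comment saying so, e.g. `# LDAP-synced group: membership comes from the directory; only owners may override individual members`.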
app/views/shared/members/_member.html.haml
...
@@ -3,9 +3,10 @@
...
@@ -3,9 +3,10 @@
-
user
=
local_assigns
.
fetch
(
:user
,
member
.
user
)
-
user
=
local_assigns
.
fetch
(
:user
,
member
.
user
)
-
source
=
member
.
source
-
source
=
member
.
source
-
can_admin_member
=
can?
(
current_user
,
action_member_permission
(
:update
,
member
),
member
)
-
can_admin_member
=
can?
(
current_user
,
action_member_permission
(
:update
,
member
),
member
)
-
can_override_member
=
can?
(
current_user
,
action_member_permission
(
:override
,
member
),
member
)
-
update_url
=
member
.
type
==
'GroupMember'
?
group_group_member_path
(
@group
,
member
)
:
namespace_project_project_member_path
(
@project
.
namespace
,
@project
,
member
)
-
update_url
=
member
.
type
==
'GroupMember'
?
group_group_member_path
(
@group
,
member
)
:
namespace_project_project_member_path
(
@project
.
namespace
,
@project
,
member
)
%li
.member
{
class:
[
dom_class
(
member
),
(
"is-overriden"
if
member
.
override
&&
can_admin_member
)],
id:
dom_id
(
member
)
}
%li
.member
{
class:
[
dom_class
(
member
),
(
"is-overriden"
if
member
.
override
)],
id:
dom_id
(
member
)
}
%span
.list-item-name
%span
.list-item-name
-
if
user
-
if
user
=
image_tag
avatar_icon
(
user
,
40
),
class:
"avatar s40"
,
alt:
''
=
image_tag
avatar_icon
(
user
,
40
),
class:
"avatar s40"
,
alt:
''
...
@@ -35,7 +36,7 @@
...
@@ -35,7 +36,7 @@
%span
{
class:
(
'text-warning'
if
member
.
expires_soon?
)
}
%span
{
class:
(
'text-warning'
if
member
.
expires_soon?
)
}
Expires in
#{
distance_of_time_in_words_to_now
(
member
.
expires_at
)
}
Expires in
#{
distance_of_time_in_words_to_now
(
member
.
expires_at
)
}
-
if
member
.
ldap?
-
if
can_override_member
%span
.label.label-info.pull-right.visible-xs-block
%span
.label.label-info.pull-right.visible-xs-block
LDAP
LDAP
...
@@ -50,7 +51,7 @@
...
@@ -50,7 +51,7 @@
=
time_ago_with_tooltip
(
member
.
created_at
)
=
time_ago_with_tooltip
(
member
.
created_at
)
-
if
show_roles
-
if
show_roles
.controls.member-controls
.controls.member-controls
-
if
member
.
ldap?
-
if
can_override_member
%span
.label.label-info.members-ldap.hidden-xs
%span
.label.label-info.members-ldap.hidden-xs
LDAP
LDAP
-
if
show_controls
&&
(
member
.
respond_to?
(
:group
)
&&
@group
)
||
(
member
.
respond_to?
(
:project
)
&&
@project
)
-
if
show_controls
&&
(
member
.
respond_to?
(
:group
)
&&
@group
)
||
(
member
.
respond_to?
(
:project
)
&&
@project
)
...
@@ -73,7 +74,7 @@
...
@@ -73,7 +74,7 @@
=
link_to
role
,
"javascript:void(0)"
,
=
link_to
role
,
"javascript:void(0)"
,
class:
(
"is-active"
if
member
.
access_level
==
role_id
),
class:
(
"is-active"
if
member
.
access_level
==
role_id
),
data:
{
id:
role_id
}
data:
{
id:
role_id
}
-
if
member
.
ldap?
-
if
can_override_member
%li
.divider
%li
.divider
%li
%li
=
link_to
"Revert to LDAP group sync settings"
,
"javascript:void(0)"
,
=
link_to
"Revert to LDAP group sync settings"
,
"javascript:void(0)"
,
...
@@ -95,7 +96,7 @@
...
@@ -95,7 +96,7 @@
class:
'btn btn-success prepend-left-10'
,
class:
'btn btn-success prepend-left-10'
,
title:
'Grant access'
title:
'Grant access'
-
if
can?
(
current_user
,
action_member_permission
(
:destroy
,
member
),
member
)
&&
!
member
.
ldap?
-
if
can?
(
current_user
,
action_member_permission
(
:destroy
,
member
),
member
)
-
if
current_user
==
user
-
if
current_user
==
user
=
link_to
icon
(
'sign-out'
,
text:
'Leave'
),
polymorphic_path
([
:leave
,
member
.
source
,
:members
]),
=
link_to
icon
(
'sign-out'
,
text:
'Leave'
),
polymorphic_path
([
:leave
,
member
.
source
,
:members
]),
method: :delete
,
method: :delete
,
...
@@ -111,7 +112,7 @@
...
@@ -111,7 +112,7 @@
%span
.visible-xs-block
%span
.visible-xs-block
Delete
Delete
=
icon
(
'trash'
,
class:
'hidden-xs'
)
=
icon
(
'trash'
,
class:
'hidden-xs'
)
-
elsif
member
.
ldap?
&&
can_admin
_member
-
if
can_override
_member
%button
.btn.btn-default.btn-ldap-override.js-ldap-permissions
{
type:
"button"
,
%button
.btn.btn-default.btn-ldap-override.js-ldap-permissions
{
type:
"button"
,
"aria-label"
=>
"Edit permissions"
,
"aria-label"
=>
"Edit permissions"
,
data:
{
name:
user
.
name
,
id:
dom_id
(
member
)
}
}
data:
{
name:
user
.
name
,
id:
dom_id
(
member
)
}
}
...
@@ -120,7 +121,7 @@
...
@@ -120,7 +121,7 @@
=
icon
(
"pencil"
,
class:
"hidden-xs hidden-sm"
)
=
icon
(
"pencil"
,
class:
"hidden-xs hidden-sm"
)
-
else
-
else
%span
.member-access-text
=
member
.
human_access
%span
.member-access-text
=
member
.
human_access
-
if
member
.
ldap?
&&
can_admin
_member
-
if
can_override
_member
%li
.alert.alert-member-ldap
{
style:
"display: none;"
}
%li
.alert.alert-member-ldap
{
style:
"display: none;"
}
%p
%p
=
user
.
name
=
user
.
name
...
...
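Review bot: The delete/leave condition drops `&& !member.ldap?`, so for LDAP-managed members the control is now shown whenever the policy grants the destroy permission, and nothing visible in this commit adds a matching deny for LDAP members in GroupMemberPolicy. Template conditions only hide controls, so if removing directory-managed members should stay blocked, that has to be expressed in the policy; worth confirming against the policy rules outside the visible hunks. Also, `- elsif member.ldap? && can_admin_member` became `- if can_override_member`; in HAML that changes which block the following `- else` belongs to, and the indentation is not recoverable from this rendering, so please check that the `member-access-text` fallback still renders only when intended.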