Handle permissions for group sharing with pending memberships

Treat pending members of invited groups as if they are not members

app/models/group.rb

@@ -882,6 +882,7 @@ class Group < Namespace
       .where(group_member_table[:requested_at].eq(nil))
       .where(group_member_table[:source_id].eq(group_group_link_table[:shared_with_group_id]))
       .where(group_member_table[:source_type].eq('Namespace'))
+      .where(group_member_table[:state].eq(::Member::STATE_ACTIVE))
       .non_minimal_access
   end
 

ee/spec/features/pending_group_memberships_spec.rb

@@ -124,6 +124,23 @@ RSpec.describe 'Pending group memberships', :js do
       create(:group_group_link, shared_group: other_group, shared_with_group: group)
     end
 
+    it 'a pending member of the invited group sees the shared group as if not a member' do
+      create(:group_member, :awaiting, :developer, source: group, user: developer)
+
+      visit group_path(other_group)
+
+      expect(page).to have_content 'Page Not Found'
+    end
+
+    it 'a pending member of the invited group sees the shared group as if not a member when the shared group has a project' do
+      create(:project, namespace: other_group)
+      create(:group_member, :awaiting, :developer, source: group, user: developer)
+
+      visit group_path(other_group)
+
+      expect(page).to have_content 'Page Not Found'
+    end
+
     it 'a pending member of the invited group sees a project in the shared group as if not a member' do
       project = create(:project, namespace: other_group)
       create(:group_member, :awaiting, :developer, source: group, user: developer)

ee/spec/policies/group_policy_spec.rb

@@ -1861,6 +1861,31 @@ RSpec.describe GroupPolicy do
       end
     end
 
+    context 'with a group invited to another group' do
+      using RSpec::Parameterized::TableSyntax
+
+      let_it_be(:group) { create(:group, :public) }
+      let_it_be(:other_group) { create(:group, :private) }
+
+      subject { described_class.new(user, other_group) }
+
+      before_all do
+        create(:group_group_link, { shared_with_group: group, shared_group: other_group })
+      end
+
+      where(:role) do
+        %i(owner maintainer developer reporter guest)
+      end
+
+      with_them do
+        it 'a pending member in the group has permissions to the other group as if the user is not a member' do
+          create(:group_member, :awaiting, role, source: group, user: user)
+
+          expect_private_group_permissions_as_if_non_member
+        end
+      end
+    end
+
     def expect_private_group_permissions_as_if_non_member
       expect_disallowed(*public_permissions)
       expect_disallowed(*guest_permissions)

spec/models/group_spec.rb

@@ -1327,10 +1327,14 @@ RSpec.describe Group do
     let!(:group) { create(:group, :nested) }
     let!(:maintainer) { group.parent.add_user(create(:user), GroupMember::MAINTAINER) }
     let!(:developer) { group.add_user(create(:user), GroupMember::DEVELOPER) }
+    let!(:pending_maintainer) { create(:group_member, :awaiting, :maintainer, group: group.parent) }
+    let!(:pending_developer) { create(:group_member, :awaiting, :developer, group: group) }
 
-    it 'returns parents members' do
+    it 'returns parents active members' do
       expect(group.members_with_parents).to include(developer)
       expect(group.members_with_parents).to include(maintainer)
+      expect(group.members_with_parents).not_to include(pending_developer)
+      expect(group.members_with_parents).not_to include(pending_maintainer)
     end
 
     context 'group sharing' do
@@ -1340,9 +1344,11 @@ RSpec.describe Group do
         create(:group_group_link, shared_group: shared_group, shared_with_group: group)
       end
 
-      it 'returns shared with group members' do
+      it 'returns shared with group active members' do
         expect(shared_group.members_with_parents).to(
           include(developer))
+        expect(shared_group.members_with_parents).not_to(
+          include(pending_developer))
       end
     end
   end