Remove protected tag access when group is removed

When a group is removed from the project, it should no longer be included in any protected tags.

Remove protected tag access when group is removed
When a group is removed from the project, it should no longer be included in any protected tags.
8dffe619 · Patrick Bajao · a1b0c955 · 8dffe619 · 8dffe619 · 8dffe619
Commit 8dffe619 authored Nov 27, 2019 by Patrick Bajao
3 changed files
--- a/ee/app/models/ee/project_group_link.rb
+++ b/ee/app/models/ee/project_group_link.rb
@@ -15,6 +15,9 @@ module EE
      project.protected_branches.merge_access_by_group(group).destroy_all # rubocop: disable DestroyAll
      project.protected_branches.push_access_by_group(group).destroy_all # rubocop: disable DestroyAll

+      # For protected tags
+      project.protected_tags.create_access_by_group(group).delete_all
+
      # For protected environments
      project.protected_environments.deploy_access_levels_by_group(group).delete_all
    end

--- a/ee/changelogs/unreleased/security-pb-protected-tags-remove-group.yml
+++ b/ee/changelogs/unreleased/security-pb-protected-tags-remove-group.yml
+---
+title: Remove protected tag access when group is removed
+merge_request:
+author:
+type: security
--- a/ee/spec/models/ee/project_group_link_spec.rb
+++ b/ee/spec/models/ee/project_group_link_spec.rb
@@ -13,16 +13,46 @@ describe ProjectGroupLink do
      project.add_developer(user)
    end

-    it 'removes related protected environment deploy access levels' do
-      params = attributes_for(:protected_environment,
-                              deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }])
+    shared_examples_for 'deleted related access levels' do |access_level_class|
+      it "removes related #{access_level_class}" do
+        expect { project_group_link.destroy! }.to change(access_level_class, :count).by(-1)
+        expect(access_levels.find_by_group_id(group)).to be_nil
+        expect(access_levels.find_by_user_id(user)).to be_persisted
+      end
+    end
+
+    context 'protected tags' do
+      let!(:protected_tag) do
+        ProtectedTags::CreateService.new(
+          project,
+          project.owner,
+          attributes_for(
+            :protected_tag,
+            create_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
+          )
+        ).execute
+      end

-      protected_environment = ProtectedEnvironments::CreateService.new(project, user, params).execute
+      let(:access_levels) { protected_tag.create_access_levels }
+
+      it_behaves_like 'deleted related access levels', ProtectedTag::CreateAccessLevel
+    end
+
+    context 'protected environments' do
+      let!(:protected_environment) do
+        ProtectedEnvironments::CreateService.new(
+          project,
+          project.owner,
+          attributes_for(
+            :protected_environment,
+            deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
+          )
+        ).execute
+      end

-      expect { project_group_link.destroy! }.to change(ProtectedEnvironment::DeployAccessLevel, :count).by(-1)
+      let(:access_levels) { protected_environment.deploy_access_levels }

-      expect(protected_environment.deploy_access_levels.find_by_group_id(group)).to be_nil
-      expect(protected_environment.deploy_access_levels.find_by_user_id(user)).to be_persisted
+      it_behaves_like 'deleted related access levels', ProtectedEnvironment::DeployAccessLevel
    end
  end
 end