Don't pass a current user to calling Member#add_user in LDAP group sync

This is because group owners have their `:admin_group_member` permission removed when the group is LDAP synced, thus ending in an early return at `return member unless can_update_member?(current_user, member)` in `Member.add_user`, leading to new LDAP users not being created. This make this change while still being able to approve access requests during a LDAP sync, `Members::ApproveAccessRequestService` has been changed (in CE) to accept a `:force` option that bypass permission check (since the permission is removed for owners of LDAP-synced groups). This option is thus set to `ldap` in `Member.add_user`. Signed-off-by: Rémy Coutable <remy@rymai.me>

Don't pass a current user to calling Member#add_user in LDAP group sync
This is because group owners have their `:admin_group_member` permission removed when the group is LDAP synced, thus ending in an early return at `return member unless can_update_member?(current_user, member)` in `Member.add_user`, leading to new LDAP users not being created. This make this change while still being able to approve access requests during a LDAP sync, `Members::ApproveAccessRequestService` has been changed (in CE) to accept a `:force` option that bypass permission check (since the permission is removed for owners of LDAP-synced groups). This option is thus set to `ldap` in `Member.add_user`. Signed-off-by: Rémy Coutable <remy@rymai.me>
8e748bdb · Rémy Coutable · 8018c125 · 8e748bdb · 8e748bdb · 8e748bdb
Commit 8e748bdb authored Oct 28, 2016 by Rémy Coutable
Showing with 11 additions and 20 deletions

app/models/member.rb app/models/member.rb +1 -1

lib/ee/gitlab/ldap/sync/group.rb lib/ee/gitlab/ldap/sync/group.rb +2 -18

spec/lib/ee/gitlab/ldap/sync/group_spec.rb spec/lib/ee/gitlab/ldap/sync/group_spec.rb +8 -1

No files found.
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -111,7 +111,7 @@ class Member < ActiveRecord::Base
          current_user,
          id: member.id,
          access_level: access_level
-        ).execute
+        ).execute(force: ldap)
      else
        member.save
      end

--- a/lib/ee/gitlab/ldap/sync/group.rb
+++ b/lib/ee/gitlab/ldap/sync/group.rb
@@ -99,13 +99,6 @@ module EE
          def update_existing_group_membership(group, access_levels)
            logger.debug { "Updating existing membership for '#{group.name}' group" }

-            # Access requesters must be approved by a group owner so we take the
-            # first group owner and pass it as `current_user` to `#add_or_update_user_membership`.
-            # For users that are not access requesters, it doesn't matter if
-            # `current_user` is `nil` because the permissions to update users are
-            # not enforced in `Member.add_user`!
-            added_by = group.members.owners.first.try(:user)
-
            select_and_preload_group_members(group).each do |member|
              user = member.user
              identity = user.identities.select(:id, :extern_uid)
@@ -147,8 +140,7 @@ module EE
                add_or_update_user_membership(
                  user,
                  group,
-                  desired_access,
-                  current_user: added_by
+                  desired_access
                )
              elsif group.last_owner?(user)
                warn_cannot_remove_last_owner(user, group)
@@ -161,13 +153,6 @@ module EE
          def add_new_members(group, access_levels)
            logger.debug { "Adding new members to '#{group.name}' group" }

-            # Access requesters must be approved by a group owner so we take the
-            # first group owner and pass it as `current_user` to `#add_or_update_user_membership`.
-            # For users that are not access requesters, it doesn't matter if
-            # `current_user` is `nil` because the permissions to update users are
-            # not enforced in `Member.add_user`!
-            added_by = group.members.owners.first.try(:user)
-
            access_levels.each do |member_dn, access_level|
              user = ::Gitlab::LDAP::User.find_by_uid_and_provider(member_dn, provider)

@@ -175,8 +160,7 @@ module EE
                add_or_update_user_membership(
                  user,
                  group,
-                  access_level,
-                  current_user: added_by
+                  access_level
                )
              else
                logger.debug do

--- a/spec/lib/ee/gitlab/ldap/sync/group_spec.rb
+++ b/spec/lib/ee/gitlab/ldap/sync/group_spec.rb
@@ -4,10 +4,13 @@ describe EE::Gitlab::LDAP::Sync::Group, lib: true do
  include LdapHelpers

  let(:adapter) { ldap_adapter }
-  let(:sync_group) { described_class.new(group, proxy(adapter)) }
  let(:user) { create(:user) }

  before do
+    # We need to actually activate the LDAP config otherwise `Group#ldap_synced?`
+    # will always be false!
+    allow(Gitlab.config.ldap).to receive_messages(enabled: true)
+
    create(:identity, user: user, extern_uid: user_dn(user.username))

    stub_ldap_config(active_directory: false)
@@ -113,6 +116,9 @@ describe EE::Gitlab::LDAP::Sync::Group, lib: true do

  describe '#update_permissions' do
    before do
+      # Safe-check because some permissions are removed when `Group#ldap_synced?`
+      # is true (e.g. in `GroupPolicy`).
+      expect(group).to be_ldap_synced
      group.start_ldap_sync
    end
    after do
@@ -124,6 +130,7 @@ describe EE::Gitlab::LDAP::Sync::Group, lib: true do
             cn: 'ldap_group1',
             group_access: ::Gitlab::Access::DEVELOPER)
    end
+    let(:sync_group) { described_class.new(group, proxy(adapter)) }

    context 'with all functionality against one LDAP group type' do
      context 'with basic add/update actions' do