Commit 8f71798c authored by Matthias Käppler's avatar Matthias Käppler

Merge branch '332601-usercap-disable-group-sharing' into 'master'

Disable project and group sharing when setting a User Cap

See merge request gitlab-org/gitlab!67229
parents c9f4d7b0 108f4f0a
...@@ -11,6 +11,9 @@ class NamespaceSetting < ApplicationRecord ...@@ -11,6 +11,9 @@ class NamespaceSetting < ApplicationRecord
validate :allow_mfa_for_group validate :allow_mfa_for_group
validate :allow_resource_access_token_creation_for_group validate :allow_resource_access_token_creation_for_group
before_save :set_prevent_sharing_groups_outside_hierarchy, if: -> { user_cap_enabled? }
after_save :disable_project_sharing!, if: -> { user_cap_enabled? }
before_validation :normalize_default_branch_name before_validation :normalize_default_branch_name
NAMESPACE_SETTINGS_PARAMS = [:default_branch_name, :delayed_project_removal, NAMESPACE_SETTINGS_PARAMS = [:default_branch_name, :delayed_project_removal,
...@@ -19,6 +22,12 @@ class NamespaceSetting < ApplicationRecord ...@@ -19,6 +22,12 @@ class NamespaceSetting < ApplicationRecord
self.primary_key = :namespace_id self.primary_key = :namespace_id
def prevent_sharing_groups_outside_hierarchy
return super if namespace.root?
namespace.root_ancestor.prevent_sharing_groups_outside_hierarchy
end
private private
def normalize_default_branch_name def normalize_default_branch_name
...@@ -48,6 +57,18 @@ class NamespaceSetting < ApplicationRecord ...@@ -48,6 +57,18 @@ class NamespaceSetting < ApplicationRecord
errors.add(:resource_access_token_creation_allowed, _('is not allowed since the group is not top-level group.')) errors.add(:resource_access_token_creation_allowed, _('is not allowed since the group is not top-level group.'))
end end
end end
def set_prevent_sharing_groups_outside_hierarchy
self.prevent_sharing_groups_outside_hierarchy = true
end
def disable_project_sharing!
namespace.update_attribute(:share_with_group_lock, true)
end
def user_cap_enabled?
new_user_signups_cap.present? && namespace.root?
end
end end
NamespaceSetting.prepend_mod_with('NamespaceSetting') NamespaceSetting.prepend_mod_with('NamespaceSetting')
...@@ -106,4 +106,81 @@ RSpec.describe NamespaceSetting, type: :model do ...@@ -106,4 +106,81 @@ RSpec.describe NamespaceSetting, type: :model do
end end
end end
end end
describe '#prevent_sharing_groups_outside_hierarchy' do
let(:settings) { create(:namespace_settings, prevent_sharing_groups_outside_hierarchy: true) }
let!(:group) { create(:group, parent: parent, namespace_settings: settings ) }
subject(:group_sharing_setting) { settings.prevent_sharing_groups_outside_hierarchy }
context 'when this namespace is a root ancestor' do
let(:parent) { nil }
it 'returns the actual stored value' do
expect(group_sharing_setting).to be_truthy
end
end
context 'when this namespace is a descendant' do
let(:parent) { create(:group) }
it 'returns the value stored for the parent settings' do
expect(group_sharing_setting).to eq(parent.namespace_settings.prevent_sharing_groups_outside_hierarchy)
expect(group_sharing_setting).to be_falsey
end
end
end
describe 'hooks related to group user cap update' do
let(:settings) { create(:namespace_settings, new_user_signups_cap: user_cap) }
let(:group) { create(:group, namespace_settings: settings) }
before do
allow(group).to receive(:root?).and_return(true)
end
context 'when updating a group with a user cap' do
let(:user_cap) { nil }
it 'also sets share_with_group_lock and prevent_sharing_groups_outside_hierarchy to true' do
expect(group.new_user_signups_cap).to be_nil
expect(group.share_with_group_lock).to be_falsey
expect(settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
settings.update!(new_user_signups_cap: 10)
group.reload
expect(group.new_user_signups_cap).to eq(10)
expect(group.share_with_group_lock).to be_truthy
expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
end
it 'has share_with_group_lock and prevent_sharing_groups_outside_hierarchy returning true for descendent groups' do
descendent = create(:group, parent: group)
desc_settings = descendent.namespace_settings
expect(descendent.share_with_group_lock).to be_falsey
expect(desc_settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
settings.update!(new_user_signups_cap: 10)
expect(descendent.reload.share_with_group_lock).to be_truthy
expect(desc_settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
end
end
context 'when removing a user cap from namespace settings' do
let(:user_cap) { 10 }
it 'leaves share_with_group_lock and prevent_sharing_groups_outside_hierarchy set to true to the related group' do
expect(group.share_with_group_lock).to be_truthy
expect(settings.prevent_sharing_groups_outside_hierarchy).to be_truthy
settings.update!(new_user_signups_cap: nil)
expect(group.reload.share_with_group_lock).to be_truthy
expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
end
end
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment