Fix overly aggressive prevent call

All we need to prevent when the user is the last owner is that they cannot remove themselves, and leave the group un-owned. The existing call is too aggressive and prevents any action, even legitimate ones like `:read_group`. This change fixes that by naming the abilities we are trying to prevent. This work was done as part of https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40088, where this caused a bug. Since it is isolated it can be pulled out.

Fix overly aggressive prevent call
All we need to prevent when the user is the last owner is that they cannot remove themselves, and leave the group un-owned. The existing call is too aggressive and prevents any action, even legitimate ones like `:read_group`. This change fixes that by naming the abilities we are trying to prevent. This work was done as part of https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40088, where this caused a bug. Since it is isolated it can be pulled out.
90ca01af · Alex Kalderimis · 8b281570 · 90ca01af · 90ca01af · 90ca01af
Commit 90ca01af authored Nov 11, 2020 by Alex Kalderimis
3 changed files
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -11,7 +11,10 @@ class GroupMemberPolicy < BasePolicy
  condition(:is_target_user) { @user && @subject.user_id == @user.id }

  rule { anonymous }.prevent_all
-  rule { last_owner }.prevent_all
+  rule { last_owner }.policy do
+    prevent :update_group_member
+    prevent :destroy_group_member
+  end

  rule { can?(:admin_group_member) }.policy do
    enable :update_group_member

--- a/changelogs/unreleased/ajk-group-member-policy.yml
+++ b/changelogs/unreleased/ajk-group-member-policy.yml
+---
+title: Fix overly aggressive prevent call
+merge_request: 47455
+author:
+type: fixed
--- a/spec/policies/group_member_policy_spec.rb
+++ b/spec/policies/group_member_policy_spec.rb
@@ -42,6 +42,7 @@ RSpec.describe GroupMemberPolicy do
    it do
      expect_disallowed(:destroy_group_member)
      expect_disallowed(:update_group_member)
+      expect_allowed(:read_group)
    end
  end