Merge branch...

Merge branch '353309-group-level-protected-environments-don-t-take-inherited-membership-into-account' into 'master'

Resolve "Group-level PE don't take inherited membership into account"

See merge request gitlab-org/gitlab!82415

ee/app/models/protected_environment/deploy_access_level.rb

@@ -22,7 +22,7 @@ class ProtectedEnvironment::DeployAccessLevel < ApplicationRecord
     return false unless user
     return true if user.admin?
     return user.id == user_id if user_type?
-    return group.users.exists?(user.id) if group_type?
+    return group.member?(user) if group_type?
 
     protected_environment.container_access_level(user) >= access_level
   end

ee/spec/models/protected_environment/deploy_access_level_spec.rb

@@ -70,6 +70,19 @@ RSpec.describe ProtectedEnvironment::DeployAccessLevel do
         it { is_expected.to be_truthy }
       end
 
+      context 'when there is an inherited member of a group' do
+        let_it_be(:parent_group) { create(:group) }
+        let_it_be(:child_group) { create(:group, parent: parent_group, projects: [project])}
+
+        let(:deploy_access_level) { create(:protected_environment_deploy_access_level, protected_environment: protected_environment, group: child_group) }
+
+        before do
+          parent_group.add_reporter(user)
+        end
+
+        it { is_expected.to be_truthy }
+      end
+
       context 'when no permissions have been given to a group' do
         let(:deploy_access_level) { create(:protected_environment_deploy_access_level, protected_environment: protected_environment) }