Add cr remarks

ee/lib/gitlab/auth/group_saml/gma_membership_enforcer.rb

@@ -9,27 +9,27 @@ module Gitlab
         end
 
         def can_add_user?(user)
-          can_add_user_to_main_project = check_group_membership(user, project)
-          can_add_user_to_source_project = project.forked? ? check_group_membership(user, project.forked_from_project) : true
-
-          can_add_user_to_main_project && can_add_user_to_source_project
+          check_project_membership(user) && check_source_project_membership(user)
         end
 
         private
 
         attr_reader :project
 
-        def check_group_membership(user, given_project)
-          root_ancestor = project_root_ancestor(given_project)
+        def check_project_membership(user)
+          check_group_managed_account(project.root_ancestor, user)
+        end
 
-          return true unless root_ancestor.kind == 'group'
-          return true unless root_ancestor.enforced_group_managed_accounts?
+        def check_source_project_membership(user)
+          return true unless project.forked?
 
-          root_ancestor == user.managing_group
+          check_group_managed_account(project.forked_from_project.root_ancestor, user)
         end
 
-        def project_root_ancestor(given_project)
-          given_project.root_ancestor
+        def check_group_managed_account(root_ancestor, user)
+          return true unless root_ancestor.is_a?(Group) && root_ancestor.enforced_group_managed_accounts?
+
+          root_ancestor == user.managing_group
         end
       end
     end

ee/spec/lib/gitlab/auth/group_saml/gma_membership_enforcer_spec.rb

@@ -4,6 +4,7 @@ require 'spec_helper'
 
 describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
   include ProjectForksHelper
+
   let_it_be(:group) { create(:group_with_managed_accounts, :private) }
   let_it_be(:project) { create(:project, namespace: group)}
   let_it_be(:managed_user) { create(:user, :group_managed, managing_group: group) }
@@ -30,7 +31,7 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
   end
 
   context 'when the project is forked' do
-    let(:forked_project) { fork_project(project, managed_user_for_project) }
+    subject { described_class.new(fork_project(project, managed_user_for_project)) }
 
     before do
       project.add_developer(managed_user_for_project)
@@ -38,13 +39,13 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
 
     context 'when user is group-managed' do
       it 'allows adding user to project' do
-        expect(described_class.new(forked_project).can_add_user?(managed_user)).to be_truthy
+        expect(subject.can_add_user?(managed_user)).to be_truthy
       end
     end
 
     context 'when user is not group-managed' do
       it 'does not allow adding user to project' do
-        expect(described_class.new(forked_project).can_add_user?(create(:user))).to be_falsey
+        expect(subject.can_add_user?(create(:user))).to be_falsey
       end
     end
   end
@@ -53,6 +54,8 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
     let(:project) { create(:project) }
     let(:forked_project) { create(:project, namespace: group) }
 
+    subject { described_class.new(forked_project) }
+
     before do
       project.add_developer(managed_user_for_project)
       fork_project(project, managed_user_for_project, namespace: group, target_project: forked_project)
@@ -60,13 +63,13 @@ describe Gitlab::Auth::GroupSaml::GmaMembershipEnforcer do
 
     context 'when user is group-managed' do
       it 'allows adding user to project' do
-        expect(described_class.new(forked_project).can_add_user?(managed_user)).to be_truthy
+        expect(subject.can_add_user?(managed_user)).to be_truthy
       end
     end
 
     context 'when user is not group-managed' do
       it 'does not allow adding user to project' do
-        expect(described_class.new(forked_project).can_add_user?(create(:user))).to be_falsey
+        expect(subject.can_add_user?(create(:user))).to be_falsey
       end
     end
   end