Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
e04e585c
Commit
e04e585c
authored
Feb 12, 2019
by
Pavel Shutsin
Committed by
Jarka Košanová
Mar 05, 2019
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Respect group membership lock when importing a member from another group
parent
6276d562
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
98 additions
and
38 deletions
+98
-38
app/controllers/projects/project_members_controller.rb
app/controllers/projects/project_members_controller.rb
+5
-0
ee/changelogs/unreleased/security-maintainer-can-ignore-membership-lock.yml
...leased/security-maintainer-can-ignore-membership-lock.yml
+5
-0
spec/controllers/projects/project_members_controller_spec.rb
spec/controllers/projects/project_members_controller_spec.rb
+88
-38
No files found.
app/controllers/projects/project_members_controller.rb
View file @
e04e585c
...
@@ -7,6 +7,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController
...
@@ -7,6 +7,7 @@ class Projects::ProjectMembersController < Projects::ApplicationController
# Authorize
# Authorize
before_action
:authorize_admin_project_member!
,
except:
[
:index
,
:leave
,
:request_access
]
before_action
:authorize_admin_project_member!
,
except:
[
:index
,
:leave
,
:request_access
]
before_action
:check_membership_lock!
,
only:
[
:create
,
:import
,
:apply_import
]
# rubocop: disable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def
index
def
index
...
@@ -50,4 +51,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
...
@@ -50,4 +51,8 @@ class Projects::ProjectMembersController < Projects::ApplicationController
# MembershipActions concern
# MembershipActions concern
alias_method
:membershipable
,
:project
alias_method
:membershipable
,
:project
def
check_membership_lock!
access_denied!
(
'Membership is locked by group settings'
)
if
membership_locked?
end
end
end
ee/changelogs/unreleased/security-maintainer-can-ignore-membership-lock.yml
0 → 100644
View file @
e04e585c
---
title
:
Respect group membership lock when importing a member from another group
merge_request
:
author
:
type
:
security
spec/controllers/projects/project_members_controller_spec.rb
View file @
e04e585c
...
@@ -2,7 +2,8 @@ require('spec_helper')
...
@@ -2,7 +2,8 @@ require('spec_helper')
describe
Projects
::
ProjectMembersController
do
describe
Projects
::
ProjectMembersController
do
let
(
:user
)
{
create
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
:access_requestable
)
}
let
(
:project
)
{
create
(
:project
,
:public
,
:access_requestable
,
namespace:
namespace
)
}
let
(
:namespace
)
{
create
:group
}
describe
'GET index'
do
describe
'GET index'
do
it
'should have the project_members address with a 200 status code'
do
it
'should have the project_members address with a 200 status code'
do
...
@@ -313,6 +314,13 @@ describe Projects::ProjectMembersController do
...
@@ -313,6 +314,13 @@ describe Projects::ProjectMembersController do
end
end
describe
'POST apply_import'
do
describe
'POST apply_import'
do
subject
(
:apply_import
)
do
post
(
:apply_import
,
params:
{
namespace_id:
project
.
namespace
,
project_id:
project
,
source_project_id:
another_project
.
id
})
end
let
(
:another_project
)
{
create
(
:project
,
:private
)
}
let
(
:another_project
)
{
create
(
:project
,
:private
)
}
let
(
:member
)
{
create
(
:user
)
}
let
(
:member
)
{
create
(
:user
)
}
...
@@ -322,40 +330,44 @@ describe Projects::ProjectMembersController do
...
@@ -322,40 +330,44 @@ describe Projects::ProjectMembersController do
sign_in
(
user
)
sign_in
(
user
)
end
end
shared_context
'import applied'
do
before
do
post
(
:apply_import
,
params:
{
namespace_id:
project
.
namespace
,
project_id:
project
,
source_project_id:
another_project
.
id
})
end
end
context
'when user can access source project members'
do
context
'when user can access source project members'
do
before
do
before
do
another_project
.
add_guest
(
user
)
another_project
.
add_guest
(
user
)
end
end
include_context
'import applied'
it
'imports source project members'
do
it
'imports source project members'
do
apply_import
expect
(
project
.
team_members
).
to
include
member
expect
(
project
.
team_members
).
to
include
member
expect
(
response
).
to
set_flash
.
to
'Successfully imported'
expect
(
response
).
to
set_flash
.
to
'Successfully imported'
expect
(
response
).
to
redirect_to
(
expect
(
response
).
to
redirect_to
(
project_project_members_path
(
project
)
project_project_members_path
(
project
)
)
)
end
end
context
'and the project group has membership lock enabled'
do
before
do
project
.
namespace
.
update
(
membership_lock:
true
)
end
it
'responds with 403'
do
apply_import
expect
(
response
.
status
).
to
eq
403
end
end
end
end
context
'when user is not member of a source project'
do
context
'when user is not member of a source project'
do
include_context
'import applied'
it
'does not import team members'
do
it
'does not import team members'
do
apply_import
expect
(
project
.
team_members
).
not_to
include
member
expect
(
project
.
team_members
).
not_to
include
member
end
end
it
'responds with not found'
do
it
'responds with not found'
do
apply_import
expect
(
response
.
status
).
to
eq
404
expect
(
response
.
status
).
to
eq
404
end
end
end
end
...
@@ -363,40 +375,78 @@ describe Projects::ProjectMembersController do
...
@@ -363,40 +375,78 @@ describe Projects::ProjectMembersController do
describe
'POST create'
do
describe
'POST create'
do
let
(
:stranger
)
{
create
(
:user
)
}
let
(
:stranger
)
{
create
(
:user
)
}
subject
(
:create_member
)
do
post
:create
,
params:
{
user_ids:
stranger
.
id
,
namespace_id:
project
.
namespace
,
access_level:
access_level
,
project_id:
project
}
end
let
(
:access_level
)
{
nil
}
before
do
project
.
add_maintainer
(
user
)
sign_in
(
user
)
end
context
'when creating owner'
do
context
'when creating owner'
do
before
do
let
(
:access_level
)
{
Member
::
OWNER
}
project
.
add_maintainer
(
user
)
sign_in
(
user
)
end
it
'does not create a member'
do
it
'does not create a member'
do
expect
do
expect
{
create_member
}.
not_to
change
{
project
.
members
.
count
}
post
:create
,
params:
{
user_ids:
stranger
.
id
,
namespace_id:
project
.
namespace
,
access_level:
Member
::
OWNER
,
project_id:
project
}
end
.
to
change
{
project
.
members
.
count
}.
by
(
0
)
end
end
end
end
context
'when create maintainer'
do
context
'when create maintainer'
do
let
(
:access_level
)
{
Member
::
MAINTAINER
}
it
'creates a member'
do
expect
{
create_member
}.
to
change
{
project
.
members
.
count
}.
by
(
1
)
end
end
context
'when project group has membership lock enabled'
do
before
do
before
do
project
.
add_maintainer
(
user
)
project
.
namespace
.
update
(
membership_lock:
true
)
sign_in
(
user
)
end
end
it
'creates a member'
do
it
'responds with 403'
do
expect
do
create_member
post
:create
,
params:
{
user_ids:
stranger
.
id
,
expect
(
response
.
status
).
to
eq
403
namespace_id:
project
.
namespace
,
end
access_level:
Member
::
MAINTAINER
,
end
project_id:
project
end
}
end
.
to
change
{
project
.
members
.
count
}.
by
(
1
)
describe
'GET import'
do
subject
(
:import
)
do
get
:import
,
params:
{
namespace_id:
project
.
namespace
,
project_id:
project
}
end
before
do
project
.
add_maintainer
(
user
)
sign_in
(
user
)
end
it
'responds with 200'
do
import
expect
(
response
.
status
).
to
eq
200
end
context
'when project group has membership lock enabled'
do
before
do
project
.
namespace
.
update
(
membership_lock:
true
)
end
it
'responds with 403'
do
import
expect
(
response
.
status
).
to
eq
403
end
end
end
end
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment