Commit e5db4679 authored by Gabriel Mazetto's avatar Gabriel Mazetto

Merge branch 'if-238165-fix_project_create_authorization_for_admin' into 'master'

Projects::CreateService to consider only group membership for admin

See merge request gitlab-org/gitlab!42335
parents 166453a4 9d328e6d
......@@ -410,10 +410,17 @@ class Group < Namespace
.where(namespaces: { id: self_and_descendants.select(:id) })
end
def max_member_access_for_user(user)
# Return the highest access level for a user
#
# A special case is handled here when the user is a GitLab admin
# which implies it has "OWNER" access everywhere, but should not
# officially appear as a member of a group unless specifically added to it
#
# @param user [User]
# @param only_concrete_membership [Bool] whether require admin concrete membership status
def max_member_access_for_user(user, only_concrete_membership: false)
return GroupMember::NO_ACCESS unless user
return GroupMember::OWNER if user.admin?
return GroupMember::OWNER if user.admin? && !only_concrete_membership
max_member_access = members_with_parents.where(user_id: user)
.reorder(access_level: :desc)
......
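Review bot: The new keyword defaults to `false`, so every existing caller of `max_member_access_for_user` still receives the implicit OWNER for admins on L24; only call sites that opt in with `only_concrete_membership: true` get a membership-only answer, and because this method feeds authorization decisions that default deserves to be spelled out in the comment rather than left implicit. The `@param` line on L20 is also hard to parse as written; I would replace it with `# @param only_concrete_membership [Boolean] when true, admins get no implicit OWNER; only real membership rows (members_with_parents) count, exactly as for any other user`. The method body continues past the end of the hunk, so the non-admin path after L26 is not reviewed here.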
......@@ -114,8 +114,13 @@ module Projects
# completes), and any other affected users in the background
def setup_authorizations
if @project.group
group_access_level = @project.group.max_member_access_for_user(current_user,
only_concrete_membership: true)
if group_access_level > GroupMember::NO_ACCESS
current_user.project_authorizations.create!(project: @project,
access_level: @project.group.max_member_access_for_user(current_user))
access_level: group_access_level)
end
if Feature.enabled?(:specialized_project_authorization_workers)
AuthorizedProjectUpdate::ProjectCreateWorker.perform_async(@project.id)
......
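Review bot: The `only_concrete_membership: true` argument on L32-L33 carries the whole security intent of this change but has no comment, so a later refactor could drop it (or pass the default) without anything in the code explaining why that matters; I would add above L32: `# Count only real group membership here: an admin creating a project in a group they do not belong to must not get a persisted OWNER row in project_authorizations (the admin shortcut in Group#max_member_access_for_user is not a membership).` Presumably a persisted row would also outlive a later revocation of the admin flag, which is worth stating if that is the motivation, since nothing visible here removes such rows afterwards. `setup_authorizations` continues past the end of the hunk, so the path for projects in a personal namespace is not visible in this view.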
---
title: Do not add admins as owners to project authorizations during project creation
merge_request: 42335
author:
type: fixed
......@@ -653,6 +653,19 @@ RSpec.describe Group do
expect(shared_group.max_member_access_for_user(user)).to eq(Gitlab::Access::MAINTAINER)
end
end
context 'evaluating admin access level' do
let_it_be(:admin) { create(:admin) }
it 'returns OWNER by default' do
expect(group.max_member_access_for_user(admin)).to eq(Gitlab::Access::OWNER)
end
it 'returns NO_ACCESS when only concrete membership should be considered' do
expect(group.max_member_access_for_user(admin, only_concrete_membership: true))
.to eq(Gitlab::Access::NO_ACCESS)
end
end
end
describe '#members_with_parents' do
......
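Review bot: The new context on L51-L60 covers an admin with no membership but not an admin who is a concrete member, so an implementation that returned NO_ACCESS for every admin whenever the flag is set would still pass both examples. Add a third example that gives the admin a real role first, `group.add_developer(admin)`, then asserts `expect(group.max_member_access_for_user(admin, only_concrete_membership: true)).to eq(Gitlab::Access::DEVELOPER)`, which pins that the flag only removes the implicit grant and keeps the genuine access level. The enclosing `describe` block starts before the hunk.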
......@@ -490,6 +490,25 @@ RSpec.describe API::Projects do
expect(json_response.first['name']).to eq(project4.name)
expect(json_response.first['owner']['username']).to eq(user4.username)
end
context 'when admin creates a project' do
before do
group = create(:group)
project_create_opts = {
name: 'GitLab',
namespace_id: group.id
}
Projects::CreateService.new(admin, project_create_opts).execute
end
it 'does not list as owned project for admin' do
get api('/projects', admin), params: { owned: true }
expect(response).to have_gitlab_http_status(:ok)
expect(json_response).to be_empty
end
end
end
context 'and with starred=true' do
......
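Review bot: The `before` block on L69-L76 discards the result of `Projects::CreateService#execute`, so if creation fails for an unrelated reason (a validation error, for instance) no project exists and `json_response` is empty for the wrong reason, making the example pass vacuously. Keep the return value and check it inside the block: `project = Projects::CreateService.new(admin, project_create_opts).execute` followed by `expect(project).to be_persisted`. I would also assert the fixed behaviour directly instead of only through the `owned=true` filter, e.g. `expect(ProjectAuthorization.where(user: admin)).to be_empty` in the example, assuming that model is available to this spec as it is elsewhere in the app. The `admin` helper used on L75 and L78 is defined outside the hunk.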