Fix users not seeing labels from private groups when being a member of a child project

app/policies/group_policy.rb

@@ -22,7 +22,7 @@ class GroupPolicy < BasePolicy
   condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
 
   condition(:has_projects) do
-    GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
+    GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any?
   end
 
   with_options scope: :subject, score: 0
@@ -43,7 +43,11 @@ class GroupPolicy < BasePolicy
   end
 
   rule { admin }             .enable :read_group
-  rule { has_projects }      .enable :read_group
+
+  rule { has_projects }.policy do
+    enable :read_group
+    enable :read_label
+  end
 
   rule { has_access }.enable :read_namespace
 

changelogs/unreleased/issue_45463.yml

@@ -0,0 +1,5 @@
+---
+title: Fix users not seeing labels from private groups when being a member of a child project
+merge_request:
+author:
+type: fixed

spec/features/labels_hierarchy_spec.rb

@@ -170,6 +170,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
 
     context 'on issue sidebar' do
       before do
+        project_1.add_developer(user)
+
         visit project_issue_path(project_1, issue)
       end
 
@@ -180,6 +182,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board)   { create(:board, project: project_1) }
 
       before do
+        project_1.add_developer(user)
+
         visit project_board_path(project_1, board)
 
         wait_for_requests
@@ -194,6 +198,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board)   { create(:board, group: parent) }
 
       before do
+        parent.add_developer(user)
+
         visit group_board_path(parent, board)
 
         wait_for_requests
@@ -211,6 +217,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
 
     context 'on project issuable list' do
       before do
+        project_1.add_developer(user)
+
         visit project_issues_path(project_1)
       end
 
@@ -237,6 +245,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board) { create(:board, project: project_1) }
 
       before do
+        project_1.add_developer(user)
+
         visit project_board_path(project_1, board)
       end
 
@@ -247,6 +257,8 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board) { create(:board, group: parent) }
 
       before do
+        parent.add_developer(user)
+
         visit group_board_path(parent, board)
       end
 
@@ -259,6 +271,7 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board) { create(:board, project: project_1) }
 
       before do
+        project_1.add_developer(user)
         visit project_board_path(project_1, board)
         find('.js-new-board-list').click
         wait_for_requests
@@ -281,6 +294,7 @@ feature 'Labels Hierarchy', :js, :nested_groups do
       let(:board) { create(:board, group: parent) }
 
       before do
+        parent.add_developer(user)
         visit group_board_path(parent, board)
         find('.js-new-board-list').click
         wait_for_requests

spec/policies/group_policy_spec.rb

@@ -7,9 +7,9 @@ describe GroupPolicy do
   let(:master) { create(:user) }
   let(:owner) { create(:user) }
   let(:admin) { create(:admin) }
-  let(:group) { create(:group) }
+  let(:group) { create(:group, :private) }
 
-  let(:guest_permissions) { [:read_group, :upload_file, :read_namespace] }
+  let(:guest_permissions) { [:read_label, :read_group, :upload_file, :read_namespace] }
 
   let(:reporter_permissions) { [:admin_label] }
 
@@ -50,6 +50,7 @@ describe GroupPolicy do
   end
 
   context 'with no user' do
+    let(:group) { create(:group, :public) }
     let(:current_user) { nil }
 
     it do
@@ -63,6 +64,28 @@ describe GroupPolicy do
     end
   end
 
+  context 'has projects' do
+    let(:current_user) { create(:user) }
+    let(:project) { create(:project, namespace: group) }
+
+    before do
+      project.add_developer(current_user)
+    end
+
+    it do
+      expect_allowed(:read_group, :read_label)
+    end
+
+    context 'in subgroups', :nested_groups do
+      let(:subgroup) { create(:group, :private, parent: group) }
+      let(:project) { create(:project, namespace: subgroup) }
+
+      it do
+        expect_allowed(:read_group, :read_label)
+      end
+    end
+  end
+
   context 'guests' do
     let(:current_user) { guest }