Fix “Share lock” policy for deeply nested groups

This commit is contained in:
Michael Kozono 2017-09-05 10:38:24 -07:00
parent e0fb7766bc
commit c7e17abd26
2 changed files with 36 additions and 10 deletions

View file

@ -16,7 +16,7 @@ class GroupPolicy < BasePolicy
condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }
condition(:parent_share_locked) { @subject.has_parent? && @subject.parent.share_with_group_lock? }
condition(:parent_owner) { @subject.has_parent? && @subject.parent.has_owner?(@user) }
condition(:can_change_parent_share_with_group_lock) { @subject.has_parent? && can?(:change_share_with_group_lock, @subject.parent) }
condition(:has_projects) do
GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
@ -57,7 +57,7 @@ class GroupPolicy < BasePolicy
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
rule { owner & (~parent_share_locked | parent_owner) }.enable :change_share_with_group_lock
rule { owner & (~parent_share_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
def access_level
return GroupMember::NO_ACCESS if @user.nil?

View file

@ -248,19 +248,45 @@ describe GroupPolicy do
let(:group) { create(:group, parent: parent) }
context 'when the parent share_with_group_lock is enabled' do
let(:parent) { create(:group, share_with_group_lock: true) }
let(:current_user) { owner }
context 'when current_user owns the parent' do
before do
parent.add_owner(owner)
end
context 'when the group has a grandparent' do
let(:grandparent) { create(:group, share_with_group_lock: true) }
let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
it { expect_allowed(:change_share_with_group_lock) }
context 'and the grandparent share_with_group_lock is enabled' do
context 'when current_user owns the grandparent' do
before do
grandparent.add_owner(owner)
end
it { expect_allowed(:change_share_with_group_lock) }
end
context 'when current_user owns the parent but not the grandparent' do
before do
parent.add_owner(owner)
end
it { expect_disallowed(:change_share_with_group_lock) }
end
end
end
context 'when current_user owns the group but not the parent' do
it { expect_disallowed(:change_share_with_group_lock) }
context 'when the group does not have a grandparent' do
let(:parent) { create(:group, share_with_group_lock: true) }
context 'when current_user owns the parent' do
before do
parent.add_owner(owner)
end
it { expect_allowed(:change_share_with_group_lock) }
end
context 'when current_user owns the group but not the parent' do
it { expect_disallowed(:change_share_with_group_lock) }
end
end
end