Fix “Share lock” policy for deeply nested groups
This commit is contained in:
parent
e0fb7766bc
commit
c7e17abd26
2 changed files with 36 additions and 10 deletions
|
@ -16,7 +16,7 @@ class GroupPolicy < BasePolicy
|
||||||
condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }
|
condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }
|
||||||
|
|
||||||
condition(:parent_share_locked) { @subject.has_parent? && @subject.parent.share_with_group_lock? }
|
condition(:parent_share_locked) { @subject.has_parent? && @subject.parent.share_with_group_lock? }
|
||||||
condition(:parent_owner) { @subject.has_parent? && @subject.parent.has_owner?(@user) }
|
condition(:can_change_parent_share_with_group_lock) { @subject.has_parent? && can?(:change_share_with_group_lock, @subject.parent) }
|
||||||
|
|
||||||
condition(:has_projects) do
|
condition(:has_projects) do
|
||||||
GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
|
GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
|
||||||
|
@ -57,7 +57,7 @@ class GroupPolicy < BasePolicy
|
||||||
rule { ~can?(:view_globally) }.prevent :request_access
|
rule { ~can?(:view_globally) }.prevent :request_access
|
||||||
rule { has_access }.prevent :request_access
|
rule { has_access }.prevent :request_access
|
||||||
|
|
||||||
rule { owner & (~parent_share_locked | parent_owner) }.enable :change_share_with_group_lock
|
rule { owner & (~parent_share_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
|
||||||
|
|
||||||
def access_level
|
def access_level
|
||||||
return GroupMember::NO_ACCESS if @user.nil?
|
return GroupMember::NO_ACCESS if @user.nil?
|
||||||
|
|
|
@ -248,19 +248,45 @@ describe GroupPolicy do
|
||||||
let(:group) { create(:group, parent: parent) }
|
let(:group) { create(:group, parent: parent) }
|
||||||
|
|
||||||
context 'when the parent share_with_group_lock is enabled' do
|
context 'when the parent share_with_group_lock is enabled' do
|
||||||
let(:parent) { create(:group, share_with_group_lock: true) }
|
|
||||||
let(:current_user) { owner }
|
let(:current_user) { owner }
|
||||||
|
|
||||||
context 'when current_user owns the parent' do
|
context 'when the group has a grandparent' do
|
||||||
before do
|
let(:grandparent) { create(:group, share_with_group_lock: true) }
|
||||||
parent.add_owner(owner)
|
let(:parent) { create(:group, share_with_group_lock: true, parent: grandparent) }
|
||||||
end
|
|
||||||
|
|
||||||
it { expect_allowed(:change_share_with_group_lock) }
|
context 'and the grandparent share_with_group_lock is enabled' do
|
||||||
|
context 'when current_user owns the grandparent' do
|
||||||
|
before do
|
||||||
|
grandparent.add_owner(owner)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { expect_allowed(:change_share_with_group_lock) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when current_user owns the parent but not the grandparent' do
|
||||||
|
before do
|
||||||
|
parent.add_owner(owner)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { expect_disallowed(:change_share_with_group_lock) }
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context 'when current_user owns the group but not the parent' do
|
context 'when the group does not have a grandparent' do
|
||||||
it { expect_disallowed(:change_share_with_group_lock) }
|
let(:parent) { create(:group, share_with_group_lock: true) }
|
||||||
|
|
||||||
|
context 'when current_user owns the parent' do
|
||||||
|
before do
|
||||||
|
parent.add_owner(owner)
|
||||||
|
end
|
||||||
|
|
||||||
|
it { expect_allowed(:change_share_with_group_lock) }
|
||||||
|
end
|
||||||
|
|
||||||
|
context 'when current_user owns the group but not the parent' do
|
||||||
|
it { expect_disallowed(:change_share_with_group_lock) }
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue