From f9bcb9632c1f7f5c5c72d50a90289baa2af762f5 Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Tue, 28 Jul 2015 16:32:15 +0200
Subject: [PATCH] Add specific ability for managing group members

---
 app/controllers/groups/group_members_controller.rb     | 7 +++++++
 app/models/ability.rb                                  | 5 +++--
 app/views/dashboard/groups/index.html.haml             | 7 ++++---
 app/views/groups/group_members/_group_member.html.haml | 2 +-
 app/views/groups/group_members/index.html.haml         | 2 +-
 5 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/app/controllers/groups/group_members_controller.rb b/app/controllers/groups/group_members_controller.rb
index 040255f08e6..b9c428a964f 100644
--- a/app/controllers/groups/group_members_controller.rb
+++ b/app/controllers/groups/group_members_controller.rb
@@ -21,6 +21,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
   end
 
   def create
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
     @group.add_users(params[:user_ids].split(','), params[:access_level], current_user)
 
     redirect_to group_group_members_path(@group), notice: 'Users were successfully added.'
@@ -28,6 +30,9 @@ class Groups::GroupMembersController < Groups::ApplicationController
 
   def update
     @member = @group.group_members.find(params[:id])
+
+    return render_403 unless can?(current_user, :update_group_member, @member)
+
     @member.update_attributes(member_params)
   end
 
@@ -46,6 +51,8 @@ class Groups::GroupMembersController < Groups::ApplicationController
   end
 
   def resend_invite
+    return render_403 unless can?(current_user, :admin_group_member, @group)
+
     redirect_path = group_group_members_path(@group)
 
     @group_member = @group.group_members.find(params[:id])
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6a8f683bc89..f8e5afa9b01 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -233,7 +233,8 @@ class Ability
       if group.has_owner?(user) || user.admin?
         rules.push(*[
           :admin_group,
-          :admin_namespace
+          :admin_namespace,
+          :admin_group_member
         ])
       end
 
@@ -295,7 +296,7 @@ class Ability
       rules = []
       target_user = subject.user
       group = subject.group
-      can_manage = group_abilities(user, group).include?(:admin_group)
+      can_manage = group_abilities(user, group).include?(:admin_group_member)
 
       if can_manage && (user != target_user)
         rules << :update_group_member
diff --git a/app/views/dashboard/groups/index.html.haml b/app/views/dashboard/groups/index.html.haml
index 0a354373b9b..b75c11795bd 100644
--- a/app/views/dashboard/groups/index.html.haml
+++ b/app/views/dashboard/groups/index.html.haml
@@ -23,9 +23,10 @@
               %i.fa.fa-cogs
               Settings
 
-          = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
-            %i.fa.fa-sign-out
-            Leave
+          - if can?(current_user, :destroy_group_member, group_member)
+            = link_to leave_group_group_members_path(group), data: { confirm: leave_group_message(group.name) }, method: :delete, class: "btn-sm btn btn-grouped", title: 'Leave this group' do
+              %i.fa.fa-sign-out
+              Leave
 
         = image_tag group_icon(group), class: "avatar s40 avatar-tile hidden-xs"
         = link_to group, class: 'group-name' do
diff --git a/app/views/groups/group_members/_group_member.html.haml b/app/views/groups/group_members/_group_member.html.haml
index b460e0ff59e..acc7f8b28c2 100644
--- a/app/views/groups/group_members/_group_member.html.haml
+++ b/app/views/groups/group_members/_group_member.html.haml
@@ -24,7 +24,7 @@
           = link_to member.created_by.name, user_path(member.created_by)
         = time_ago_with_tooltip(member.created_at)
 
-      - if show_controls && can?(current_user, :admin_group, @group)
+      - if show_controls && can?(current_user, :admin_group_member, member)
         = link_to resend_invite_group_group_member_path(@group, member), method: :post, class: "btn-xs btn", title: 'Resend invite' do
           Resend invite
 
diff --git a/app/views/groups/group_members/index.html.haml b/app/views/groups/group_members/index.html.haml
index a70d1ff0697..dba395cc8fa 100644
--- a/app/views/groups/group_members/index.html.haml
+++ b/app/views/groups/group_members/index.html.haml
@@ -17,7 +17,7 @@
       = search_field_tag :search, params[:search], { placeholder: 'Find existing member by name', class: 'form-control search-text-input' }
     = button_tag 'Search', class: 'btn'
 
-  - if current_user && current_user.can?(:admin_group, @group)
+  - if current_user && current_user.can?(:admin_group_member, @group)
     .pull-right
       = button_tag class: 'btn btn-new js-toggle-button', type: 'button' do
         Add members