    Allow more actions on group members · 55ec5df3
    Alex Kalderimis authored
    Specifically, we want to allow `:read_group`, without which
    certain policy checks will fail.
    
    This was implemented in support of
    https://gitlab.com/gitlab-org/gitlab/-/merge_requests/40088, but can
    be extracted in advance, and fixes a distinct bug.
    
    The basic assumption of policies is that if `A` delegates to `B` and
    user `U` is allowed to perform action `x` on `B`, then that user is
    allowed to perform that action on `A` (i.e. policies are transitive).
    
    The `prevent_all` call in this policy breaks that assumption, which is
    relied on by GraphQL authorization to hold. Without this fix, the
    following situation is possible:
    
    - there exists a group `G`, which is public
    - there exists a membership of a user `U` in `G`
    - `Ability.allowed?(nil, :read_group, G) === true`
    - `Ability.allowed?(nil, :read_group, U) === false`
    
    This means that anonymous users cannot read the membership of public
    groups, but they **can** read the membership of public projects.
group_members_spec.rb 3.21 KB
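The transitivity property the commit message describes, worked through in an added Ruby example that is not part of this commit or of GitLab's code base. The policy engine below is a constructed toy (its `GroupPolicy`, `MemberPolicyBeforeFix`, `MemberPolicyAfterFix`, `policy_allowed?` and `delegation_transitive?` are this example's own names, not DeclarativePolicy's API); the `prevent_all`-style short circuit is modelled as an early `return false` for anonymous callers, and the fix as answering `:read_group` purely by delegation to the group's policy. It reproduces the four bullets from the message for the "before" policy and shows them resolved for the "after" policy.

```ruby
# Toy policy model, constructed for this example. It is not GitLab's
# DeclarativePolicy and does not use its API; it only models the property the
# commit message relies on: if policy A delegates to policy B and user U may
# perform ability X on B, then U may perform X on A (delegation is transitive).

Group = Struct.new(:name, :visibility) do
  def public?
    visibility == :public
  end
end

# A membership ties a user to a group. A caller of `nil` models an anonymous user.
Member = Struct.new(:user, :group)

class GroupPolicy
  def initialize(user, group)
    @user = user
    @group = group
  end

  # Public groups are readable by anyone, including anonymous users;
  # private groups only by signed-in users (simplified on purpose).
  def allowed?(ability)
    return false unless ability == :read_group
    @group.public? || !@user.nil?
  end
end

# Member policy before the fix: it delegates to the group's policy, but a
# `prevent_all`-style short circuit for anonymous users runs first, so the
# delegated grant never reaches the caller and transitivity is broken.
class MemberPolicyBeforeFix
  def initialize(user, member)
    @user = user
    @member = member
  end

  def allowed?(ability)
    return false if @user.nil?
    GroupPolicy.new(@user, @member.group).allowed?(ability)
  end
end

# Member policy after the fix: :read_group is answered purely by delegation,
# so an anonymous user who may read a public group may also read its
# membership. The short circuit still applies to every other ability.
class MemberPolicyAfterFix
  DELEGATED = [:read_group].freeze

  def initialize(user, member)
    @user = user
    @member = member
  end

  def allowed?(ability)
    group_policy = GroupPolicy.new(@user, @member.group)
    return group_policy.allowed?(ability) if DELEGATED.include?(ability)
    return false if @user.nil?
    group_policy.allowed?(ability)
  end
end

# Stand-in for `Ability.allowed?(user, ability, subject)` from the commit
# message; the dispatch below is this example's own, not GitLab's.
def policy_allowed?(user, ability, subject, member_policy: MemberPolicyAfterFix)
  case subject
  when Group  then GroupPolicy.new(user, subject).allowed?(ability)
  when Member then member_policy.new(user, subject).allowed?(ability)
  else raise ArgumentError, "no policy for #{subject.class}"
  end
end

# The invariant GraphQL authorization relies on, as the commit describes it:
# a grant on the group must imply the same grant on each membership of it.
def delegation_transitive?(user, ability, group, member, member_policy: MemberPolicyAfterFix)
  granted_on_group = policy_allowed?(user, ability, group, member_policy: member_policy)
  granted_on_member = policy_allowed?(user, ability, member, member_policy: member_policy)
  !granted_on_group || granted_on_member
end

if $PROGRAM_NAME == __FILE__
  public_group = Group.new("public-group", :public)
  membership = Member.new("some-user", public_group)
  [MemberPolicyBeforeFix, MemberPolicyAfterFix].each do |policy|
    puts "#{policy}: anonymous :read_group on group=" \
         "#{policy_allowed?(nil, :read_group, public_group, member_policy: policy)} " \
         "on member=#{policy_allowed?(nil, :read_group, membership, member_policy: policy)}"
  end
end
```

Run as a script it prints the group/member answer for both policies; the "before" policy grants `:read_group` on the public group but denies it on the membership, which is exactly the inconsistency a delegating GraphQL authorization check cannot tolerate. The design point is that a blanket `prevent_all` must be ordered after, or scoped away from, any ability the policy is expected to inherit from the object it delegates to.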