Commit 05f331f3 authored by Douwe Maan's avatar Douwe Maan Committed by Dmitriy Zaporozhets

Fix access to projects shared with a nested group

Signed-off-by: default avatarDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
parent 71fbbc9d
......@@ -474,7 +474,7 @@ class User < ActiveRecord::Base
Group.member_descendants(id)
end
def nested_projects
def nested_groups_projects
Project.joins(:namespace).where('namespaces.parent_id IS NOT NULL').
member_descendants(id)
end
......
......@@ -115,11 +115,23 @@ module Users
# Returns a union query of projects that the user is authorized to access
def project_authorizations_union
relations = [
# Personal projects
user.personal_projects.select("#{user.id} AS user_id, projects.id AS project_id, #{Gitlab::Access::MASTER} AS access_level"),
user.groups_projects.select_for_project_authorization,
# Projects the user is a member of
user.projects.select_for_project_authorization,
# Projects of groups the user is a member of
user.groups_projects.select_for_project_authorization,
# Projects of subgroups of groups the user is a member of
user.nested_groups_projects.select_for_project_authorization,
# Projects shared with groups the user is a member of
user.groups.joins(:shared_projects).select_for_project_authorization,
user.nested_projects.select_for_project_authorization
# Projects shared with subgroups of groups the user is a member of
user.nested_groups.joins(:shared_projects).select_for_project_authorization
]
Gitlab::SQL::Union.new(relations)
......
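Review bot: With six relations in `relations`, the same project can now come back more than once with different access levels (for example a direct reporter membership plus master access inherited through a parent group), and nothing in the visible lines says which row wins. The method and its consumer continue outside this hunk, so I can't tell whether the highest level is kept. If it is, say so above the array, e.g. `# A project may appear in several relations; the consumer keeps the highest access_level per project`. These rows are what authorizes access, so an order-dependent pick would give a user a different level than intended.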
......@@ -1429,7 +1429,7 @@ describe User, models: true do
it { expect(user.nested_groups).to eq([nested_group]) }
end
describe '#nested_projects' do
describe '#nested_groups_projects' do
let!(:user) { create(:user) }
let!(:group) { create(:group) }
let!(:nested_group) { create(:group, parent: group) }
......@@ -1444,7 +1444,7 @@ describe User, models: true do
other_project.add_developer(create(:user))
end
it { expect(user.nested_projects).to eq([nested_project]) }
it { expect(user.nested_groups_projects).to eq([nested_project]) }
end
describe '#refresh_authorized_projects', redis: true do
......
......@@ -131,6 +131,80 @@ describe Users::RefreshAuthorizedProjectsService do
it 'sets the values to the access levels' do
expect(hash.values).to eq([Gitlab::Access::MASTER])
end
context 'personal projects' do
it 'includes the project with the right access level' do
expect(hash[project.id]).to eq(Gitlab::Access::MASTER)
end
end
context 'projects the user is a member of' do
let!(:other_project) { create(:empty_project) }
before do
other_project.team.add_reporter(user)
end
it 'includes the project with the right access level' do
expect(hash[other_project.id]).to eq(Gitlab::Access::REPORTER)
end
end
context 'projects of groups the user is a member of' do
let(:group) { create(:group) }
let!(:other_project) { create(:project, group: group) }
before do
group.add_owner(user)
end
it 'includes the project with the right access level' do
expect(hash[other_project.id]).to eq(Gitlab::Access::OWNER)
end
end
context 'projects of subgroups of groups the user is a member of' do
let(:group) { create(:group) }
let(:nested_group) { create(:group, parent: group) }
let!(:other_project) { create(:project, group: nested_group) }
before do
group.add_master(user)
end
it 'includes the project with the right access level' do
expect(hash[other_project.id]).to eq(Gitlab::Access::MASTER)
end
end
context 'projects shared with groups the user is a member of' do
let(:group) { create(:group) }
let(:other_project) { create(:empty_project) }
let!(:project_group_link) { create(:project_group_link, project: other_project, group: group, group_access: Gitlab::Access::GUEST) }
before do
group.add_master(user)
end
it 'includes the project with the right access level' do
expect(hash[other_project.id]).to eq(Gitlab::Access::GUEST)
end
end
context 'projects shared with subgroups of groups the user is a member of' do
let(:group) { create(:group) }
let(:nested_group) { create(:group, parent: group) }
let(:other_project) { create(:empty_project) }
let!(:project_group_link) { create(:project_group_link, project: other_project, group: nested_group, group_access: Gitlab::Access::DEVELOPER) }
before do
group.add_master(user)
end
it 'includes the project with the right access level' do
expect(hash[other_project.id]).to eq(Gitlab::Access::DEVELOPER)
end
end
end
describe '#current_authorizations_per_project' do
......
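Review bot: Both shared-project contexts only cover a share whose `group_access` is lower than the user's membership level (`GUEST` and `DEVELOPER` links against `group.add_master(user)`), so they pass whether or not the share is capped by the user's own level. Add the reverse case to each context, e.g. `group.add_guest(user)` with the link created at `group_access: Gitlab::Access::MASTER`, and assert the effective level. That is presumably `Gitlab::Access::GUEST` if the lower of the two is meant to apply, which this page does not show. For the subgroup context this also pins how a membership inherited from the parent group combines with a link on the nested group.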