Disable project/group sharing when User Cap set

Disable both project and group sharing with other groups whenever a User Cap is set for this group (or this group's root ancestor). Changelog: added

Disable project/group sharing when User Cap set
Disable both project and group sharing with other groups whenever a User Cap is set for this group (or this group's root ancestor). Changelog: added
108f4f0a · Etienne Baqué · Matthias Käppler · 2ad17865 · 108f4f0a · 108f4f0a
Commit 108f4f0a authored Aug 10, 2021 by Etienne Baqué Committed by Matthias Käppler Aug 10, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 98 additions and 0 deletions

app/models/namespace_setting.rb app/models/namespace_setting.rb +21 -0

spec/models/namespace_setting_spec.rb spec/models/namespace_setting_spec.rb +77 -0

No files found.
--- a/app/models/namespace_setting.rb
+++ b/app/models/namespace_setting.rb
@@ -11,6 +11,9 @@ class NamespaceSetting < ApplicationRecord
  validate :allow_mfa_for_group
  validate :allow_resource_access_token_creation_for_group

+  before_save :set_prevent_sharing_groups_outside_hierarchy, if: -> { user_cap_enabled? }
+  after_save :disable_project_sharing!, if: -> { user_cap_enabled? }
+
  before_validation :normalize_default_branch_name

  NAMESPACE_SETTINGS_PARAMS = [:default_branch_name, :delayed_project_removal,
@@ -19,6 +22,12 @@ class NamespaceSetting < ApplicationRecord

  self.primary_key = :namespace_id

+  def prevent_sharing_groups_outside_hierarchy
+    return super if namespace.root?
+
+    namespace.root_ancestor.prevent_sharing_groups_outside_hierarchy
+  end
+
  private

  def normalize_default_branch_name
@@ -48,6 +57,18 @@ class NamespaceSetting < ApplicationRecord
      errors.add(:resource_access_token_creation_allowed, _('is not allowed since the group is not top-level group.'))
    end
  end
+
+  def set_prevent_sharing_groups_outside_hierarchy
+    self.prevent_sharing_groups_outside_hierarchy = true
+  end
+
+  def disable_project_sharing!
+    namespace.update_attribute(:share_with_group_lock, true)
+  end
+
+  def user_cap_enabled?
+    new_user_signups_cap.present? && namespace.root?
+  end
 end

 NamespaceSetting.prepend_mod_with('NamespaceSetting')
--- a/spec/models/namespace_setting_spec.rb
+++ b/spec/models/namespace_setting_spec.rb
@@ -106,4 +106,81 @@ RSpec.describe NamespaceSetting, type: :model do
      end
    end
  end
+
+  describe '#prevent_sharing_groups_outside_hierarchy' do
+    let(:settings) { create(:namespace_settings, prevent_sharing_groups_outside_hierarchy: true) }
+    let!(:group) { create(:group, parent: parent, namespace_settings: settings ) }
+
+    subject(:group_sharing_setting) { settings.prevent_sharing_groups_outside_hierarchy }
+
+    context 'when this namespace is a root ancestor' do
+      let(:parent) { nil }
+
+      it 'returns the actual stored value' do
+        expect(group_sharing_setting).to be_truthy
+      end
+    end
+
+    context 'when this namespace is a descendant' do
+      let(:parent) { create(:group) }
+
+      it 'returns the value stored for the parent settings' do
+        expect(group_sharing_setting).to eq(parent.namespace_settings.prevent_sharing_groups_outside_hierarchy)
+        expect(group_sharing_setting).to be_falsey
+      end
+    end
+  end
+
+  describe 'hooks related to group user cap update' do
+    let(:settings) { create(:namespace_settings, new_user_signups_cap: user_cap) }
+    let(:group) { create(:group, namespace_settings: settings) }
+
+    before do
+      allow(group).to receive(:root?).and_return(true)
+    end
+
+    context 'when updating a group with a user cap' do
+      let(:user_cap) { nil }
+
+      it 'also sets share_with_group_lock and prevent_sharing_groups_outside_hierarchy to true' do
+        expect(group.new_user_signups_cap).to be_nil
+        expect(group.share_with_group_lock).to be_falsey
+        expect(settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
+
+        settings.update!(new_user_signups_cap: 10)
+        group.reload
+
+        expect(group.new_user_signups_cap).to eq(10)
+        expect(group.share_with_group_lock).to be_truthy
+        expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
+      end
+
+      it 'has share_with_group_lock and prevent_sharing_groups_outside_hierarchy returning true for descendent groups' do
+        descendent = create(:group, parent: group)
+        desc_settings = descendent.namespace_settings
+
+        expect(descendent.share_with_group_lock).to be_falsey
+        expect(desc_settings.prevent_sharing_groups_outside_hierarchy).to be_falsey
+
+        settings.update!(new_user_signups_cap: 10)
+
+        expect(descendent.reload.share_with_group_lock).to be_truthy
+        expect(desc_settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
+      end
+    end
+
+    context 'when removing a user cap from namespace settings' do
+      let(:user_cap) { 10 }
+
+      it 'leaves share_with_group_lock and prevent_sharing_groups_outside_hierarchy set to true to the related group' do
+        expect(group.share_with_group_lock).to be_truthy
+        expect(settings.prevent_sharing_groups_outside_hierarchy).to be_truthy
+
+        settings.update!(new_user_signups_cap: nil)
+
+        expect(group.reload.share_with_group_lock).to be_truthy
+        expect(settings.reload.prevent_sharing_groups_outside_hierarchy).to be_truthy
+      end
+    end
+  end
 end