Add ldap settings controller

This controller will for now just handle the status change of
lock_membership_to_ldap
parent 82d535cc
# frozen_string_literal: true
class Groups::LdapSettingsController < Groups::ApplicationController
before_action :group
before_action :require_ldap_enabled
before_action :authorize_admin_group!
before_action :authorize_manage_ldap_settings!
def update
if @group.update(ldap_settings_params)
redirect_back_or_default(default: group_ldap_group_links_path(@group), options: { notice: _('LDAP settings updated') })
else
redirect_back_or_default(default: group_ldap_group_links_path(@group), options: { alert: _('Could not update the LDAP settings') })
end
end
private
def authorize_manage_ldap_settings!
render_404 unless Feature.enabled?(:ldap_settings_unlock_groups_by_owners)
render_404 unless can?(current_user, :admin_ldap_group_settings, group)
end
def require_ldap_enabled
render_404 unless Gitlab::Auth::Ldap::Config.enabled?
end
def ldap_settings_params
attrs = %i[unlock_membership_to_ldap]
params.require(:group).permit(attrs)
end
end
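Review bot: `authorize_manage_ldap_settings!` can call `render_404` twice, because the first guard does not return. When the feature flag is off, the `can?` check on the next line still runs and renders again if the user also lacks `:admin_ldap_group_settings`. A second render in one request would likely raise a double-render error in Rails, so the caller gets a 500 instead of the intended 404. Return from the first guard, `return render_404 unless Feature.enabled?(:ldap_settings_unlock_groups_by_owners)`, or combine both conditions into a single guard. The request is denied either way, but a clean 404 keeps the response uniform and keeps authorization failures out of the error logs.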
...@@ -187,6 +187,7 @@ module EE ...@@ -187,6 +187,7 @@ module EE
end end
def ldap_lock_bypassable? def ldap_lock_bypassable?
return false unless ::Feature.enabled?(:ldap_settings_unlock_groups_by_owners)
return false unless ::Gitlab::CurrentSettings.allow_group_owners_to_manage_ldap? return false unless ::Gitlab::CurrentSettings.allow_group_owners_to_manage_ldap?
!!subject.unlock_membership_to_ldap? && subject.owned_by?(user) !!subject.unlock_membership_to_ldap? && subject.owned_by?(user)
......
...@@ -42,6 +42,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do ...@@ -42,6 +42,8 @@ constraints(::Constraints::GroupUrlConstrainer.new) do
end end
end end
resource :ldap_settings, only: [:update]
resource :issues_analytics, only: [:show] resource :issues_analytics, only: [:show]
resource :insights, only: [:show], trailing_slash: true do resource :insights, only: [:show], trailing_slash: true do
......
# frozen_string_literal: true
require 'spec_helper'
describe Groups::LdapSettingsController do
include LdapHelpers
let(:group) { create(:group) }
let(:user) { create(:user) }
before do
stub_ldap_setting(enabled: true)
stub_feature_flags(ldap_settings_unlock_groups_by_owners: true)
sign_in(user)
end
describe 'PUT #update' do
describe 'as an owner' do
before do
group.add_owner(user)
end
describe 'admin allows owners to modify ldap settings' do
before do
allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(true)
end
it 'changes the value of unlock_membership_to_ldap' do
expect do
put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
end.to change { group.reload.unlock_membership_to_ldap }
end
describe 'ldap_settings_unlock_groups_by_owners is disabled' do
before do
stub_feature_flags(ldap_settings_unlock_groups_by_owners: false)
end
it 'does not change the value of the unlock_membership_to_ldap' do
expect do
put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
end.not_to change { group.reload.unlock_membership_to_ldap }
end
end
end
describe 'admin disallow owners to modify ldap settings' do
before do
allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(false)
end
it 'does not change the value of unlock_membership_to_ldap' do
expect do
put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
end.not_to change { group.reload.unlock_membership_to_ldap }
end
end
end
describe 'as a maintainer' do
before do
group.add_maintainer(user)
allow(::Gitlab::CurrentSettings).to receive(:allow_group_owners_to_manage_ldap?).and_return(true)
end
it 'does not change the value of unlock_membership_to_ldap' do
expect do
put :update, params: { group_id: group.to_param, group: { unlock_membership_to_ldap: true } }
end.not_to change { group.reload.unlock_membership_to_ldap }
end
end
end
end
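Review bot: The denial examples (flag disabled, admin setting off, maintainer) only assert that `unlock_membership_to_ldap` is unchanged, so they would still pass if the request ended in a 500 or a redirect rather than a 404. Adding `expect(response).to have_gitlab_http_status(:not_found)` after each `put` would pin the authorization outcome itself. No example uses `stub_ldap_setting(enabled: false)`, so the `require_ldap_enabled` filter is not exercised here. A case where the flag is off and the user is not an owner would also cover the path where both guards in `authorize_manage_ldap_settings!` fail.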
...@@ -396,11 +396,22 @@ describe GroupPolicy do ...@@ -396,11 +396,22 @@ describe GroupPolicy do
context 'Group Owner disable membership lock' do context 'Group Owner disable membership lock' do
before do before do
group.update!(unlock_membership_to_ldap: true) group.update!(unlock_membership_to_ldap: true)
stub_feature_flags(ldap_settings_unlock_groups_by_owners: true)
end end
it { is_expected.to be_allowed(:admin_group_member) } it { is_expected.to be_allowed(:admin_group_member) }
it { is_expected.to be_allowed(:override_group_member) } it { is_expected.to be_allowed(:override_group_member) }
it { is_expected.to be_allowed(:update_group_member) } it { is_expected.to be_allowed(:update_group_member) }
context 'ldap_settings_unlock_groups_by_owners is disabled' do
before do
stub_feature_flags(ldap_settings_unlock_groups_by_owners: false)
end
it { is_expected.to be_disallowed(:admin_group_member) }
it { is_expected.to be_disallowed(:override_group_member) }
it { is_expected.to be_disallowed(:update_group_member) }
end
end end
context 'Group Owner keeps the membership lock' do context 'Group Owner keeps the membership lock' do
......