Commit 32ddc3fe authored by Stan Hu's avatar Stan Hu

Allow a member to have an access level equal to parent group

Suppose you have this configuration:

1. Subgroup `hello/world`
2. Subgroup `hello/mergers`.
3. Project `hello/world/my-project` has invited group `hello/world` to
access protected branches.
4. The rule allows the group to merge but no one can push.
5. User `newuser` has Owner access to the parent group `hello`.

Previously, there was no way for the user `newuser` to be added to the
`hello/mergers` group since the validation only allowed a user to be
added at a higher access level.

Since membership in a subgroup confers certain access rights, such as
being able to merge or push code to protected branches, we have to
loosen the validation and allow someone to be added at an equal level
granted by the parent group.

Closes https://gitlab.com/gitlab-org/gitlab-ee/issues/11323
parent 9f592604
...@@ -446,10 +446,10 @@ class Member < ApplicationRecord ...@@ -446,10 +446,10 @@ class Member < ApplicationRecord
end end
def higher_access_level_than_group def higher_access_level_than_group
if highest_group_member && highest_group_member.access_level >= access_level if highest_group_member && highest_group_member.access_level > access_level
error_parameters = { access: highest_group_member.human_access, group_name: highest_group_member.group.name } error_parameters = { access: highest_group_member.human_access, group_name: highest_group_member.group.name }
errors.add(:access_level, s_("should be higher than %{access} inherited membership from group %{group_name}") % error_parameters) errors.add(:access_level, s_("should be greater than or equal to %{access} inherited membership from group %{group_name}") % error_parameters)
end end
end end
end end
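Review bot: the comparison in `if highest_group_member && highest_group_member.access_level > access_level` now rejects only strictly lower levels, but the method is still called `higher_access_level_than_group`, so its name now contradicts what it validates. Consider renaming it (for example to `access_level_not_lower_than_group`) or adding a short comment in the model next to the comparison explaining that an equal level is intentionally accepted because subgroup membership confers rights such as merging or pushing to protected branches; that reasoning currently lives only in the spec comment, so a reader looking at the model alone may later "fix" the operator back to `>=`.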
---
title: Allow a member to have an access level equal to parent group
merge_request: 27913
author:
type: fixed
...@@ -11385,7 +11385,7 @@ msgstr[1] "" ...@@ -11385,7 +11385,7 @@ msgstr[1] ""
msgid "score" msgid "score"
msgstr "" msgstr ""
msgid "should be higher than %{access} inherited membership from group %{group_name}" msgid "should be greater than or equal to %{access} inherited membership from group %{group_name}"
msgstr "" msgstr ""
msgid "show less" msgid "show less"
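Review bot: the new msgid reads awkwardly once interpolated ("should be greater than or equal to Developer inherited membership from group X"); since changing the msgid already invalidates existing translations of the old string, it is worth settling on clearer wording now, such as "should be greater than or equal to the %{access} access inherited from group %{group_name}", rather than changing it again later and resetting translations a second time. The same sentence is also asserted verbatim in the specs in this commit, so any further wording change must be made in all of them together.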
...@@ -70,6 +70,16 @@ describe Member do ...@@ -70,6 +70,16 @@ describe Member do
expect(child_member).not_to be_valid expect(child_member).not_to be_valid
end end
# Membership in a subgroup confers certain access rights, such as being
# able to merge or push code to protected branches.
it "is valid with an equal level" do
child_member.access_level = GroupMember::DEVELOPER
child_member.validate
expect(child_member).to be_valid
end
it "is valid with a higher level" do it "is valid with a higher level" do
child_member.access_level = GroupMember::MAINTAINER child_member.access_level = GroupMember::MAINTAINER
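Review bot: `child_member.access_level = GroupMember::DEVELOPER` only exercises the equal-level case if the inherited parent membership in the surrounding setup is Developer, which this hunk does not show; if that setup ever changes, the example silently becomes a second "higher level" test. Consider deriving the value from the parent membership (for example `child_member.access_level = parent_member.access_level`, assuming such a `let` exists in this describe block) so the equality under test is explicit, and consider moving the explanatory comment into the model beside the comparison, where whoever touches the validation will actually see it.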
...@@ -236,7 +236,7 @@ describe API::Members do ...@@ -236,7 +236,7 @@ describe API::Members do
params: { user_id: stranger.id, access_level: Member::REPORTER } params: { user_id: stranger.id, access_level: Member::REPORTER }
expect(response).to have_gitlab_http_status(400) expect(response).to have_gitlab_http_status(400)
expect(json_response['message']['access_level']).to eq(["should be higher than Developer inherited membership from group #{parent.name}"]) expect(json_response['message']['access_level']).to eq(["should be greater than or equal to Developer inherited membership from group #{parent.name}"])
end end
it 'creates the member if group level is lower', :nested_groups do it 'creates the member if group level is lower', :nested_groups do
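Review bot: this hunk only updates the expected error text for the lower-than-inherited case (REPORTER below a Developer inheritance, still 400), but there is no API-level example for the newly allowed equal-level case; the adjacent "creates the member if group level is lower" example covers lower, not equal. Consider adding an example that posts `access_level: Member::DEVELOPER` against the same Developer inheritance and expects the member to be created, so the relaxed validation is covered through the API path and not only in the model spec.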
...@@ -41,7 +41,7 @@ shared_examples_for 'inherited access level as a member of entity' do ...@@ -41,7 +41,7 @@ shared_examples_for 'inherited access level as a member of entity' do
member.update(access_level: Gitlab::Access::REPORTER) member.update(access_level: Gitlab::Access::REPORTER)
expect(member.errors.full_messages).to eq(["Access level should be higher than Developer inherited membership from group #{parent_entity.name}"]) expect(member.errors.full_messages).to eq(["Access level should be greater than or equal to Developer inherited membership from group #{parent_entity.name}"])
end end
it 'allows changing the level from a non existing member' do it 'allows changing the level from a non existing member' do
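Review bot: the full error sentence is asserted verbatim here and again in the API spec, duplicating the wording from the model, so the next wording change has to be made in lockstep once more; consider asserting with `member.errors.added?(:access_level, ...)` or matching on the stable part of the message instead of the whole sentence. Like the API spec, this shared example still covers only the lower-level rejection; now that equal levels are accepted it should gain a case such as `member.update(access_level: Gitlab::Access::DEVELOPER)` with `member.errors` expected to be empty.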