Rework admin_group_member policy to allow owners

The change will check for unlock_membership_to_ldap and the instance settings.

Rework admin_group_member policy to allow owners
The change will check for unlock_membership_to_ldap and the instance settings.
46fb3939 · Sebastian Arcila Valenzuela · 972e5e68 · 46fb3939 · 46fb3939
Commit 46fb3939 authored Mar 04, 2020 by Sebastian Arcila Valenzuela
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 2 deletions

ee/app/policies/ee/group_policy.rb ee/app/policies/ee/group_policy.rb +13 -2

ee/spec/policies/group_policy_spec.rb ee/spec/policies/group_policy_spec.rb +36 -0

No files found.
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -30,6 +30,10 @@ module EE
        ::Gitlab::CurrentSettings.lock_memberships_to_ldap?
      end

+      condition(:owners_bypass_ldap_lock) do
+        ldap_lock_bypassable?
+      end
+
      condition(:security_dashboard_enabled) do
        @subject.feature_available?(:security_dashboard)
      end
@@ -132,13 +136,14 @@ module EE

      rule { admin | (can_owners_manage_ldap & owner) }.enable :admin_ldap_group_links

-      rule { ldap_synced }.prevent :admin_group_member
+
+      rule { ldap_synced & ~owners_bypass_ldap_lock }.prevent :admin_group_member

      rule { ldap_synced & (admin | owner) }.enable :update_group_member

      rule { ldap_synced & (admin | (can_owners_manage_ldap & owner)) }.enable :override_group_member

-      rule { memberships_locked_to_ldap & ~admin }.policy do
+      rule { memberships_locked_to_ldap & ~admin & ~owners_bypass_ldap_lock }.policy do
        prevent :admin_group_member
        prevent :update_group_member
        prevent :override_group_member
@@ -179,6 +184,12 @@ module EE
      super
    end

+    def ldap_lock_bypassable?
+      return false unless ::Gitlab::CurrentSettings.allow_group_owners_to_manage_ldap?
+
+      !!subject.unlock_membership_to_ldap? && subject.owned_by?(user)
+    end
+
    def sso_enforcement_prevents_access?
      return false unless subject.persisted?
      return false if user&.admin?

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -375,6 +375,42 @@ describe GroupPolicy do
        it { is_expected.not_to be_allowed(:override_group_member) }
        it { is_expected.not_to be_allowed(:update_group_member) }
      end
+
+      context 'when LDAP sync is enabled' do
+        let(:current_user) { owner }
+
+        before do
+          allow(group).to receive(:ldap_synced?).and_return(true)
+        end
+
+        context 'Group Owner disable membership lock' do
+          before do
+            group.update!(unlock_membership_to_ldap: true)
+          end
+
+          it { is_expected.to be_allowed(:admin_group_member) }
+          it { is_expected.to be_allowed(:override_group_member) }
+          it { is_expected.to be_allowed(:update_group_member) }
+        end
+
+        context 'Group Owner keeps the membership lock' do
+          before do
+            group.update!(unlock_membership_to_ldap: false)
+          end
+
+          it { is_expected.not_to be_allowed(:admin_group_member) }
+          it { is_expected.not_to be_allowed(:override_group_member) }
+          it { is_expected.not_to be_allowed(:update_group_member) }
+        end
+      end
+
+      context 'when LDAP sync is disable' do
+        let(:current_user) { owner }
+
+        it { is_expected.not_to be_allowed(:admin_group_member) }
+        it { is_expected.not_to be_allowed(:override_group_member) }
+        it { is_expected.not_to be_allowed(:update_group_member) }
+      end
    end
  end