Commit 5311b36e authored by GitLab Release Tools Bot's avatar GitLab Release Tools Bot

Merge branch 'security-pb-protected-tags-remove-group' into 'master'

Remove protected tag access when group is removed

Closes #2

See merge request gitlab-org/security/gitlab!8
parents e3212b93 8dffe619
......@@ -15,6 +15,9 @@ module EE
project.protected_branches.merge_access_by_group(group).destroy_all # rubocop: disable DestroyAll
project.protected_branches.push_access_by_group(group).destroy_all # rubocop: disable DestroyAll
# For protected tags
project.protected_tags.create_access_by_group(group).delete_all
# For protected environments
project.protected_environments.deploy_access_levels_by_group(group).delete_all
end
......
---
title: Remove protected tag access when group is removed
merge_request:
author:
type: security
......@@ -13,16 +13,46 @@ describe ProjectGroupLink do
project.add_developer(user)
end
it 'removes related protected environment deploy access levels' do
params = attributes_for(:protected_environment,
deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }])
shared_examples_for 'deleted related access levels' do |access_level_class|
it "removes related #{access_level_class}" do
expect { project_group_link.destroy! }.to change(access_level_class, :count).by(-1)
expect(access_levels.find_by_group_id(group)).to be_nil
expect(access_levels.find_by_user_id(user)).to be_persisted
end
end
context 'protected tags' do
let!(:protected_tag) do
ProtectedTags::CreateService.new(
project,
project.owner,
attributes_for(
:protected_tag,
create_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
)
).execute
end
protected_environment = ProtectedEnvironments::CreateService.new(project, user, params).execute
let(:access_levels) { protected_tag.create_access_levels }
it_behaves_like 'deleted related access levels', ProtectedTag::CreateAccessLevel
end
context 'protected environments' do
let!(:protected_environment) do
ProtectedEnvironments::CreateService.new(
project,
project.owner,
attributes_for(
:protected_environment,
deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
)
).execute
end
expect { project_group_link.destroy! }.to change(ProtectedEnvironment::DeployAccessLevel, :count).by(-1)
let(:access_levels) { protected_environment.deploy_access_levels }
expect(protected_environment.deploy_access_levels.find_by_group_id(group)).to be_nil
expect(protected_environment.deploy_access_levels.find_by_user_id(user)).to be_persisted
it_behaves_like 'deleted related access levels', ProtectedEnvironment::DeployAccessLevel
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment