Commit 5db229fb authored by Sean McGivern's avatar Sean McGivern

Allow group reporters to manage group labels

Previously, only group masters could do this. However, project reporters can
manage project labels, so there doesn't seem to be any need to restrict group
labels further.

Also, save a query or two by getting a single GroupMember object to find out if
the user is a master or not.
parent 6e82de21
...@@ -222,6 +222,16 @@ class Group < Namespace ...@@ -222,6 +222,16 @@ class Group < Namespace
User.where(id: members_with_parents.select(:user_id)) User.where(id: members_with_parents.select(:user_id))
end end
def max_member_access_for_user(user)
return GroupMember::OWNER if user.admin?
members_with_parents.
where(user_id: user).
reorder(access_level: :desc).
first&.
access_level || GroupMember::NO_ACCESS
end
def mattermost_team_params def mattermost_team_params
max_length = 59 max_length = 59
......
...@@ -200,6 +200,10 @@ class Member < ActiveRecord::Base ...@@ -200,6 +200,10 @@ class Member < ActiveRecord::Base
source_type source_type
end end
def access_field
access_level
end
def invite? def invite?
self.invite_token.present? self.invite_token.present?
end end
......
...@@ -25,10 +25,6 @@ class GroupMember < Member ...@@ -25,10 +25,6 @@ class GroupMember < Member
source source
end end
def access_field
access_level
end
# Because source_type is `Namespace`... # Because source_type is `Namespace`...
def real_source_type def real_source_type
'Group' 'Group'
......
...@@ -79,10 +79,6 @@ class ProjectMember < Member ...@@ -79,10 +79,6 @@ class ProjectMember < Member
end end
end end
def access_field
access_level
end
def project def project
source source
end end
......
...@@ -4,22 +4,25 @@ class GroupPolicy < BasePolicy ...@@ -4,22 +4,25 @@ class GroupPolicy < BasePolicy
return unless @user return unless @user
globally_viewable = @subject.public? || (@subject.internal? && !@user.external?) globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
member = @subject.users_with_parents.include?(@user) access_level = @subject.max_member_access_for_user(@user)
owner = @user.admin? || @subject.has_owner?(@user) owner = access_level >= GroupMember::OWNER
master = owner || @subject.has_master?(@user) master = access_level >= GroupMember::MASTER
reporter = access_level >= GroupMember::REPORTER
can_read = false can_read = false
can_read ||= globally_viewable can_read ||= globally_viewable
can_read ||= member can_read ||= access_level >= GroupMember::GUEST
can_read ||= @user.admin?
can_read ||= GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any? can_read ||= GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
can! :read_group if can_read can! :read_group if can_read
if reporter
can! :admin_label
end
# Only group masters and group owners can create new projects # Only group masters and group owners can create new projects
if master if master
can! :create_projects can! :create_projects
can! :admin_milestones can! :admin_milestones
can! :admin_label
end end
# Only group owner and administrators can admin group # Only group owner and administrators can admin group
...@@ -31,7 +34,7 @@ class GroupPolicy < BasePolicy ...@@ -31,7 +34,7 @@ class GroupPolicy < BasePolicy
can! :create_subgroup if @user.can_create_group can! :create_subgroup if @user.can_create_group
end end
if globally_viewable && @subject.request_access_enabled && !member if globally_viewable && @subject.request_access_enabled && access_level == GroupMember::NO_ACCESS
can! :request_access can! :request_access
end end
end end
......
---
title: Allow group reporters to manage group labels
merge_request:
author:
...@@ -9,11 +9,12 @@ describe GroupPolicy, models: true do ...@@ -9,11 +9,12 @@ describe GroupPolicy, models: true do
let(:admin) { create(:admin) } let(:admin) { create(:admin) }
let(:group) { create(:group) } let(:group) { create(:group) }
let(:reporter_permissions) { [:admin_label] }
let(:master_permissions) do let(:master_permissions) do
[ [
:create_projects, :create_projects,
:admin_milestones, :admin_milestones
:admin_label
] ]
end end
...@@ -42,6 +43,7 @@ describe GroupPolicy, models: true do ...@@ -42,6 +43,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -52,6 +54,7 @@ describe GroupPolicy, models: true do ...@@ -52,6 +54,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -62,6 +65,7 @@ describe GroupPolicy, models: true do ...@@ -62,6 +65,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -72,6 +76,7 @@ describe GroupPolicy, models: true do ...@@ -72,6 +76,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -82,6 +87,7 @@ describe GroupPolicy, models: true do ...@@ -82,6 +87,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.to include(*master_permissions) is_expected.to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -92,6 +98,7 @@ describe GroupPolicy, models: true do ...@@ -92,6 +98,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.to include(*master_permissions) is_expected.to include(*master_permissions)
is_expected.to include(*owner_permissions) is_expected.to include(*owner_permissions)
end end
...@@ -102,14 +109,27 @@ describe GroupPolicy, models: true do ...@@ -102,14 +109,27 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.to include(*master_permissions) is_expected.to include(*master_permissions)
is_expected.to include(*owner_permissions) is_expected.to include(*owner_permissions)
end end
end end
describe 'private nested group inherit permissions', :nested_groups do describe 'private nested group use the highest access level from the group and inherited permissions', :nested_groups do
let(:nested_group) { create(:group, :private, parent: group) } let(:nested_group) { create(:group, :private, parent: group) }
before do
nested_group.add_guest(guest)
nested_group.add_guest(reporter)
nested_group.add_guest(developer)
nested_group.add_guest(master)
group.owners.destroy_all
group.add_guest(owner)
nested_group.add_owner(owner)
end
subject { described_class.abilities(current_user, nested_group).to_set } subject { described_class.abilities(current_user, nested_group).to_set }
context 'with no user' do context 'with no user' do
...@@ -117,6 +137,7 @@ describe GroupPolicy, models: true do ...@@ -117,6 +137,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.not_to include(:read_group) is_expected.not_to include(:read_group)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -127,6 +148,7 @@ describe GroupPolicy, models: true do ...@@ -127,6 +148,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.not_to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -137,6 +159,7 @@ describe GroupPolicy, models: true do ...@@ -137,6 +159,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -147,6 +170,7 @@ describe GroupPolicy, models: true do ...@@ -147,6 +170,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.not_to include(*master_permissions) is_expected.not_to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -157,6 +181,7 @@ describe GroupPolicy, models: true do ...@@ -157,6 +181,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.to include(*master_permissions) is_expected.to include(*master_permissions)
is_expected.not_to include(*owner_permissions) is_expected.not_to include(*owner_permissions)
end end
...@@ -167,6 +192,7 @@ describe GroupPolicy, models: true do ...@@ -167,6 +192,7 @@ describe GroupPolicy, models: true do
it do it do
is_expected.to include(:read_group) is_expected.to include(:read_group)
is_expected.to include(*reporter_permissions)
is_expected.to include(*master_permissions) is_expected.to include(*master_permissions)
is_expected.to include(*owner_permissions) is_expected.to include(*owner_permissions)
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment