Commit 61dd1268 authored by Sean McGivern's avatar Sean McGivern

Merge branch '327814-allow-project-owner-as-member' into 'master'

Allow ProjectMembers who are owners to have permissions

See merge request gitlab-org/gitlab!59844
parents e3a9e040 7bcc2ff0
......@@ -8,7 +8,11 @@ class ProjectMemberPolicy < BasePolicy
condition(:project_bot) { @subject.user&.project_bot? }
rule { anonymous }.prevent_all
rule { target_is_owner }.prevent_all
rule { target_is_owner }.policy do
prevent :update_project_member
prevent :destroy_project_member
end
rule { ~project_bot & can?(:admin_project_member) }.policy do
enable :update_project_member
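Review bot: Replacing `prevent_all` with a rule that prevents only `update_project_member` and `destroy_project_member` turns the owner target from deny-by-default into allow-by-default, so any ability added to this policy later (or reached through the delegated project policy) will apply to the owner's membership record unless it is also prevented here. That is presumably the intent, since the changelog and the GraphQL spec want the owner to appear in member listings, but the new `rule { target_is_owner }.policy do` block deserves a comment saying so, e.g. `# Owner memberships must not be updated or removed, but stay readable so member listings include the owner.` The ProjectMemberPolicy spec hunk pins only `read_project`, `update_project_member` and `destroy_project_member` for the owner; asserting the remaining abilities the policy defines (the regular-member context also checks `destroy_project_bot_member`) would catch an ability silently becoming allowed for owners. The rest of the policy class lies outside this hunk, so other rules may already cover some of that.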
---
title: Fix restrictive permissions for ProjectMembers who are owners
merge_request: 59844
author:
type: fixed
......@@ -16,12 +16,22 @@ RSpec.describe ProjectMemberPolicy do
context 'with regular member' do
let(:member_user) { create(:user) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_allowed(:update_project_member) }
it { is_expected.to be_allowed(:destroy_project_member) }
it { is_expected.not_to be_allowed(:destroy_project_bot_member) }
end
context 'when user is project owner' do
let(:member_user) { project.owner }
let(:member) { project.members.find_by!(user: member_user) }
it { is_expected.to be_allowed(:read_project) }
it { is_expected.to be_disallowed(:update_project_member) }
it { is_expected.to be_disallowed(:destroy_project_member) }
end
context 'with a bot member' do
let(:member_user) { create(:user, :project_bot) }
......@@ -78,6 +78,22 @@ RSpec.describe 'getting project members information' do
.to include('path' => %w[query project projectMembers relations],
'message' => a_string_including('invalid value ([OBLIQUE])'))
end
context 'when project is owned by a member' do
let_it_be(:project) { create(:project, namespace: user.namespace) }
before_all do
project.add_guest(child_user)
project.add_guest(invited_user)
end
it 'returns the owner in the response' do
fetch_members(project: project)
expect(graphql_errors).to be_nil
expect_array_response(user, child_user, invited_user)
end
end
end
context 'when unauthenticated' do
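Review bot: The context description `'when project is owned by a member'` does not quite match what it builds: the project is created in `user.namespace`, so the owner is the querying `user`, and the example checks that this user is returned alongside the two guests. Naming the context after the setup, e.g. `context "when the project is in the querying user's personal namespace" do`, would make the purpose of `expect_array_response(user, child_user, invited_user)` clearer. Whether `expect_array_response` is order-sensitive is not visible here; if it is, the owner's position in the expected list should be chosen deliberately rather than incidentally. The enclosing describe block starts and ends outside this hunk.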