Merge branch '327814-allow-project-owner-as-member' into 'master'

Allow ProjectMembers who are owners to have permissions See merge request gitlab-org/gitlab!59844

Merge branch '327814-allow-project-owner-as-member' into 'master'
Allow ProjectMembers who are owners to have permissions See merge request gitlab-org/gitlab!59844
61dd1268 · Sean McGivern · e3a9e040 · 7bcc2ff0 · 61dd1268 · 61dd1268
Commit 61dd1268 authored Apr 22, 2021 by Sean McGivern
4 changed files
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -8,7 +8,11 @@ class ProjectMemberPolicy < BasePolicy
  condition(:project_bot) { @subject.user&.project_bot? }
  rule { anonymous }.prevent_all
-  rule { target_is_owner }.prevent_all
+  rule { target_is_owner }.policy do
+    prevent :update_project_member
+    prevent :destroy_project_member
+  end
  rule { ~project_bot & can?(:admin_project_member) }.policy do
    enable :update_project_member

--- a/changelogs/unreleased/327814-allow-project-owner-as-member.yml
+++ b/changelogs/unreleased/327814-allow-project-owner-as-member.yml
+---
+title: Fix restrictive permissions for ProjectMembers who are owners
+merge_request: 59844
+author:
+type: fixed
--- a/spec/policies/project_member_policy_spec.rb
+++ b/spec/policies/project_member_policy_spec.rb
@@ -16,12 +16,22 @@ RSpec.describe ProjectMemberPolicy do
  context 'with regular member' do
    let(:member_user) { create(:user) }
+    it { is_expected.to be_allowed(:read_project) }
    it { is_expected.to be_allowed(:update_project_member) }
    it { is_expected.to be_allowed(:destroy_project_member) }
    it { is_expected.not_to be_allowed(:destroy_project_bot_member) }
  end
+  context 'when user is project owner' do
+    let(:member_user) { project.owner }
+    let(:member) { project.members.find_by!(user: member_user) }
+    it { is_expected.to be_allowed(:read_project) }
+    it { is_expected.to be_disallowed(:update_project_member) }
+    it { is_expected.to be_disallowed(:destroy_project_member) }
+  end
  context 'with a bot member' do
    let(:member_user) { create(:user, :project_bot) }

--- a/spec/requests/api/graphql/project/project_members_spec.rb
+++ b/spec/requests/api/graphql/project/project_members_spec.rb
@@ -78,6 +78,22 @@ RSpec.describe 'getting project members information' do
        .to include('path' => %w[query project projectMembers relations],
                    'message' => a_string_including('invalid value ([OBLIQUE])'))
    end
+    context 'when project is owned by a member' do
+      let_it_be(:project) { create(:project, namespace: user.namespace) }
+      before_all do
+        project.add_guest(child_user)
+        project.add_guest(invited_user)
+      end
+      it 'returns the owner in the response' do
+        fetch_members(project: project)
+        expect(graphql_errors).to be_nil
+        expect_array_response(user, child_user, invited_user)
+      end
+    end
  end
  context 'when unauthenticated' do