Commit 6df69a5d authored by Jason Goodman's avatar Jason Goodman Committed by Etienne Baqué

Prevent API deletion of group with a paid gitlab.com subscription

Prevent for both delayed and immediate deletes
parent 8d8c1e2e
...@@ -975,6 +975,9 @@ Parameters: ...@@ -975,6 +975,9 @@ Parameters:
The response is `202 Accepted` if the user has authorization. The response is `202 Accepted` if the user has authorization.
NOTE:
A GitLab.com group can't be removed if it is linked to a subscription. To remove such a group, first [link the subscription](../subscriptions/index.md#change-the-linked-namespace) with a different group.
## Restore group marked for deletion **(PREMIUM)** ## Restore group marked for deletion **(PREMIUM)**
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33257) in GitLab 12.8. > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/33257) in GitLab 12.8.
......
---
title: Prevent deletion of groups with a subscription via the API
merge_request: 57533
author:
type: fixed
...@@ -892,6 +892,28 @@ RSpec.describe API::Groups do ...@@ -892,6 +892,28 @@ RSpec.describe API::Groups do
expect(json_response['message']).to eq('error') expect(json_response['message']).to eq('error')
end end
end end
it 'does not mark the group for deletion when the group has a paid gitlab.com subscription' do
create(:gitlab_subscription, :ultimate, namespace: group)
subject
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq("This group can't be removed because it is linked to a subscription.")
expect(group.marked_for_deletion_on).to be_nil
expect(group.deleting_user).to be_nil
end
it 'marks for deletion a subgroup of a group with a paid gitlab.com subscription' do
create(:gitlab_subscription, :ultimate, namespace: group)
subgroup = create(:group, parent: group)
delete api("/groups/#{subgroup.id}", user)
expect(response).to have_gitlab_http_status(:accepted)
expect(subgroup.marked_for_deletion_on).to eq(Date.today)
expect(subgroup.deleting_user).to eq(user)
end
end end
context 'period of delayed deletion is set to 0' do context 'period of delayed deletion is set to 0' do
...@@ -909,6 +931,22 @@ RSpec.describe API::Groups do ...@@ -909,6 +931,22 @@ RSpec.describe API::Groups do
end end
it_behaves_like 'immediately enqueues the job to delete the group' it_behaves_like 'immediately enqueues the job to delete the group'
it 'does not delete the group when the group has a paid gitlab.com subscription' do
create(:gitlab_subscription, :ultimate, namespace: group)
expect { subject }.not_to change(GroupDestroyWorker.jobs, :size)
expect(response).to have_gitlab_http_status(:bad_request)
expect(json_response['message']).to eq("This group can't be removed because it is linked to a subscription.")
end
it 'deletes a subgroup of a group with a paid gitlab.com subscription' do
create(:gitlab_subscription, :ultimate, namespace: group)
subgroup = create(:group, parent: group)
expect { delete api("/groups/#{subgroup.id}", user) }.to change(GroupDestroyWorker.jobs, :size).by(1)
expect(response).to have_gitlab_http_status(:accepted)
end
end end
end end
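Review bot: Neither new rejection example (`does not mark the group for deletion…` and `does not delete the group…`) pins the order of the authorization check and the subscription check. Both appear to run as a user who may administer the group; `subject` and `user` are defined outside the hunk. An example where a user without admin rights on a paid group still receives the usual authorization failure, not the 400, would guard against a later reordering that reveals a group's subscription state to callers who cannot delete it. The examples also only use the `:ultimate` trait, so a case with a subscription that is not on a paid plan (if the factory provides one) would document where `group.paid?` draws the line.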
......
...@@ -141,6 +141,10 @@ module API ...@@ -141,6 +141,10 @@ module API
def authorize_group_creation! def authorize_group_creation!
authorize! :create_group authorize! :create_group
end end
def check_subscription!(group)
render_api_error!("This group can't be removed because it is linked to a subscription.", :bad_request) if group.paid?
end
end end
resource :groups do resource :groups do
...@@ -239,6 +243,7 @@ module API ...@@ -239,6 +243,7 @@ module API
delete ":id" do delete ":id" do
group = find_group!(params[:id]) group = find_group!(params[:id])
authorize! :admin_group, group authorize! :admin_group, group
check_subscription! group
delete_group(group) delete_group(group)
end end
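Review bot: `check_subscription!` is called only from the `delete ":id"` route, so the rule is enforced in the API layer and not in whatever `delete_group` calls, which is not visible here. If a paid group must never be deleted, other callers of the same destroy path would need their own guard, and enforcing the rule in the service or policy is harder to bypass by accident. The condition is `group.paid?` while the message and docs say "linked to a subscription", so a comment on the helper should state which is meant, for example `# Paid GitLab.com groups must have their subscription linked to another namespace before deletion.`. Keeping the call after `authorize! :admin_group, group` is right, as it avoids disclosing subscription state to unauthorized callers. Both the helpers block and the resource block continue outside the hunks.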
......