Add admin ldap setting policy rule

82d535cc · Sebastian Arcila Valenzuela · 46fb3939 · 82d535cc · 82d535cc
Commit 82d535cc authored Mar 04, 2020 by Sebastian Arcila Valenzuela
Show whitespace changes
Inline Side-by-side

Showing with 14 additions and 2 deletions

ee/app/policies/ee/group_policy.rb ee/app/policies/ee/group_policy.rb +4 -2

ee/spec/policies/group_policy_spec.rb ee/spec/policies/group_policy_spec.rb +10 -0

No files found.
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -134,8 +134,10 @@ module EE

      rule { admin | owner }.enable :admin_group_saml

-      rule { admin | (can_owners_manage_ldap & owner) }.enable :admin_ldap_group_links
-
+      rule { admin | (can_owners_manage_ldap & owner) }.policy do
+        enable :admin_ldap_group_links
+        enable :admin_ldap_group_settings
+      end

      rule { ldap_synced & ~owners_bypass_ldap_lock }.prevent :admin_group_member


--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -273,6 +273,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_allowed(:admin_ldap_group_links) }
+      it { is_expected.to be_allowed(:admin_ldap_group_settings) }

      context 'does not allow group owners to manage ldap' do
        before do
@@ -280,6 +281,7 @@ describe GroupPolicy do
        end

        it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+        it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
      end
    end

@@ -288,6 +290,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_allowed(:admin_ldap_group_links) }
+      it { is_expected.to be_allowed(:admin_ldap_group_settings) }
    end
  end

@@ -301,6 +304,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+      it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
    end

    context 'guests' do
@@ -308,6 +312,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+      it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
    end

    context 'reporter' do
@@ -315,6 +320,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+      it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
    end

    context 'developer' do
@@ -322,6 +328,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+      it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
    end

    context 'maintainer' do
@@ -329,6 +336,7 @@ describe GroupPolicy do

      it { is_expected.to be_disallowed(:override_group_member) }
      it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+      it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
    end

    context 'owner' do
@@ -345,6 +353,7 @@ describe GroupPolicy do

        it { is_expected.to be_disallowed(:override_group_member) }
        it { is_expected.to be_disallowed(:admin_ldap_group_links) }
+        it { is_expected.to be_disallowed(:admin_ldap_group_settings) }
      end
    end

@@ -353,6 +362,7 @@ describe GroupPolicy do

      it { is_expected.to be_allowed(:override_group_member) }
      it { is_expected.to be_allowed(:admin_ldap_group_links) }
+      it { is_expected.to be_allowed(:admin_ldap_group_settings) }
    end

    context 'when memberships locked to LDAP' do