Commit 8dffe619 authored by Patrick Bajao's avatar Patrick Bajao

Remove protected tag access when group is removed

When a group is removed from the project, it should no longer
be included in any protected tags.
parent a1b0c955
...@@ -15,6 +15,9 @@ module EE ...@@ -15,6 +15,9 @@ module EE
project.protected_branches.merge_access_by_group(group).destroy_all # rubocop: disable DestroyAll project.protected_branches.merge_access_by_group(group).destroy_all # rubocop: disable DestroyAll
project.protected_branches.push_access_by_group(group).destroy_all # rubocop: disable DestroyAll project.protected_branches.push_access_by_group(group).destroy_all # rubocop: disable DestroyAll
# For protected tags
project.protected_tags.create_access_by_group(group).delete_all
# For protected environments # For protected environments
project.protected_environments.deploy_access_levels_by_group(group).delete_all project.protected_environments.deploy_access_levels_by_group(group).delete_all
end end
......
---
title: Remove protected tag access when group is removed
merge_request:
author:
type: security
...@@ -13,16 +13,46 @@ describe ProjectGroupLink do ...@@ -13,16 +13,46 @@ describe ProjectGroupLink do
project.add_developer(user) project.add_developer(user)
end end
it 'removes related protected environment deploy access levels' do shared_examples_for 'deleted related access levels' do |access_level_class|
params = attributes_for(:protected_environment, it "removes related #{access_level_class}" do
deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]) expect { project_group_link.destroy! }.to change(access_level_class, :count).by(-1)
expect(access_levels.find_by_group_id(group)).to be_nil
expect(access_levels.find_by_user_id(user)).to be_persisted
end
end
context 'protected tags' do
let!(:protected_tag) do
ProtectedTags::CreateService.new(
project,
project.owner,
attributes_for(
:protected_tag,
create_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
)
).execute
end
let(:access_levels) { protected_tag.create_access_levels }
it_behaves_like 'deleted related access levels', ProtectedTag::CreateAccessLevel
end
protected_environment = ProtectedEnvironments::CreateService.new(project, user, params).execute context 'protected environments' do
let!(:protected_environment) do
ProtectedEnvironments::CreateService.new(
project,
project.owner,
attributes_for(
:protected_environment,
deploy_access_levels_attributes: [{ group_id: group.id }, { user_id: user.id }]
)
).execute
end
expect { project_group_link.destroy! }.to change(ProtectedEnvironment::DeployAccessLevel, :count).by(-1) let(:access_levels) { protected_environment.deploy_access_levels }
expect(protected_environment.deploy_access_levels.find_by_group_id(group)).to be_nil it_behaves_like 'deleted related access levels', ProtectedEnvironment::DeployAccessLevel
expect(protected_environment.deploy_access_levels.find_by_user_id(user)).to be_persisted
end end
end end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment