Don't treat anonymous users as owners when group has pending invites

The `members` table can have entries where `user_id: nil`, because people can invite group members by email. We never want to include those as members, because it might cause confusion with the anonymous (logged out) user.

Don't treat anonymous users as owners when group has pending invites
The `members` table can have entries where `user_id: nil`, because people can invite group members by email. We never want to include those as members, because it might cause confusion with the anonymous (logged out) user.
ccac2abe · Sean McGivern · f81ed493 · ccac2abe · ccac2abe · ccac2abe
Commit ccac2abe authored Jul 24, 2017 by Sean McGivern
6 changed files
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -167,10 +167,14 @@ class Group < Namespace
  end

  def has_owner?(user)
+    return false unless user
+
    members_with_parents.owners.where(user_id: user).any?
  end

  def has_master?(user)
+    return false unless user
+
    members_with_parents.masters.where(user_id: user).any?
  end

@@ -212,7 +216,7 @@ class Group < Namespace
  end

  def members_with_parents
-    GroupMember.non_request.where(source_id: ancestors.pluck(:id).push(id))
+    GroupMember.active.where(source_id: ancestors.pluck(:id).push(id)).where.not(user_id: nil)
  end

  def users_with_parents

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -10,7 +10,8 @@ class ProjectPolicy < BasePolicy

  desc "User is a project owner"
  condition :owner do
-    @user && project.owner == @user || (project.group && project.group.has_owner?(@user))
+    (project.owner.present? && project.owner == @user) ||
+      project.group&.has_owner?(@user)
  end

  desc "Project has public builds enabled"

--- a/changelogs/unreleased/35444-error-500-viewing-notes-with-anonymous-user.yml
+++ b/changelogs/unreleased/35444-error-500-viewing-notes-with-anonymous-user.yml
+---
+title: Fix anonymous access to public projects in groups with pending invites
+merge_request:
+author:
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -98,7 +98,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]

-        expect(project).to receive(:owner).twice.and_return(user1)
+        expect(project).to receive(:owner).at_least(:once).and_return(user1)

        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -109,7 +109,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]

-        expect(project.team).to receive(:members).twice.and_return([user1])
+        expect(project.team).to receive(:members).at_least(:once).and_return([user1])

        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -140,7 +140,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]

-        expect(project).to receive(:owner).twice.and_return(user1)
+        expect(project).to receive(:owner).at_least(:once).and_return(user1)

        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -151,7 +151,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]

-        expect(project.team).to receive(:members).twice.and_return([user1])
+        expect(project.team).to receive(:members).at_least(:once).and_return([user1])

        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -236,6 +236,7 @@ describe Group, models: true do
  describe '#has_owner?' do
    before do
      @members = setup_group_members(group)
+      create(:group_member, :invited, :owner, group: group)
    end

    it { expect(group.has_owner?(@members[:owner])).to be_truthy }
@@ -244,11 +245,13 @@ describe Group, models: true do
    it { expect(group.has_owner?(@members[:reporter])).to be_falsey }
    it { expect(group.has_owner?(@members[:guest])).to be_falsey }
    it { expect(group.has_owner?(@members[:requester])).to be_falsey }
+    it { expect(group.has_owner?(nil)).to be_falsey }
  end

  describe '#has_master?' do
    before do
      @members = setup_group_members(group)
+      create(:group_member, :invited, :master, group: group)
    end

    it { expect(group.has_master?(@members[:owner])).to be_falsey }
@@ -257,6 +260,7 @@ describe Group, models: true do
    it { expect(group.has_master?(@members[:reporter])).to be_falsey }
    it { expect(group.has_master?(@members[:guest])).to be_falsey }
    it { expect(group.has_master?(@members[:requester])).to be_falsey }
+    it { expect(group.has_master?(nil)).to be_falsey }
  end

  describe '#lfs_enabled?' do

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -127,6 +127,24 @@ describe ProjectPolicy, models: true do
    end
  end

+  context 'when a project has pending invites, and the current user is anonymous' do
+    let(:group) { create(:group, :public) }
+    let(:project) { create(:empty_project, :public, namespace: group) }
+    let(:user_permissions) { [:create_project, :create_issue, :create_note, :upload_file] }
+    let(:anonymous_permissions) { guest_permissions - user_permissions }
+
+    subject { described_class.new(nil, project) }
+
+    before do
+      create(:group_member, :invited, group: group)
+    end
+
+    it 'does not grant owner access' do
+      expect_allowed(*anonymous_permissions)
+      expect_disallowed(*user_permissions)
+    end
+  end
+
  context 'abilities for non-public projects' do
    let(:project) { create(:empty_project, namespace: owner.namespace) }