Include group parents into read access for project and group

Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-12-13 20:59:39 +0200
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-12-26 10:57:11 +0200
commit: 7b4b3d5f268534c028f55ef1014a84fe6a916cb0 (patch)
tree: 87408a9ae15c6263fbcfad84e97e2dc26446200b /app
parent: 645412b57f558d58418aad278c9a3bf421439e1c (diff)
download: gitlab-ce-7b4b3d5f268534c028f55ef1014a84fe6a916cb0.tar.gz
3 files changed, 16 insertions, 6 deletions
diff --git a/app/models/group.rb b/app/models/group.rb
index ac8a82c8c1e..50c949d84aa 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -155,15 +155,17 @@ class Group < Namespace
   end
 
   def has_owner?(user)
-    owners.include?(user)
+    members_with_parents.owners.where(user_id: user).any?
   end
 
   def has_master?(user)
-    members.masters.where(user_id: user).any?
+    members_with_parents.masters.where(user_id: user).any?
   end
 
+  # Check if user is a last owner of the group.
+  # Parent owners are ignored for nested groups.
   def last_owner?(user)
-    has_owner?(user) && owners.size == 1
+    owners.include?(user) && owners.size == 1
   end
 
   def avatar_type
@@ -189,6 +191,14 @@ class Group < Namespace
   end
 
   def refresh_members_authorized_projects
-    UserProjectAccessChangedService.new(users.pluck(:id)).execute
+    UserProjectAccessChangedService.new(users_with_parents.pluck(:id)).execute
+  end
+
+  def members_with_parents
+    GroupMember.where(requested_at: nil, source_id: parents.map(&:id).push(id))
+  end
+
+  def users_with_parents
+    User.where(id: members_with_parents.pluck(:user_id))
   end
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6f943feb2a7..0be6e113655 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -4,7 +4,7 @@ class GroupPolicy < BasePolicy
     return unless @user
 
     globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
-    member = @subject.users.include?(@user)
+    member = @subject.users_with_parents.include?(@user)
     owner = @user.admin? || @subject.has_owner?(@user)
     master = owner || @subject.has_master?(@user)
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b5db9c12622..eaf3035dfe1 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -245,7 +245,7 @@ class ProjectPolicy < BasePolicy
   def project_group_member?(user)
     project.group &&
       (
-        project.group.members.exists?(user_id: user.id) ||
+        project.group.members_with_parents.exists?(user_id: user.id) ||
         project.group.requesters.exists?(user_id: user.id)
       )
   end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-12-13 20:59:39 +0200
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-12-26 10:57:11 +0200
commit	7b4b3d5f268534c028f55ef1014a84fe6a916cb0 (patch)
tree	87408a9ae15c6263fbcfad84e97e2dc26446200b /app
parent	645412b57f558d58418aad278c9a3bf421439e1c (diff)
download	gitlab-ce-7b4b3d5f268534c028f55ef1014a84fe6a916cb0.tar.gz