Merge branch 'dz-nested-group-access' into 'master'

Inherit permissions from parent group See merge request !8071
author: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-12-29 00:00:10 +0000
committer: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2016-12-29 00:00:10 +0000
commit: c595b41881896e0987d66d9be8b307cfed97fd7d (patch)
tree: e74461388cf51806f050316a5045f5270b55104c /app
parent: 7d0e63faffcbb818e686cb3d2dd1aefdbb957d4a (diff)
parent: 9f39953eaf5568eb75bd2ecf1bab230bbf13f330 (diff)
download: gitlab-ce-c595b41881896e0987d66d9be8b307cfed97fd7d.tar.gz
3 files changed, 16 insertions, 6 deletions
diff --git a/app/models/group.rb b/app/models/group.rb
index 85696ad9747..9888b242e98 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -161,15 +161,17 @@ class Group < Namespace
   end
 
   def has_owner?(user)
-    owners.include?(user)
+    members_with_parents.owners.where(user_id: user).any?
   end
 
   def has_master?(user)
-    members.masters.where(user_id: user).any?
+    members_with_parents.masters.where(user_id: user).any?
   end
 
+  # Check if user is a last owner of the group.
+  # Parent owners are ignored for nested groups.
   def last_owner?(user)
-    has_owner?(user) && owners.size == 1
+    owners.include?(user) && owners.size == 1
   end
 
   def avatar_type
@@ -195,6 +197,14 @@ class Group < Namespace
   end
 
   def refresh_members_authorized_projects
-    UserProjectAccessChangedService.new(users.pluck(:id)).execute
+    UserProjectAccessChangedService.new(users_with_parents.pluck(:id)).execute
+  end
+
+  def members_with_parents
+    GroupMember.where(requested_at: nil, source_id: parents.map(&:id).push(id))
+  end
+
+  def users_with_parents
+    User.where(id: members_with_parents.select(:user_id))
   end
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6f943feb2a7..0be6e113655 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -4,7 +4,7 @@ class GroupPolicy < BasePolicy
     return unless @user
 
     globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
-    member = @subject.users.include?(@user)
+    member = @subject.users_with_parents.include?(@user)
     owner = @user.admin? || @subject.has_owner?(@user)
     master = owner || @subject.has_master?(@user)
 
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b5db9c12622..eaf3035dfe1 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -245,7 +245,7 @@ class ProjectPolicy < BasePolicy
   def project_group_member?(user)
     project.group &&
       (
-        project.group.members.exists?(user_id: user.id) ||
+        project.group.members_with_parents.exists?(user_id: user.id) ||
         project.group.requesters.exists?(user_id: user.id)
       )
   end
author	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-12-29 00:00:10 +0000
committer	Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>	2016-12-29 00:00:10 +0000
commit	c595b41881896e0987d66d9be8b307cfed97fd7d (patch)
tree	e74461388cf51806f050316a5045f5270b55104c /app
parent	7d0e63faffcbb818e686cb3d2dd1aefdbb957d4a (diff)
parent	9f39953eaf5568eb75bd2ecf1bab230bbf13f330 (diff)
download	gitlab-ce-c595b41881896e0987d66d9be8b307cfed97fd7d.tar.gz