Fix access to projects shared with a nested group

Signed-off-by: N Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>

Fix access to projects shared with a nested group
Signed-off-by: N Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
05f331f3 · Douwe Maan · Dmitriy Zaporozhets · 71fbbc9d · 05f331f3 · 05f331f3
4 changed file
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -474,7 +474,7 @@ class User < ActiveRecord::Base
    Group.member_descendants(id)
  end

-  def nested_projects
+  def nested_groups_projects
    Project.joins(:namespace).where('namespaces.parent_id IS NOT NULL').
      member_descendants(id)
  end

--- a/app/services/users/refresh_authorized_projects_service.rb
+++ b/app/services/users/refresh_authorized_projects_service.rb
@@ -115,11 +115,23 @@ module Users
    # Returns a union query of projects that the user is authorized to access
    def project_authorizations_union
      relations = [
+        # Personal projects
        user.personal_projects.select("#{user.id} AS user_id, projects.id AS project_id, #{Gitlab::Access::MASTER} AS access_level"),
-        user.groups_projects.select_for_project_authorization,
+
+        # Projects the user is a member of
        user.projects.select_for_project_authorization,
+
+        # Projects of groups the user is a member of
+        user.groups_projects.select_for_project_authorization,
+
+        # Projects of subgroups of groups the user is a member of
+        user.nested_groups_projects.select_for_project_authorization,
+
+        # Projects shared with groups the user is a member of
        user.groups.joins(:shared_projects).select_for_project_authorization,
-        user.nested_projects.select_for_project_authorization
+
+        # Projects shared with subgroups of groups the user is a member of
+        user.nested_groups.joins(:shared_projects).select_for_project_authorization
      ]

      Gitlab::SQL::Union.new(relations)

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -1429,7 +1429,7 @@ describe User, models: true do
    it { expect(user.nested_groups).to eq([nested_group]) }
  end

-  describe '#nested_projects' do
+  describe '#nested_groups_projects' do
    let!(:user) { create(:user) }
    let!(:group) { create(:group) }
    let!(:nested_group) { create(:group, parent: group) }
@@ -1444,7 +1444,7 @@ describe User, models: true do
      other_project.add_developer(create(:user))
    end

-    it { expect(user.nested_projects).to eq([nested_project]) }
+    it { expect(user.nested_groups_projects).to eq([nested_project]) }
  end

  describe '#refresh_authorized_projects', redis: true do

--- a/spec/services/users/refresh_authorized_projects_service_spec.rb
+++ b/spec/services/users/refresh_authorized_projects_service_spec.rb
@@ -131,6 +131,80 @@ describe Users::RefreshAuthorizedProjectsService do
    it 'sets the values to the access levels' do
      expect(hash.values).to eq([Gitlab::Access::MASTER])
    end
+
+    context 'personal projects' do
+      it 'includes the project with the right access level' do
+        expect(hash[project.id]).to eq(Gitlab::Access::MASTER)
+      end
+    end
+
+    context 'projects the user is a member of' do
+      let!(:other_project) { create(:empty_project) }
+
+      before do
+        other_project.team.add_reporter(user)
+      end
+
+      it 'includes the project with the right access level' do
+        expect(hash[other_project.id]).to eq(Gitlab::Access::REPORTER)
+      end
+    end
+
+    context 'projects of groups the user is a member of' do
+      let(:group) { create(:group) }
+      let!(:other_project) { create(:project, group: group) }
+
+      before do
+        group.add_owner(user)
+      end
+
+      it 'includes the project with the right access level' do
+        expect(hash[other_project.id]).to eq(Gitlab::Access::OWNER)
+      end
+    end
+
+    context 'projects of subgroups of groups the user is a member of' do
+      let(:group) { create(:group) }
+      let(:nested_group) { create(:group, parent: group) }
+      let!(:other_project) { create(:project, group: nested_group) }
+
+      before do
+        group.add_master(user)
+      end
+
+      it 'includes the project with the right access level' do
+        expect(hash[other_project.id]).to eq(Gitlab::Access::MASTER)
+      end
+    end
+
+    context 'projects shared with groups the user is a member of' do
+      let(:group) { create(:group) }
+      let(:other_project) { create(:empty_project) }
+      let!(:project_group_link) { create(:project_group_link, project: other_project, group: group, group_access: Gitlab::Access::GUEST) }
+
+      before do
+        group.add_master(user)
+      end
+
+      it 'includes the project with the right access level' do
+        expect(hash[other_project.id]).to eq(Gitlab::Access::GUEST)
+      end
+    end
+
+    context 'projects shared with subgroups of groups the user is a member of' do
+      let(:group) { create(:group) }
+      let(:nested_group) { create(:group, parent: group) }
+      let(:other_project) { create(:empty_project) }
+      let!(:project_group_link) { create(:project_group_link, project: other_project, group: nested_group, group_access: Gitlab::Access::DEVELOPER) }
+
+      before do
+        group.add_master(user)
+      end
+
+      it 'includes the project with the right access level' do
+        expect(hash[other_project.id]).to eq(Gitlab::Access::DEVELOPER)
+      end
+    end
  end

  describe '#current_authorizations_per_project' do