BigW Consortium Gitlab
Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
G
gitlab-ce
Project
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Open sidebar
Forest Godfrey
gitlab-ce
Commits
ba0d4877
Commit
ba0d4877
authored
Nov 23, 2016
by
Sean McGivern
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'fix/drop-project-authorized-for-user' into 'master'
Use authorized projects in ProjectTeam Closes #23938 and #23636 See merge request !7586
parents
6f7ce372
2ea5ef0b
Show whitespace changes
Inline
Side-by-side
Showing
14 changed files
with
108 additions
and
172 deletions
+108
-172
group.rb
app/models/group.rb
+3
-1
issue.rb
app/models/issue.rb
+1
-1
member.rb
app/models/member.rb
+1
-1
namespace.rb
app/models/namespace.rb
+8
-0
project.rb
app/models/project.rb
+2
-8
project_team.rb
app/models/project_team.rb
+19
-98
user.rb
app/models/user.rb
+1
-1
fix-drop-project-authorized-for-user.yml
...elogs/unreleased/fix-drop-project-authorized-for-user.yml
+4
-0
06_teams.rb
db/fixtures/development/06_teams.rb
+6
-1
members_helper_spec.rb
spec/helpers/members_helper_spec.rb
+2
-2
all_models.yml
spec/lib/gitlab/import_export/all_models.yml
+2
-0
issue_spec.rb
spec/models/issue_spec.rb
+1
-1
project_spec.rb
spec/models/project_spec.rb
+0
-51
project_team_spec.rb
spec/models/project_team_spec.rb
+58
-7
No files found.
app/models/group.rb
View file @
ba0d4877
...
...
@@ -65,7 +65,9 @@ class Group < Namespace
def
select_for_project_authorization
if
current_scope
.
joins_values
.
include?
(
:shared_projects
)
select
(
"members.user_id, projects.id AS project_id, project_group_links.group_access"
)
joins
(
'INNER JOIN namespaces project_namespace ON project_namespace.id = projects.namespace_id'
)
.
where
(
'project_namespace.share_with_group_lock = ?'
,
false
)
.
select
(
"members.user_id, projects.id AS project_id, LEAST(project_group_links.group_access, members.access_level) AS access_level"
)
else
super
end
...
...
app/models/issue.rb
View file @
ba0d4877
...
...
@@ -93,7 +93,7 @@ class Issue < ActiveRecord::Base
# Check if we are scoped to a specific project's issues
if
owner_project
if
owner_project
.
authorized_for_us
er?
(
user
,
Gitlab
::
Access
::
REPORTER
)
if
owner_project
.
team
.
memb
er?
(
user
,
Gitlab
::
Access
::
REPORTER
)
# If the project is authorized for the user, they can see all issues in the project
return
all
else
...
...
app/models/member.rb
View file @
ba0d4877
...
...
@@ -246,7 +246,7 @@ class Member < ActiveRecord::Base
end
def
post_update_hook
# override in subclass
UserProjectAccessChangedService
.
new
(
user
.
id
).
execute
if
access_level_changed?
end
def
post_destroy_hook
...
...
app/models/namespace.rb
View file @
ba0d4877
...
...
@@ -27,6 +27,7 @@ class Namespace < ActiveRecord::Base
delegate
:name
,
to: :owner
,
allow_nil:
true
,
prefix:
true
after_update
:move_dir
,
if: :path_changed?
after_commit
:refresh_access_of_projects_invited_groups
,
on: :update
,
if:
->
{
previous_changes
.
key?
(
'share_with_group_lock'
)
}
# Save the storage paths before the projects are destroyed to use them on after destroy
before_destroy
(
prepend:
true
)
{
@old_repository_storage_paths
=
repository_storage_paths
}
...
...
@@ -175,4 +176,11 @@ class Namespace < ActiveRecord::Base
end
end
end
def
refresh_access_of_projects_invited_groups
Group
.
joins
(
project_group_links: :project
).
where
(
projects:
{
namespace_id:
id
}).
find_each
(
&
:refresh_members_authorized_projects
)
end
end
app/models/project.rb
View file @
ba0d4877
...
...
@@ -126,6 +126,8 @@ class Project < ActiveRecord::Base
has_many
:hooks
,
dependent: :destroy
,
class_name:
'ProjectHook'
has_many
:protected_branches
,
dependent: :destroy
has_many
:project_authorizations
,
dependent: :destroy
has_many
:authorized_users
,
through: :project_authorizations
,
source: :user
,
class_name:
'User'
has_many
:project_members
,
->
{
where
(
requested_at:
nil
)
},
dependent: :destroy
,
as: :source
alias_method
:members
,
:project_members
has_many
:users
,
through: :project_members
...
...
@@ -1293,14 +1295,6 @@ class Project < ActiveRecord::Base
end
end
# Checks if `user` is authorized for this project, with at least the
# `min_access_level` (if given).
def
authorized_for_user?
(
user
,
min_access_level
=
nil
)
return
false
unless
user
user
.
authorized_project?
(
self
,
min_access_level
)
end
def
append_or_update_attribute
(
name
,
value
)
old_values
=
public_send
(
name
.
to_s
)
...
...
app/models/project_team.rb
View file @
ba0d4877
...
...
@@ -80,19 +80,19 @@ class ProjectTeam
alias_method
:users
,
:members
def
guests
@guests
||=
fetch_members
(
:guests
)
@guests
||=
fetch_members
(
Gitlab
::
Access
::
GUEST
)
end
def
reporters
@reporters
||=
fetch_members
(
:reporters
)
@reporters
||=
fetch_members
(
Gitlab
::
Access
::
REPORTER
)
end
def
developers
@developers
||=
fetch_members
(
:developers
)
@developers
||=
fetch_members
(
Gitlab
::
Access
::
DEVELOPER
)
end
def
masters
@masters
||=
fetch_members
(
:masters
)
@masters
||=
fetch_members
(
Gitlab
::
Access
::
MASTER
)
end
def
import
(
source_project
,
current_user
=
nil
)
...
...
@@ -141,8 +141,12 @@ class ProjectTeam
max_member_access
(
user
.
id
)
==
Gitlab
::
Access
::
MASTER
end
def
member?
(
user
,
min_member_access
=
Gitlab
::
Access
::
GUEST
)
max_member_access
(
user
.
id
)
>=
min_member_access
# Checks if `user` is authorized for this project, with at least the
# `min_access_level` (if given).
def
member?
(
user
,
min_access_level
=
Gitlab
::
Access
::
GUEST
)
return
false
unless
user
user
.
authorized_project?
(
project
,
min_access_level
)
end
def
human_max_access
(
user_id
)
...
...
@@ -165,112 +169,29 @@ class ProjectTeam
# Lookup only the IDs we need
user_ids
=
user_ids
-
access
.
keys
users_access
=
project
.
project_authorizations
.
where
(
user:
user_ids
).
group
(
:user_id
).
maximum
(
:access_level
)
if
user_ids
.
present?
user_ids
.
each
{
|
id
|
access
[
id
]
=
Gitlab
::
Access
::
NO_ACCESS
}
member_access
=
project
.
members
.
access_for_user_ids
(
user_ids
)
merge_max!
(
access
,
member_access
)
if
group
group_access
=
group
.
members
.
access_for_user_ids
(
user_ids
)
merge_max!
(
access
,
group_access
)
end
# Each group produces a list of maximum access level per user. We take the
# max of the values produced by each group.
if
project_shared_with_group?
project
.
project_group_links
.
each
do
|
group_link
|
invited_access
=
max_invited_level_for_users
(
group_link
,
user_ids
)
merge_max!
(
access
,
invited_access
)
end
end
end
access
.
merge!
(
users_access
)
access
end
def
max_member_access
(
user_id
)
max_member_access_for_user_ids
([
user_id
])[
user_id
]
max_member_access_for_user_ids
([
user_id
])[
user_id
]
||
Gitlab
::
Access
::
NO_ACCESS
end
private
# For a given group, return the maximum access level for the user. This is the min of
# the invited access level of the group and the access level of the user within the group.
# For example, if the group has been given DEVELOPER access but the member has MASTER access,
# the user should receive only DEVELOPER access.
def
max_invited_level_for_users
(
group_link
,
user_ids
)
invited_group
=
group_link
.
group
capped_access_level
=
group_link
.
group_access
access
=
invited_group
.
group_members
.
access_for_user_ids
(
user_ids
)
# If the user is not in the list, assume he/she does not have access
missing_users
=
user_ids
-
access
.
keys
missing_users
.
each
{
|
id
|
access
[
id
]
=
Gitlab
::
Access
::
NO_ACCESS
}
# Cap the maximum access by the invited level access
access
.
each
{
|
key
,
value
|
access
[
key
]
=
[
value
,
capped_access_level
].
min
}
end
def
fetch_members
(
level
=
nil
)
project_members
=
project
.
members
group_members
=
group
?
group
.
members
:
[]
if
level
project_members
=
project_members
.
public_send
(
level
)
group_members
=
group_members
.
public_send
(
level
)
if
group
end
user_ids
=
project_members
.
pluck
(
:user_id
)
invited_members
=
fetch_invited_members
(
level
)
user_ids
.
push
(
*
invited_members
.
map
(
&
:user_id
))
if
invited_members
.
any?
user_ids
.
push
(
*
group_members
.
pluck
(
:user_id
))
if
group
members
=
project
.
authorized_users
members
=
members
.
where
(
project_authorizations:
{
access_level:
level
})
if
level
User
.
where
(
id:
user_ids
)
members
end
def
group
project
.
group
end
def
merge_max!
(
first_hash
,
second_hash
)
first_hash
.
merge!
(
second_hash
)
{
|
_key
,
old
,
new
|
old
>
new
?
old
:
new
}
end
def
project_shared_with_group?
project
.
invited_groups
.
any?
&&
project
.
allowed_to_share_with_group?
end
def
fetch_invited_members
(
level
=
nil
)
invited_members
=
[]
return
invited_members
unless
project_shared_with_group?
project
.
project_group_links
.
includes
(
group:
[
:group_members
]).
each
do
|
link
|
invited_group_members
=
link
.
group
.
members
if
level
numeric_level
=
GroupMember
.
access_level_roles
[
level
.
to_s
.
singularize
.
titleize
]
# If we're asked for a level that's higher than the group's access,
# there's nothing left to do
next
if
numeric_level
>
link
.
group_access
# Make sure we include everyone _above_ the requested level as well
invited_group_members
=
if
numeric_level
==
link
.
group_access
invited_group_members
.
where
(
"access_level >= ?"
,
link
.
group_access
)
else
invited_group_members
.
public_send
(
level
)
end
end
invited_members
<<
invited_group_members
end
invited_members
.
flatten
.
compact
end
end
app/models/user.rb
View file @
ba0d4877
...
...
@@ -926,7 +926,7 @@ class User < ActiveRecord::Base
# Returns a union query of projects that the user is authorized to access
def
project_authorizations_union
relations
=
[
personal_projects
.
select
(
"
#{
id
}
AS user_id, projects.id AS project_id,
#{
Gitlab
::
Access
::
OWN
ER
}
AS access_level"
),
personal_projects
.
select
(
"
#{
id
}
AS user_id, projects.id AS project_id,
#{
Gitlab
::
Access
::
MAST
ER
}
AS access_level"
),
groups_projects
.
select_for_project_authorization
,
projects
.
select_for_project_authorization
,
groups
.
joins
(
:shared_projects
).
select_for_project_authorization
...
...
changelogs/unreleased/fix-drop-project-authorized-for-user.yml
0 → 100644
View file @
ba0d4877
---
title
:
Use authorized projects in ProjectTeam
merge_request
:
author
:
db/fixtures/development/06_teams.rb
View file @
ba0d4877
Gitlab
::
Seeder
.
quiet
do
require
'sidekiq/testing'
require
'./db/fixtures/support/serialized_transaction'
Sidekiq
::
Testing
.
inline!
do
Gitlab
::
Seeder
.
quiet
do
Group
.
all
.
each
do
|
group
|
User
.
all
.
sample
(
4
).
each
do
|
user
|
if
group
.
add_user
(
user
,
Gitlab
::
Access
.
values
.
sample
).
persisted?
...
...
@@ -18,4 +22,5 @@ Gitlab::Seeder.quiet do
end
end
end
end
end
spec/helpers/members_helper_spec.rb
View file @
ba0d4877
...
...
@@ -10,7 +10,7 @@ describe MembersHelper do
end
describe
'#remove_member_message'
do
let
(
:requester
)
{
build
(
:user
)
}
let
(
:requester
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
,
:access_requestable
)
}
let
(
:project_member
)
{
build
(
:project_member
,
project:
project
)
}
let
(
:project_member_invite
)
{
build
(
:project_member
,
project:
project
).
tap
{
|
m
|
m
.
generate_invite_token!
}
}
...
...
@@ -31,7 +31,7 @@ describe MembersHelper do
end
describe
'#remove_member_title'
do
let
(
:requester
)
{
build
(
:user
)
}
let
(
:requester
)
{
create
(
:user
)
}
let
(
:project
)
{
create
(
:empty_project
,
:public
,
:access_requestable
)
}
let
(
:project_member
)
{
build
(
:project_member
,
project:
project
)
}
let
(
:project_member_request
)
{
project
.
request_access
(
requester
)
}
...
...
spec/lib/gitlab/import_export/all_models.yml
View file @
ba0d4877
...
...
@@ -186,6 +186,8 @@ project:
-
environments
-
deployments
-
project_feature
-
authorized_users
-
project_authorizations
award_emoji
:
-
awardable
-
user
...
...
spec/models/issue_spec.rb
View file @
ba0d4877
...
...
@@ -331,7 +331,7 @@ describe Issue, models: true do
end
context
'with a user'
do
let
(
:user
)
{
build
(
:user
)
}
let
(
:user
)
{
create
(
:user
)
}
let
(
:issue
)
{
build
(
:issue
)
}
it
'returns true when the issue is readable'
do
...
...
spec/models/project_spec.rb
View file @
ba0d4877
...
...
@@ -1507,57 +1507,6 @@ describe Project, models: true do
end
end
describe
'authorized_for_user'
do
let
(
:group
)
{
create
(
:group
)
}
let
(
:developer
)
{
create
(
:user
)
}
let
(
:master
)
{
create
(
:user
)
}
let
(
:personal_project
)
{
create
(
:project
,
namespace:
developer
.
namespace
)
}
let
(
:group_project
)
{
create
(
:project
,
namespace:
group
)
}
let
(
:members_project
)
{
create
(
:project
)
}
let
(
:shared_project
)
{
create
(
:project
)
}
before
do
group
.
add_master
(
master
)
group
.
add_developer
(
developer
)
members_project
.
team
<<
[
developer
,
:developer
]
members_project
.
team
<<
[
master
,
:master
]
create
(
:project_group_link
,
project:
shared_project
,
group:
group
,
group_access:
Gitlab
::
Access
::
DEVELOPER
)
end
it
'returns false for no user'
do
expect
(
personal_project
.
authorized_for_user?
(
nil
)).
to
be
(
false
)
end
it
'returns true for personal projects of the user'
do
expect
(
personal_project
.
authorized_for_user?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects of groups the user is a member of'
do
expect
(
group_project
.
authorized_for_user?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects for which the user is a member of'
do
expect
(
members_project
.
authorized_for_user?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects shared on a group the user is a member of'
do
expect
(
shared_project
.
authorized_for_user?
(
developer
)).
to
be
(
true
)
end
it
'checks for the correct minimum level access'
do
expect
(
group_project
.
authorized_for_user?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
group_project
.
authorized_for_user?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
true
)
expect
(
members_project
.
authorized_for_user?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
members_project
.
authorized_for_user?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
true
)
expect
(
shared_project
.
authorized_for_user?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
shared_project
.
authorized_for_user?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
shared_project
.
authorized_for_user?
(
developer
,
Gitlab
::
Access
::
DEVELOPER
)).
to
be
(
true
)
expect
(
shared_project
.
authorized_for_user?
(
master
,
Gitlab
::
Access
::
DEVELOPER
)).
to
be
(
true
)
end
end
describe
'change_head'
do
let
(
:project
)
{
create
(
:project
)
}
...
...
spec/models/project_team_spec.rb
View file @
ba0d4877
...
...
@@ -37,7 +37,7 @@ describe ProjectTeam, models: true do
context
'group project'
do
let
(
:group
)
{
create
(
:group
)
}
let
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
let
!
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
before
do
group
.
add_master
(
master
)
...
...
@@ -118,7 +118,7 @@ describe ProjectTeam, models: true do
context
'group project'
do
let
(
:group
)
{
create
(
:group
)
}
let
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
let
!
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
it
'returns project members'
do
group_member
=
create
(
:group_member
,
group:
group
)
...
...
@@ -178,9 +178,9 @@ describe ProjectTeam, models: true do
it
'returns Master role'
do
user
=
create
(
:user
)
group
=
create
(
:group
)
group
.
add_master
(
user
)
project
=
create
(
:empty_project
,
namespace:
group
)
project
=
build_stubbed
(
:empty_project
,
namespace:
group
)
group
.
add_master
(
user
)
expect
(
project
.
team
.
human_max_access
(
user
.
id
)).
to
eq
'Master'
end
...
...
@@ -188,9 +188,9 @@ describe ProjectTeam, models: true do
it
'returns Owner role'
do
user
=
create
(
:user
)
group
=
create
(
:group
)
group
.
add_owner
(
user
)
project
=
create
(
:empty_project
,
namespace:
group
)
project
=
build_stubbed
(
:empty_project
,
namespace:
group
)
group
.
add_owner
(
user
)
expect
(
project
.
team
.
human_max_access
(
user
.
id
)).
to
eq
'Owner'
end
...
...
@@ -244,7 +244,7 @@ describe ProjectTeam, models: true do
context
'group project'
do
let
(
:group
)
{
create
(
:group
,
:access_requestable
)
}
let
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
let
!
(
:project
)
{
create
(
:empty_project
,
group:
group
)
}
before
do
group
.
add_master
(
master
)
...
...
@@ -261,6 +261,57 @@ describe ProjectTeam, models: true do
end
end
describe
'#member?'
do
let
(
:group
)
{
create
(
:group
)
}
let
(
:developer
)
{
create
(
:user
)
}
let
(
:master
)
{
create
(
:user
)
}
let
(
:personal_project
)
{
create
(
:project
,
namespace:
developer
.
namespace
)
}
let
(
:group_project
)
{
create
(
:project
,
namespace:
group
)
}
let
(
:members_project
)
{
create
(
:project
)
}
let
(
:shared_project
)
{
create
(
:project
)
}
before
do
group
.
add_master
(
master
)
group
.
add_developer
(
developer
)
members_project
.
team
<<
[
developer
,
:developer
]
members_project
.
team
<<
[
master
,
:master
]
create
(
:project_group_link
,
project:
shared_project
,
group:
group
)
end
it
'returns false for no user'
do
expect
(
personal_project
.
team
.
member?
(
nil
)).
to
be
(
false
)
end
it
'returns true for personal projects of the user'
do
expect
(
personal_project
.
team
.
member?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects of groups the user is a member of'
do
expect
(
group_project
.
team
.
member?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects for which the user is a member of'
do
expect
(
members_project
.
team
.
member?
(
developer
)).
to
be
(
true
)
end
it
'returns true for projects shared on a group the user is a member of'
do
expect
(
shared_project
.
team
.
member?
(
developer
)).
to
be
(
true
)
end
it
'checks for the correct minimum level access'
do
expect
(
group_project
.
team
.
member?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
group_project
.
team
.
member?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
true
)
expect
(
members_project
.
team
.
member?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
members_project
.
team
.
member?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
true
)
expect
(
shared_project
.
team
.
member?
(
developer
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
shared_project
.
team
.
member?
(
master
,
Gitlab
::
Access
::
MASTER
)).
to
be
(
false
)
expect
(
shared_project
.
team
.
member?
(
developer
,
Gitlab
::
Access
::
DEVELOPER
)).
to
be
(
true
)
expect
(
shared_project
.
team
.
member?
(
master
,
Gitlab
::
Access
::
DEVELOPER
)).
to
be
(
true
)
end
end
shared_examples_for
"#max_member_access_for_users"
do
|
enable_request_store
|
describe
"#max_member_access_for_users"
do
before
do
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment