
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-30 15:08:23 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-30 15:08:23 +0300
commitf1284938edfc2e033baf2c26ebadf42c526f6432 (patch)
tree1537dfd31ad896605914c9e5aa57351d67260b1f /app/services/concerns
parentbf774d67fc8a84f76f20494c318d7cfacb0c69ac (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/services/concerns')
-rw-r--r--app/services/concerns/members/bulk_create_users.rb7
1 files changed, 7 insertions, 0 deletions
diff --git a/app/services/concerns/members/bulk_create_users.rb b/app/services/concerns/members/bulk_create_users.rb
index e60c84af89e..5b2cd0a2e43 100644
--- a/app/services/concerns/members/bulk_create_users.rb
+++ b/app/services/concerns/members/bulk_create_users.rb
@@ -9,6 +9,9 @@ module Members
def add_users(source, users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
return [] unless users.present?
+ # If this user is attempting to manage Owner members and doesn't have permission, do not allow
+ return [] if managing_owners?(current_user, access_level) && cannot_manage_owners?(source, current_user)
+
emails, users, existing_members = parse_users_list(source, users)
Member.transaction do
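Review bot: The new guard in `add_users` fails open when `current_user` is nil, which is the keyword's default: `managing_owners?` is falsy without a user, so `cannot_manage_owners?` is never consulted and a caller that omits `current_user` can still add Owner members. If that is deliberate for trusted internal callers, the comment should say so, e.g. `# current_user is nil only for trusted internal callers; the Owner check applies to user-initiated requests`. The refusal also returns `[]`, the same value as the empty-`users` case two lines above, so a caller cannot tell a denied request from a no-op; logging the denial or returning an error would make refused Owner grants visible. `cannot_manage_owners?` is not defined in this diff (the diffstat is limited to app/services/concerns), and the body of `add_users` continues outside the hunk.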
@@ -28,6 +31,10 @@ module Members
private
+ def managing_owners?(current_user, access_level)
+ current_user && Gitlab::Access.sym_options_with_owner[access_level] == Gitlab::Access::OWNER
+ end
+
def parse_users_list(source, list)
emails = []
user_ids = []
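Review bot: `managing_owners?` detects an Owner grant only through `Gitlab::Access.sym_options_with_owner[access_level]`, which by its name is presumably keyed by symbols, so an `access_level` passed as the integer `Gitlab::Access::OWNER` or as a string would look up nil and skip the permission check. If callers may pass either form, compare both: `current_user && (access_level == Gitlab::Access::OWNER || Gitlab::Access.sym_options_with_owner[access_level] == Gitlab::Access::OWNER)`. A spec that calls `add_users` with the numeric level as a user who cannot manage owners would pin the behaviour.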