Make Members with Owner and Master roles always able to create subgroups

1 files changed, 29 insertions, 9 deletions

diff --git a/app/services/groups/create_service.rb b/app/services/groups/create_service.rb
index c7c27621085..70e50aa0f12 100644
--- a/app/services/groups/create_service.rb
+++ b/app/services/groups/create_service.rb
@@ -8,15 +8,7 @@ module Groups
     def execute
       @group = Group.new(params)
 
-      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
-        deny_visibility_level(@group)
-        return @group
-      end
-
-      if @group.parent && !can?(current_user, :create_subgroup, @group.parent)
-        @group.parent = nil
-        @group.errors.add(:parent_id, 'You don’t have permission to create a subgroup in this group.')
-
+      unless can_use_visibility_level? && can_create_group?
         return @group
       end
 
@@ -39,5 +31,33 @@ module Groups
     def create_chat_team?
       Gitlab.config.mattermost.enabled && @chat_team && group.chat_team.nil?
     end
+
+    def can_create_group?
+      if @group.subgroup?
+        unless can?(current_user, :create_subgroup, @group.parent)
+          @group.parent = nil
+          @group.errors.add(:parent_id, 'You don’t have permission to create a subgroup in this group.')
+
+          return false
+        end
+      else
+        unless can?(current_user, :create_group)
+          @group.errors.add(:base, 'You don’t have permission to create groups.')
+
+          return false
+        end
+      end
+
+      true
+    end
+
+    def can_use_visibility_level?
+      unless Gitlab::VisibilityLevel.allowed_for?(current_user, params[:visibility_level])
+        deny_visibility_level(@group)
+        return false
+      end
+
+      true
+    end
   end
 end