Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-10-27 13:15:59 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-10-27 13:16:27 +0300
commit: eff560cfb9a337623d25b912d9bb233fae25fbf1 (patch)
tree: dd96ba1b42ddc1cdc588c0ff4096a4d47d0b5e0d /app
parent: 14b92217e768aa4f3ce2d8b30f2c2acbdfdd8f6a (diff)
4 files changed, 16 insertions, 2 deletions
diff --git a/app/models/concerns/resolvable_discussion.rb b/app/models/concerns/resolvable_discussion.rb
index 3e1e5faee54..60e1dde17b9 100644
--- a/app/models/concerns/resolvable_discussion.rb
+++ b/app/models/concerns/resolvable_discussion.rb
@@ -81,8 +81,7 @@ module ResolvableDiscussion
     return false unless current_user
     return false unless resolvable?
 
-    current_user == self.noteable.try(:author) ||
-      current_user.can?(:resolve_note, self.project)
+    current_user.can?(:resolve_note, self.noteable)
   end
 
   def resolve!(current_user)
diff --git a/app/models/project_group_link.rb b/app/models/project_group_link.rb
index d704f4c2c87..8394ebe1df4 100644
--- a/app/models/project_group_link.rb
+++ b/app/models/project_group_link.rb
@@ -15,6 +15,7 @@ class ProjectGroupLink < ApplicationRecord
   validate :different_group
 
   scope :non_guests, -> { where('group_access > ?', Gitlab::Access::GUEST) }
+  scope :in_group, -> (group_ids) { where(group_id: group_ids) }
 
   alias_method :shared_with_group, :group
 
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 61263e47d7c..39ce26526e6 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -11,6 +11,8 @@ class IssuablePolicy < BasePolicy
     @user && @subject.assignee_or_author?(@user)
   end
 
+  condition(:is_author) { @subject&.author == @user }
+
   rule { can?(:guest_access) & assignee_or_author }.policy do
     enable :read_issue
     enable :update_issue
@@ -20,6 +22,10 @@ class IssuablePolicy < BasePolicy
     enable :reopen_merge_request
   end
 
+  rule { is_author }.policy do
+    enable :resolve_note
+  end
+
   rule { locked & ~is_project_member }.policy do
     prevent :create_note
     prevent :admin_note
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 774f81b0a5e..334083a859f 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -182,6 +182,14 @@ module Groups
 
       # schedule refreshing projects for all the members of the group
       @group.refresh_members_authorized_projects
+
+      # When a group is transferred, it also affects who gets access to the projects shared to
+      # the subgroups within its hierarchy, so we also schedule jobs that refresh authorizations for all such shared projects.
+      project_group_shares_within_the_hierarchy = ProjectGroupLink.in_group(group.self_and_descendants.select(:id))
+
+      project_group_shares_within_the_hierarchy.find_each do |project_group_link|
+        AuthorizedProjectUpdate::ProjectRecalculateWorker.perform_async(project_group_link.project_id)
+      end
     end
 
     def raise_transfer_error(message)
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-10-27 13:15:59 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-10-27 13:16:27 +0300
commit	eff560cfb9a337623d25b912d9bb233fae25fbf1 (patch)
tree	dd96ba1b42ddc1cdc588c0ff4096a4d47d0b5e0d /app
parent	14b92217e768aa4f3ce2d8b30f2c2acbdfdd8f6a (diff)