4 files changed, 35 insertions, 8 deletions
diff --git a/app/services/groups/create_service.rb b/app/services/groups/create_service.rb
index 8e8efe7d555..f900927793a 100644
--- a/app/services/groups/create_service.rb
+++ b/app/services/groups/create_service.rb
@@ -28,7 +28,7 @@ module Groups
       @group.name ||= @group.path.dup
 
       if create_chat_team?
-        response = Mattermost::CreateTeamService.new(@group, current_user).execute
+        response = ::Mattermost::CreateTeamService.new(@group, current_user).execute
         return @group if @group.errors.any?
 
         @group.build_chat_team(name: response['name'], team_id: response['id'])
diff --git a/app/services/groups/group_links/create_service.rb b/app/services/groups/group_links/create_service.rb
index 0a60140d037..5f81e5972b0 100644
--- a/app/services/groups/group_links/create_service.rb
+++ b/app/services/groups/group_links/create_service.rb
@@ -3,27 +3,51 @@
 module Groups
   module GroupLinks
     class CreateService < Groups::BaseService
-      def execute(shared_group)
-        unless group && shared_group &&
+      def initialize(shared_group, shared_with_group, user, params)
+        @shared_group = shared_group
+        super(shared_with_group, user, params)
+      end
+
+      def execute
+        unless shared_with_group && shared_group &&
                can?(current_user, :admin_group_member, shared_group) &&
-               can?(current_user, :read_group, group)
+               can?(current_user, :read_group, shared_with_group) &&
+               sharing_allowed?
           return error('Not Found', 404)
         end
 
         link = GroupGroupLink.new(
           shared_group: shared_group,
-          shared_with_group: group,
+          shared_with_group: shared_with_group,
           group_access: params[:shared_group_access],
           expires_at: params[:expires_at]
         )
 
         if link.save
-          group.refresh_members_authorized_projects(direct_members_only: true)
+          shared_with_group.refresh_members_authorized_projects(direct_members_only: true)
           success(link: link)
         else
           error(link.errors.full_messages.to_sentence, 409)
         end
       end
+
+      private
+
+      attr_reader :shared_group
+
+      alias_method :shared_with_group, :group
+
+      def sharing_allowed?
+        sharing_outside_hierarchy_allowed? || within_hierarchy?
+      end
+
+      def sharing_outside_hierarchy_allowed?
+        !shared_group.root_ancestor.namespace_settings.prevent_sharing_groups_outside_hierarchy
+      end
+
+      def within_hierarchy?
+        shared_group.root_ancestor.self_and_descendants_ids.include?(shared_with_group.id)
+      end
     end
   end
 end
diff --git a/app/services/groups/participants_service.rb b/app/services/groups/participants_service.rb
index 0844c98dd6a..1de2b3c5a2e 100644
--- a/app/services/groups/participants_service.rb
+++ b/app/services/groups/participants_service.rb
@@ -23,9 +23,9 @@ module Groups
     end
 
     def group_members
-      return [] unless noteable
+      return [] unless group
 
-      @group_members ||= sorted(noteable.group.direct_and_indirect_users)
+      @group_members ||= sorted(group.direct_and_indirect_users)
     end
   end
 end
diff --git a/app/services/groups/transfer_service.rb b/app/services/groups/transfer_service.rb
index 56ff1310def..518d061c654 100644
--- a/app/services/groups/transfer_service.rb
+++ b/app/services/groups/transfer_service.rb
@@ -108,10 +108,13 @@ module Groups
 
       @group.parent = @new_parent_group
       @group.clear_memoization(:self_and_ancestors_ids)
+      @group.clear_memoization(:root_ancestor) if different_root_ancestor?
 
       inherit_group_shared_runners_settings
 
       @group.save!
+      # #reload is called to make sure traversal_ids are reloaded
+      @group.reload # rubocop:disable Cop/ActiveRecordAssociationReload
     end
 
     # rubocop: disable CodeReuse/ActiveRecord