
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'app/services/members/projects/creator_service.rb')
-rw-r--r--app/services/members/projects/creator_service.rb24
1 files changed, 24 insertions, 0 deletions
diff --git a/app/services/members/projects/creator_service.rb b/app/services/members/projects/creator_service.rb
index 9e9389d3c18..cde1d0462e8 100644
--- a/app/services/members/projects/creator_service.rb
+++ b/app/services/members/projects/creator_service.rb
@@ -3,9 +3,18 @@
module Members
module Projects
class CreatorService < Members::CreatorService
+ class << self
+ def cannot_manage_owners?(source, current_user)
+ !Ability.allowed?(current_user, :manage_owners, source)
+ end
+ end
+
private
def can_create_new_member?
+ return false if assigning_project_member_with_owner_access_level? &&
+ cannot_assign_owner_responsibilities_to_member_in_project?
+
# This access check(`admin_project_member`) will write to safe request store cache for the user being added.
# This means any operations inside the same request will need to purge that safe request
# store cache if operations are needed to be done inside the same request that checks max member access again on
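Review bot: The new class-level `cannot_manage_owners?(source, current_user)` has no caller in this file and repeats the `:manage_owners` check that the private `cannot_assign_owner_responsibilities_to_member_in_project?` makes through `current_user.can?`, so the same authorization rule now sits in two places that can drift apart. I would have the instance predicate call it, e.g. `self.class.cannot_manage_owners?(member.source, current_user)`, and document it with a comment such as `# True when current_user is not allowed to grant or change the Owner role on source.` In `can_create_new_member?` the added guard returns false, whereas the update path raises. A short comment on why creation is denied quietly would save the next reader from guessing. The body of `can_create_new_member?` continues outside the hunk.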
@@ -14,6 +23,11 @@ module Members
end
def can_update_existing_member?
+ # rubocop:disable Layout/EmptyLineAfterGuardClause
+ raise ::Gitlab::Access::AccessDeniedError if assigning_project_member_with_owner_access_level? &&
+ cannot_assign_owner_responsibilities_to_member_in_project?
+ # rubocop:enable Layout/EmptyLineAfterGuardClause
+
current_user.can?(:update_project_member, member)
end
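Review bot: `can_update_existing_member?` is a predicate, yet the added guard raises `::Gitlab::Access::AccessDeniedError` rather than returning false, while the equivalent guard in `can_create_new_member?` returns false. Callers that branch on the boolean will see an exception on the update path only, so any caller that does not rescue this error changes behaviour. If the raise is deliberate, state the reason above it, e.g. `# Raise instead of returning false so an Owner-level change by a non-owner is never reported as an ordinary validation failure.` Specs that cover both a maintainer promoting a member to Owner and a maintainer changing an existing Owner would pin the intended behaviour.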
@@ -21,6 +35,16 @@ module Members
# this condition is reached during testing setup a lot due to use of `.add_user`
member.project.personal_namespace_holder?(member.user)
end
+
+ def assigning_project_member_with_owner_access_level?
+ return true if member && member.owner?
+
+ access_level == Gitlab::Access::OWNER
+ end
+
+ def cannot_assign_owner_responsibilities_to_member_in_project?
+ member.is_a?(ProjectMember) && !current_user.can?(:manage_owners, member.source)
+ end
end
end
end
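Review bot: `cannot_assign_owner_responsibilities_to_member_in_project?` fails open: when `member` is nil or not a `ProjectMember`, `member.is_a?(ProjectMember)` is false and the Owner guard is skipped. The `member &&` test in `assigning_project_member_with_owner_access_level?` suggests nil is considered possible here. In the same way, `access_level == Gitlab::Access::OWNER` only matches the integer form; if a caller can pass the level as a string or symbol (not visible in this hunk), the comparison is false and the guard never fires. Denying by default would be safer if the callers allow it, e.g. `!member.is_a?(ProjectMember) || !current_user.can?(:manage_owners, member.source)`, together with a comment on the expected type of `access_level`.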