Diffstat (limited to 'app/services/members/projects/creator_service.rb')
-rw-r--r-- | app/services/members/projects/creator_service.rb | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/app/services/members/projects/creator_service.rb b/app/services/members/projects/creator_service.rb
index 9e9389d3c18..cde1d0462e8 100644
--- a/app/services/members/projects/creator_service.rb
+++ b/app/services/members/projects/creator_service.rb
@@ -3,9 +3,18 @@
 module Members
 module Projects
 class CreatorService < Members::CreatorService
+ class << self
+ def cannot_manage_owners?(source, current_user)
+ !Ability.allowed?(current_user, :manage_owners, source)
+ end
+ end
+
 private
 def can_create_new_member?
+ return false if assigning_project_member_with_owner_access_level? &&
+ cannot_assign_owner_responsibilities_to_member_in_project?
+
 # This access check(`admin_project_member`) will write to safe request store cache for the user being added.
 # This means any operations inside the same request will need to purge that safe request
 # store cache if operations are needed to be done inside the same request that checks max member access again on
@@ -14,6 +23,11 @@ module Members
 end
 def can_update_existing_member?
+ # rubocop:disable Layout/EmptyLineAfterGuardClause
+ raise ::Gitlab::Access::AccessDeniedError if assigning_project_member_with_owner_access_level? &&
+ cannot_assign_owner_responsibilities_to_member_in_project?
+ # rubocop:enable Layout/EmptyLineAfterGuardClause
+
 current_user.can?(:update_project_member, member)
 end
@@ -21,6 +35,16 @@ module Members
 # this condition is reached during testing setup a lot due to use of `.add_user`
 member.project.personal_namespace_holder?(member.user)
 end
+
+ def assigning_project_member_with_owner_access_level?
+ return true if member && member.owner?
+
+ access_level == Gitlab::Access::OWNER
+ end
+
+ def cannot_assign_owner_responsibilities_to_member_in_project?
+ member.is_a?(ProjectMember) && !current_user.can?(:manage_owners, member.source)
+ end
 end
 end
 end
|
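Review bot: In the first hunk the new class-level `cannot_manage_owners?` asks `Ability.allowed?(current_user, :manage_owners, source)`, while the instance guard added in the last hunk (`cannot_assign_owner_responsibilities_to_member_in_project?`) asks the same question through `current_user.can?(:manage_owners, member.source)`. Two spellings of one authorization rule can drift apart, and they may already behave differently if `current_user` can be nil. I would have the instance predicate delegate, `member.is_a?(ProjectMember) && self.class.cannot_manage_owners?(member.source, current_user)`, and add a one-line comment on the class method naming its intended callers, which are not visible in this diff. The body of `can_create_new_member?` continues outside the hunk.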
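Review bot: In the second hunk `can_update_existing_member?` raises `::Gitlab::Access::AccessDeniedError` on the same condition for which `can_create_new_member?` returns false, and nothing in the code says why the two paths fail differently. A short comment above the guard would help, for example `# Changing a member who is, or is becoming, an owner requires :manage_owners.`, together with a note on why this path raises, which cannot be inferred from the hunk. As a style point, the `rubocop:disable`/`enable` pair appears to exist only because of the two-line modifier `raise`. Folding the two predicates into one private predicate would let the guard fit on a single line and make the cop exemption unnecessary.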
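Review bot: In the third hunk `assigning_project_member_with_owner_access_level?` uses strict equality, `access_level == Gitlab::Access::OWNER`, so the owner guard is skipped whenever `access_level` reaches this service as anything other than that exact Integer (a String from request parameters, for instance). Whether the value is normalized upstream is not visible here; if it is not, compare a coerced value, e.g. `access_level.to_i == Gitlab::Access::OWNER`, or document the expected type in a comment. The companion predicate also fails open: `member.is_a?(ProjectMember) && ...` is false for any `member` that is not a `ProjectMember`, which lets the request fall through to the ordinary permission check, so a comment stating why that case cannot occur in this service would settle it. `return true if member && member.owner?` can be written `return true if member&.owner?`.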