From 148816cd67a314f17e79c107270cc708501bdd39 Mon Sep 17 00:00:00 2001
From: Bob Van Landuyt <bob@vanlanduyt.co>
Date: Mon, 11 Dec 2017 15:21:06 +0100
Subject: Port `read_cross_project` ability from EE

---
 app/serializers/group_child_entity.rb | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'app/serializers/group_child_entity.rb')

diff --git a/app/serializers/group_child_entity.rb b/app/serializers/group_child_entity.rb
index aca4e4ca488..15ec0f89bb2 100644
--- a/app/serializers/group_child_entity.rb
+++ b/app/serializers/group_child_entity.rb
@@ -11,9 +11,7 @@ class GroupChildEntity < Grape::Entity
   end
 
   expose :can_edit do |instance|
-    return false unless request.respond_to?(:current_user)
-
-    can?(request.current_user, "admin_#{type}", instance)
+    can_edit?
   end
 
   expose :edit_path do |instance|
@@ -83,4 +81,17 @@ class GroupChildEntity < Grape::Entity
   def markdown_description
     markdown_field(object, :description)
   end
+
+  def can_edit?
+    return false unless request.respond_to?(:current_user)
+
+    if project?
+      # Avoid checking rights for each project, as it might be expensive if the
+      # user cannot read cross project.
+      can?(request.current_user, :read_cross_project) &&
+        can?(request.current_user, :admin_project, object)
+    else
+      can?(request.current_user, :admin_group, object)
+    end
+  end
 end
-- 
cgit v1.2.3