From a986819a7bce2002018dfafed3900dc3f2e8fb81 Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 1 Sep 2020 16:52:41 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@13-3-stable-ee

---
 .../container_registry_authentication_service.rb   |  1 +
 app/services/members/destroy_service.rb            | 33 +++++++++++++++++++---
 2 files changed, 30 insertions(+), 4 deletions(-)

(limited to 'app/services')

diff --git a/app/services/auth/container_registry_authentication_service.rb b/app/services/auth/container_registry_authentication_service.rb
index 44a434f4402..831a25a637e 100644
--- a/app/services/auth/container_registry_authentication_service.rb
+++ b/app/services/auth/container_registry_authentication_service.rb
@@ -132,6 +132,7 @@ module Auth
 
     def can_access?(requested_project, requested_action)
       return false unless requested_project.container_registry_enabled?
+      return false if requested_project.repository_access_level == ::ProjectFeature::DISABLED
 
       case requested_action
       when 'pull'
diff --git a/app/services/members/destroy_service.rb b/app/services/members/destroy_service.rb
index fdd43260521..8cad065e6cc 100644
--- a/app/services/members/destroy_service.rb
+++ b/app/services/members/destroy_service.rb
@@ -18,6 +18,7 @@ module Members
       end
 
       delete_subresources(member) unless skip_subresources
+      delete_project_invitations_by(member) unless skip_subresources
       enqueue_delete_todos(member)
       enqueue_unassign_issuables(member) if unassign_issuables
 
@@ -39,24 +40,48 @@ module Members
 
       delete_project_members(member)
       delete_subgroup_members(member)
+      delete_invited_members(member)
     end
 
     def delete_project_members(member)
       groups = member.group.self_and_descendants
 
-      ProjectMember.in_namespaces(groups).with_user(member.user).each do |project_member|
-        self.class.new(current_user).execute(project_member, skip_authorization: @skip_auth)
-      end
+      destroy_project_members(ProjectMember.in_namespaces(groups).with_user(member.user))
     end
 
     def delete_subgroup_members(member)
       groups = member.group.descendants
 
-      GroupMember.of_groups(groups).with_user(member.user).each do |group_member|
+      destroy_group_members(GroupMember.of_groups(groups).with_user(member.user))
+    end
+
+    def delete_invited_members(member)
+      groups = member.group.self_and_descendants
+
+      destroy_group_members(GroupMember.of_groups(groups).not_accepted_invitations_by_user(member.user))
+
+      destroy_project_members(ProjectMember.in_namespaces(groups).not_accepted_invitations_by_user(member.user))
+    end
+
+    def destroy_project_members(members)
+      members.each do |project_member|
+        self.class.new(current_user).execute(project_member, skip_authorization: @skip_auth)
+      end
+    end
+
+    def destroy_group_members(members)
+      members.each do |group_member|
         self.class.new(current_user).execute(group_member, skip_authorization: @skip_auth, skip_subresources: true)
       end
     end
 
+    def delete_project_invitations_by(member)
+      return unless member.is_a?(ProjectMember) && member.user && member.project
+
+      members_to_delete = member.project.members.not_accepted_invitations_by_user(member.user)
+      destroy_project_members(members_to_delete)
+    end
+
     def can_destroy_member?(member)
       can?(current_user, destroy_member_permission(member), member)
     end
-- 
cgit v1.2.3