Merge branch '144638-mask-group-detail-from-non-owners' into 'master'

Hide invited group name and source from project/group non-admins See merge request https://gitlab.com/gitlab-org/gitlab/-/merge_requests/147629 Merged-by: Huzaifa Iftikhar <hiftikhar@gitlab.com> Approved-by: Jarka Košanová <jarka@gitlab.com> Approved-by: Huzaifa Iftikhar <hiftikhar@gitlab.com> Co-authored-by: Abdul Wadood <awadood@gitlab.com>

Merge branch '144638-mask-group-detail-from-non-owners' into 'master'
7b440ce1 · Huzaifa Iftikhar · GitLab · 91dc5411 · a984f85a · 7b440ce1
--- a/app/policies/group_group_link_policy.rb
+++ b/app/policies/group_group_link_policy.rb
@@ -2,7 +2,7 @@

 class GroupGroupLinkPolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass
  condition(:can_read_shared_with_group) { can?(:read_group, @subject.shared_with_group) }
-  condition(:group_member) { @subject.shared_group.member?(@user) }
+  condition(:group_admin) { can?(:admin_group, @subject.shared_group) }

-  rule { can_read_shared_with_group | group_member }.enable :read_shared_with_group
+  rule { can_read_shared_with_group | group_admin }.enable :read_shared_with_group
 end
--- a/app/policies/project_group_link_policy.rb
+++ b/app/policies/project_group_link_policy.rb
@@ -4,7 +4,6 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
  condition(:group_owner) { group_owner? }
  condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
  condition(:can_read_group) { can?(:read_group, @subject.group) }
-  condition(:project_member) { @subject.project.member?(@user) }
  condition(:can_manage_owners) { can_manage_owners? }
  condition(:can_manage_group_link_with_owner_access) do
    next true unless @subject.owner_access?
@@ -26,7 +25,7 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
    enable :destroy_project_group_link
  end

-  rule { can_read_group | project_member }.enable :read_shared_with_group
+  rule { can_read_group | group_owner_or_project_admin }.enable :read_shared_with_group

  private


--- a/spec/policies/group_group_link_policy_spec.rb
+++ b/spec/policies/group_group_link_policy_spec.rb
@@ -15,12 +15,24 @@

  describe 'read_shared_with_group' do
    context 'when the user is a shared_group member' do
-      before_all do
-        group.add_guest(user)
+      context 'when the user is not a shared_group owner' do
+        before_all do
+          group.add_maintainer(user)
+        end
+
+        it 'cannot read_shared_with_group' do
+          expect(policy).to be_disallowed(:read_shared_with_group)
+        end
      end

-      it 'can read_shared_with_group' do
-        expect(policy).to be_allowed(:read_shared_with_group)
+      context 'when the user is a shared_group owner' do
+        before_all do
+          group.add_owner(user)
+        end
+
+        it 'can read_shared_with_group' do
+          expect(policy).to be_allowed(:read_shared_with_group)
+        end
      end
    end


--- a/spec/policies/project_group_link_policy_spec.rb
+++ b/spec/policies/project_group_link_policy_spec.rb
@@ -129,12 +129,24 @@
    end

    context 'when the user is a project member' do
-      before_all do
-        project.add_guest(user)
+      context 'when the user is not a project admin' do
+        before_all do
+          project.add_guest(user)
+        end
+
+        it 'cannot read_shared_with_group' do
+          expect(policy).to be_disallowed(:read_shared_with_group)
+        end
      end

-      it 'can read_shared_with_group' do
-        expect(policy).to be_allowed(:read_shared_with_group)
+      context 'when the user is a project admin' do
+        before_all do
+          project.add_maintainer(user)
+        end
+
+        it 'can read_shared_with_group' do
+          expect(policy).to be_allowed(:read_shared_with_group)
+        end
      end
    end