diff --git a/app/policies/group_group_link_policy.rb b/app/policies/group_group_link_policy.rb
index 0108f0b7fcaa987985e96fca50616c9453b74349..0d82bdd89375286ff4827f0c5361f9e548074d7e 100644
--- a/app/policies/group_group_link_policy.rb
+++ b/app/policies/group_group_link_policy.rb
@@ -2,7 +2,7 @@
 class GroupGroupLinkPolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass
 condition(:can_read_shared_with_group) { can?(:read_group, @subject.shared_with_group) }
- condition(:group_member) { @subject.shared_group.member?(@user) }
+ condition(:group_admin) { can?(:admin_group, @subject.shared_group) }
- rule { can_read_shared_with_group | group_member }.enable :read_shared_with_group
+ rule { can_read_shared_with_group | group_admin }.enable :read_shared_with_group
 end
diff --git a/app/policies/project_group_link_policy.rb b/app/policies/project_group_link_policy.rb
index 98d5bdebdc916b3c22450ff039dd8b27b12f29fa..d7233faac4760f1ceddb1bd67a34e23caf6b5422 100644
--- a/app/policies/project_group_link_policy.rb
+++ b/app/policies/project_group_link_policy.rb
@@ -4,7 +4,6 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
 condition(:group_owner) { group_owner? }
 condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
 condition(:can_read_group) { can?(:read_group, @subject.group) }
- condition(:project_member) { @subject.project.member?(@user) }
 condition(:can_manage_owners) { can_manage_owners? }
 condition(:can_manage_group_link_with_owner_access) do
 next true unless @subject.owner_access?
@@ -26,7 +25,7 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
 enable :destroy_project_group_link
 end
- rule { can_read_group | project_member }.enable :read_shared_with_group
+ rule { can_read_group | group_owner_or_project_admin }.enable :read_shared_with_group
 private
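Review bot: In `group_group_link_policy.rb`, the new condition name `group_admin` does not say which of the link's two groups it checks, whereas its neighbour `can_read_shared_with_group` does. This operand only matters when the user cannot already read the invited group, so it is the whole authorization boundary for that case; a name such as `shared_group_admin` would make that explicit. A short comment above the rule would record the intent, for example `# Membership of the shared group is not enough to see an invited group the user cannot read; admin_group on the shared group is required.`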
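Review bot: In the second hunk of `project_group_link_policy.rb`, `read_shared_with_group` now depends on `group_owner_or_project_admin`, a condition that reads as if it were written for the management rules, so a later change to `group_owner?` or `project_admin?` would also change who can see the invited group. Both helpers are private methods outside this hunk, so their exact checks cannot be confirmed here; if `group_owner?` tests ownership of `@subject.group`, that half is presumably already covered by `can_read_group`. If no such condition exists already, a dedicated `condition(:project_admin) { project_admin? }` used as `rule { can_read_group | project_admin }.enable :read_shared_with_group` would keep the read rule narrow and self-describing. The class body starts before and continues after this hunk.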
diff --git a/spec/policies/group_group_link_policy_spec.rb b/spec/policies/group_group_link_policy_spec.rb
index 34bc1bc3bec23301456d5c84985002b784fe05b1..c9e6ae4da1660966129e41075254ea93440dd944 100644
--- a/spec/policies/group_group_link_policy_spec.rb
+++ b/spec/policies/group_group_link_policy_spec.rb
@@ -15,12 +15,24 @@
 describe 'read_shared_with_group' do
 context 'when the user is a shared_group member' do
- before_all do
- group.add_guest(user)
+ context 'when the user is not a shared_group owner' do
+ before_all do
+ group.add_maintainer(user)
+ end
+
+ it 'cannot read_shared_with_group' do
+ expect(policy).to be_disallowed(:read_shared_with_group)
+ end
 end
- it 'can read_shared_with_group' do
- expect(policy).to be_allowed(:read_shared_with_group)
+ context 'when the user is a shared_group owner' do
+ before_all do
+ group.add_owner(user)
+ end
+
+ it 'can read_shared_with_group' do
+ expect(policy).to be_allowed(:read_shared_with_group)
+ end
 end
 end
diff --git a/spec/policies/project_group_link_policy_spec.rb b/spec/policies/project_group_link_policy_spec.rb
index 9fcd6ead524611ae8dcbe3d6ae42aa28971f53b0..302350aed2cea36aaa8cb09360e60e4b16022c44 100644
--- a/spec/policies/project_group_link_policy_spec.rb
+++ b/spec/policies/project_group_link_policy_spec.rb
@@ -129,12 +129,24 @@
 end
 context 'when the user is a project member' do
- before_all do
- project.add_guest(user)
+ context 'when the user is not a project admin' do
+ before_all do
+ project.add_guest(user)
+ end
+
+ it 'cannot read_shared_with_group' do
+ expect(policy).to be_disallowed(:read_shared_with_group)
+ end
 end
- it 'can read_shared_with_group' do
- expect(policy).to be_allowed(:read_shared_with_group)
+ context 'when the user is a project admin' do
+ before_all do
+ project.add_maintainer(user)
+ end
+
+ it 'can read_shared_with_group' do
+ expect(policy).to be_allowed(:read_shared_with_group)
+ end
 end
 end
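Review bot: In `project_group_link_policy_spec.rb`, the negative case under 'when the user is not a project admin' only adds a guest, the role furthest from the boundary. The group spec in the same diff uses the highest non-privileged role, `group.add_maintainer(user)`. Using `project.add_developer(user)` here, or adding it as a second case, would pin the exact point where access flips to the maintainer case below. The `group_owner?` half of `group_owner_or_project_admin` is not exercised in this hunk; it may be covered elsewhere in the spec file, which starts before and continues after the hunk.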