Hide invited group name and source from project/group non-admins

If a group invited to a project/group is not visible to the current user we mask the source. The visibility was determined by: 1. The current user can read the invited group. 2. The current user is a member of the shared group. We're changing point 2 above to: The current user is the admin of the shared group/project i.e. having at least maintainer access in the shared project or having owner access in the shared group. Changelog: changed

Hide invited group name and source from project/group non-admins
a984f85a · Abdul Wadood · b3dd2827 · a984f85a · a984f85a · a984f85a
--- a/app/policies/group_group_link_policy.rb
+++ b/app/policies/group_group_link_policy.rb
@@ -2,7 +2,7 @@
 class GroupGroupLinkPolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass
  condition(:can_read_shared_with_group) { can?(:read_group, @subject.shared_with_group) }
-  condition(:group_member) { @subject.shared_group.member?(@user) }
+  condition(:group_admin) { can?(:admin_group, @subject.shared_group) }
-  rule { can_read_shared_with_group | group_member }.enable :read_shared_with_group
+  rule { can_read_shared_with_group | group_admin }.enable :read_shared_with_group
 end
--- a/app/policies/project_group_link_policy.rb
+++ b/app/policies/project_group_link_policy.rb
@@ -4,7 +4,6 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
  condition(:group_owner) { group_owner? }
  condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
  condition(:can_read_group) { can?(:read_group, @subject.group) }
-  condition(:project_member) { @subject.project.member?(@user) }
  condition(:can_manage_owners) { can_manage_owners? }
  condition(:can_manage_group_link_with_owner_access) do
    next true unless @subject.owner_access?
@@ -26,7 +25,7 @@ class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedCla
    enable :destroy_project_group_link
  end
-  rule { can_read_group | project_member }.enable :read_shared_with_group
+  rule { can_read_group | group_owner_or_project_admin }.enable :read_shared_with_group
  private

--- a/spec/policies/group_group_link_policy_spec.rb
+++ b/spec/policies/group_group_link_policy_spec.rb
@@ -15,12 +15,24 @@
  describe 'read_shared_with_group' do
    context 'when the user is a shared_group member' do
-      before_all do
+      context 'when the user is not a shared_group owner' do
-        group.add_guest(user)
+        before_all do
+          group.add_maintainer(user)
+        end
+        it 'cannot read_shared_with_group' do
+          expect(policy).to be_disallowed(:read_shared_with_group)
+        end
      end
-      it 'can read_shared_with_group' do
+      context 'when the user is a shared_group owner' do
-        expect(policy).to be_allowed(:read_shared_with_group)
+        before_all do
+          group.add_owner(user)
+        end
+        it 'can read_shared_with_group' do
+          expect(policy).to be_allowed(:read_shared_with_group)
+        end
      end
    end

--- a/spec/policies/project_group_link_policy_spec.rb
+++ b/spec/policies/project_group_link_policy_spec.rb
@@ -129,12 +129,24 @@
    end
    context 'when the user is a project member' do
-      before_all do
+      context 'when the user is not a project admin' do
-        project.add_guest(user)
+        before_all do
+          project.add_guest(user)
+        end
+        it 'cannot read_shared_with_group' do
+          expect(policy).to be_disallowed(:read_shared_with_group)
+        end
      end
-      it 'can read_shared_with_group' do
+      context 'when the user is a project admin' do
-        expect(policy).to be_allowed(:read_shared_with_group)
+        before_all do
+          project.add_maintainer(user)
+        end
+        it 'can read_shared_with_group' do
+          expect(policy).to be_allowed(:read_shared_with_group)
+        end
      end
    end