diff --git a/app/finders/projects/members/effective_access_level_finder.rb b/app/finders/projects/members/effective_access_level_finder.rb
index c1e3842a9e4fa6cfd3f14df6642609fdde0cb59b..d238679f2fbff4f23961b945b64a6b674e1c4fd7 100644
--- a/app/finders/projects/members/effective_access_level_finder.rb
+++ b/app/finders/projects/members/effective_access_level_finder.rb
@@ -99,7 +99,7 @@ def project_owner_acting_as_maintainer
end
def include_membership_from_project_group_shares?
- project.allowed_to_share_with_group? && project.project_group_links.any?
+ !project.namespace.share_with_group_lock && project.project_group_links.any?
end
# methods for `select` options
diff --git a/spec/finders/projects/members/effective_access_level_finder_spec.rb b/spec/finders/projects/members/effective_access_level_finder_spec.rb
index 1112dbd0d6ebda6e7c5fae015d674c57a6c69c1b..33fbb5aca3045f5403953e7c3dd2b03111233ebf 100644
--- a/spec/finders/projects/members/effective_access_level_finder_spec.rb
+++ b/spec/finders/projects/members/effective_access_level_finder_spec.rb
@@ -194,6 +194,7 @@
context 'for a project that is shared with other group(s)' do
let_it_be(:shared_with_group) { create(:group) }
let_it_be(:user_from_shared_with_group) { create(:user) }
+ let_it_be(:project) { create(:project, group: create(:group)) }
before do
create(:project_group_link, :developer, project: project, group: shared_with_group)
@@ -211,9 +212,24 @@
)
end
- context 'when the group containing the project has forbidden group shares for any of its projects' do
- let_it_be(:project) { create(:project, group: create(:group)) }
+ context 'even when the `lock_memberships_to_ldap` setting has been turned ON' do
+ before do
+ stub_application_setting(lock_memberships_to_ldap: true)
+ end
+ it 'includes the least among the specified access levels' do
+ expect(subject).to(
+ include(
+ hash_including(
+ 'user_id' => user_from_shared_with_group.id,
+ 'access_level' => Gitlab::Access::DEVELOPER
+ )
+ )
+ )
+ end
+ end
+
+ context 'when the group containing the project has forbidden group shares for any of its projects' do
before do
project.namespace.update!(share_with_group_lock: true)
end
diff --git a/spec/lib/gitlab/project_authorizations_spec.rb b/spec/lib/gitlab/project_authorizations_spec.rb
index d2b41ee31d9b4144e0f9b54abd57d5ae1841c09b..1606693419487b65c844acac7306af2f02706495 100644
--- a/spec/lib/gitlab/project_authorizations_spec.rb
+++ b/spec/lib/gitlab/project_authorizations_spec.rb
@@ -204,6 +204,43 @@ def map_access_levels(rows)
end
end
+ context 'with shared projects' do
+ let_it_be(:shared_with_group) { create(:group) }
+ let_it_be(:user) { create(:user) }
+ let_it_be(:project) { create(:project, group: create(:group)) }
+
+ let(:mapping) { map_access_levels(authorizations) }
+
+ before do
+ create(:project_group_link, :developer, project: project, group: shared_with_group)
+ shared_with_group.add_maintainer(user)
+ end
+
+ it 'creates proper authorizations' do
+ expect(mapping[project.id]).to eq(Gitlab::Access::DEVELOPER)
+ end
+
+ context 'even when the `lock_memberships_to_ldap` setting has been turned ON' do
+ before do
+ stub_application_setting(lock_memberships_to_ldap: true)
+ end
+
+ it 'creates proper authorizations' do
+ expect(mapping[project.id]).to eq(Gitlab::Access::DEVELOPER)
+ end
+ end
+
+ context 'when the group containing the project has forbidden group shares for any of its projects' do
+ before do
+ project.namespace.update!(share_with_group_lock: true)
+ end
+
+ it 'does not create authorizations' do
+ expect(mapping[project.id]).to be_nil
+ end
+ end
+ end
+
context 'with shared groups' do
let(:parent_group_user) { create(:user) }
let(:group_user) { create(:user) }