Skip to content

Allow member creator service to accept access requests

Drew Blessing requested to merge dblessing_saml_group_sync_accept_request into master

What does this MR do and why?

Describe in detail what your merge request does and why.

Fixes #382612 (closed)

SAML Group Sync uses Members::CreatorService to add new group members via Group#add_members. The current_user arg is not passed from Groups::SyncService, and it defaults to nil. This means we skip authorization checks when adding a new member, but apparently not when the user had an existing access request to join the group. This change re-uses the existing skip_authorization? method, which is just !current_user.

I added a note to the diff to call out the change in behavior. I am fairly confident this is a safe and acceptable change, but I want extra eyes on it to be sure we don't open a security concern.

The issue (#382612 (closed)) contains an error and backtrace. I tested that the added specs failed with the same error and backtrace prior to making the code change.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Drew Blessing

Merge request reports

Loading