Groups API: fix shared_with_groups to include all authorized groups
What does this MR do and why?
There is a bug in the Groups API when retrieving shared_with_groups of a group (Details of a group), see #322145 (closed) and #328428 (closed): For security reasons, the shared_with_groups list contains only those projects for which the calling user is authorized. That makes sense. However, a group to which the user has no direct membership but an inherited membership (via a parent group) is incorrectly not included in the list.
The bug is in the method User#authorized_groups (or more precisely User#authorized_groups_without_shared_membership), which according to its name should actually return all groups for which the user is authorized. But through inheritance, the user is also authorized for subgroups, which are incorrectly not returned.
Update: As User#authorized_groups should not be changed (!76556 (comment 783469022)), another fix must be applied.
This MR fixes this bug and solves #322145 (closed) and #328428 (closed).
/cc @bufferoverflow
How to set up and validate locally
- Create public group Test-Group.
- Create private group Company and its private subgroup Company/Sales.
- Visit the members page of group Company and add user userX as member.
- Visit the members page of group Test-Group and invite group Company/Sales (shared group).
- Get details of the Test-Group group via API:
  - anonymous:
    curl http://localhost:3000/api/v4/groups/<id of Test-Group>
    ➡ Response: ..., "shared_with_groups":[], ...
  - as admin:
    curl --header "PRIVATE-TOKEN: <admin token>" http://localhost:3000/api/v4/groups/<id of Test-Group>
    ➡ Response: ..., "shared_with_groups":[{..., "group_name":"Sales", ...}], ...
  - as userX (before MR):
    curl --header "PRIVATE-TOKEN: <token of userX>" http://localhost:3000/api/v4/groups/<id of Test-Group>
    ➡ Response: ..., "shared_with_groups":[], ...
  - as userX (after MR):
    curl --header "PRIVATE-TOKEN: <token of userX>" http://localhost:3000/api/v4/groups/<id of Test-Group>
    ➡ Response: ..., "shared_with_groups":[{..., "group_name":"Sales", ...}], ...
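The validation steps above boil down to one rule: a user who is a direct member of Company is, by inheritance, also authorized for Company/Sales, so that subgroup must survive the shared_with_groups filter. The following toy model is an added illustration and not GitLab's code; the group fixture, the membership table and the two authorizer functions are hypothetical and mirror only the scenario described in this MR.

```ruby
# Toy model of the authorization rule discussed in this MR (not GitLab's code).
# A group is identified by its full path; "Company/Sales" is a subgroup of "Company".
Group = Struct.new(:full_path, :visibility)

# Constructed fixture mirroring the validation steps: Test-Group is public and
# shared with the private subgroup Company/Sales; userX is a direct member of
# Company only.
GROUPS = {
  'Test-Group'    => Group.new('Test-Group', :public),
  'Company'       => Group.new('Company', :private),
  'Company/Sales' => Group.new('Company/Sales', :private)
}.freeze
DIRECT_MEMBERSHIPS = { 'userX' => ['Company'] }.freeze
SHARED_WITH = { 'Test-Group' => ['Company/Sales'] }.freeze

# Buggy behaviour (before MR): only groups with a direct membership count as
# authorized, so subgroups reached through a parent membership are missed.
def authorized_groups_direct_only(user)
  DIRECT_MEMBERSHIPS.fetch(user, [])
end

# Intended behaviour (after MR): membership in a parent group is inherited by
# every descendant, so all subgroups of a directly joined group are authorized.
def authorized_groups_with_inheritance(user)
  direct = DIRECT_MEMBERSHIPS.fetch(user, [])
  GROUPS.keys.select do |path|
    direct.any? { |d| path == d || path.start_with?("#{d}/") }
  end
end

# shared_with_groups as the API exposes it: the security filter is unchanged,
# only the notion of "authorized" differs. Anonymous callers (user = nil) only
# ever see public groups in the list.
def shared_with_groups(group_path, user, authorizer)
  authorized = user ? send(authorizer, user) : []
  SHARED_WITH.fetch(group_path, []).select do |path|
    GROUPS[path].visibility == :public || authorized.include?(path)
  end
end
```

Running shared_with_groups('Test-Group', 'userX', ...) with the first authorizer reproduces the empty list from the "before MR" step, while the second returns Company/Sales as in the "after MR" step.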
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.