Prevent users with admin_group_member custom ab. to manage custom roles

Merge branch 'security-fix-cr-edit-17-1' into '17-1-stable-ee' See merge request gitlab-org/security/gitlab!4427 Changelog: security

Prevent users with admin_group_member custom ab. to manage custom roles
9c6ad85f · Jarka Kadlecova · GitLab Release Tools Bot · dd9081f3 · 9c6ad85f · 9c6ad85f
Commit 9c6ad85f authored 5 months ago by Jarka Kadlecova Committed by GitLab Release Tools Bot 5 months ago
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -540,10 +540,6 @@ module GroupPolicy
        enable :admin_member_role
      end
  
-      rule { custom_roles_allowed & can?(:admin_group_member) }.policy do
-        enable :admin_member_role
-      end
-
      rule { custom_role_enables_admin_cicd_variables }.policy do
        enable :admin_cicd_variables
      end

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3536,7 +3536,7 @@ def create_member_role(member, abilities = member_role_abilities)
  
    context 'for a member role with admin_group_member true' do
      let(:member_role_abilities) { { admin_group_member: true } }
-      let(:allowed_abilities) { [:admin_group_member, :admin_member_role] }
+      let(:allowed_abilities) { [:admin_group_member] }
  
      it_behaves_like 'custom roles abilities'