Prevent users with admin_group_member custom ab. to manage custom roles

Merge branch 'security-fix-cr-edit-17-2' into '17-2-stable-ee' See merge request gitlab-org/security/gitlab!4426 Changelog: security

Prevent users with admin_group_member custom ab. to manage custom roles
d81400b5 · Jarka Kadlecova · GitLab Release Tools Bot · af196fe5 · d81400b5 · d81400b5
Commit d81400b5 authored 5 months ago by Jarka Kadlecova Committed by GitLab Release Tools Bot 5 months ago
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -544,10 +544,6 @@ module GroupPolicy
        enable :admin_member_role
      end
  
-      rule { custom_roles_allowed & can?(:admin_group_member) }.policy do
-        enable :admin_member_role
-      end
-
      rule { custom_role_enables_admin_cicd_variables }.policy do
        enable :admin_cicd_variables
      end

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3582,7 +3582,7 @@ def create_member_role(member, abilities = member_role_abilities)
  
    context 'for a member role with admin_group_member true' do
      let(:member_role_abilities) { { admin_group_member: true } }
-      let(:allowed_abilities) { [:admin_group_member, :admin_member_role] }
+      let(:allowed_abilities) { [:admin_group_member] }
  
      it_behaves_like 'custom roles abilities'