Merge branch 'security-fix-cr-edit-17-1' into '17-1-stable-ee'

Prevent users with admin_group_member custom ab. to manage custom roles See merge request https://gitlab.com/gitlab-org/security/gitlab/-/merge_requests/4427 Merged-by: GitLab Release Tools Bot <delivery-team+release-tools@gitlab.com> Approved-by: charlie ablett <cablett@gitlab.com> Co-authored-by: Jarka Košanová <jarka@gitlab.com>

Merge branch 'security-fix-cr-edit-17-1' into '17-1-stable-ee'
e4bd770d · GitLab Release Tools Bot · 33bfd9e7 · 9c6ad85f · e4bd770d · e4bd770d
Commit e4bd770d authored 5 months ago by GitLab Release Tools Bot
--- a/ee/app/policies/ee/group_policy.rb
+++ b/ee/app/policies/ee/group_policy.rb
@@ -540,10 +540,6 @@ module GroupPolicy
        enable :admin_member_role
      end
  
-      rule { custom_roles_allowed & can?(:admin_group_member) }.policy do
-        enable :admin_member_role
-      end
-
      rule { custom_role_enables_admin_cicd_variables }.policy do
        enable :admin_cicd_variables
      end

--- a/ee/spec/policies/group_policy_spec.rb
+++ b/ee/spec/policies/group_policy_spec.rb
@@ -3536,7 +3536,7 @@ def create_member_role(member, abilities = member_role_abilities)
  
    context 'for a member role with admin_group_member true' do
      let(:member_role_abilities) { { admin_group_member: true } }
-      let(:allowed_abilities) { [:admin_group_member, :admin_member_role] }
+      let(:allowed_abilities) { [:admin_group_member] }
  
      it_behaves_like 'custom roles abilities'