Don't treat anonymous users as owners when group has pending invites

The `members` table can have entries where `user_id: nil`, because people can invite group members by email. We never want to include those as members, because it might cause confusion with the anonymous (logged out) user.

Don't treat anonymous users as owners when group has pending invites
ccac2abe · Sean McGivern · f81ed493 · ccac2abe · ccac2abe · ccac2abe
Commit ccac2abe authored 7 years ago by Sean McGivern
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -167,10 +167,14 @@ class Group < Namespace
  end
  def has_owner?(user)
+    return false unless user
    members_with_parents.owners.where(user_id: user).any?
  end
  def has_master?(user)
+    return false unless user
    members_with_parents.masters.where(user_id: user).any?
  end
@@ -212,7 +216,7 @@ class Group < Namespace
  end
  def members_with_parents
-    GroupMember.non_request.where(source_id: ancestors.pluck(:id).push(id))
+    GroupMember.active.where(source_id: ancestors.pluck(:id).push(id)).where.not(user_id: nil)
  end
  def users_with_parents

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -10,7 +10,8 @@ class ProjectPolicy < BasePolicy
  desc "User is a project owner"
  condition :owner do
-    @user && project.owner == @user || (project.group && project.group.has_owner?(@user))
+    (project.owner.present? && project.owner == @user) ||
+      project.group&.has_owner?(@user)
  end
  desc "Project has public builds enabled"

--- a/changelogs/unreleased/35444-error-500-viewing-notes-with-anonymous-user.yml
+++ b/changelogs/unreleased/35444-error-500-viewing-notes-with-anonymous-user.yml
+---
+title: Fix anonymous access to public projects in groups with pending invites
+merge_request:
+author:
--- a/spec/models/ability_spec.rb
+++ b/spec/models/ability_spec.rb
@@ -98,7 +98,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]
-        expect(project).to receive(:owner).twice.and_return(user1)
+        expect(project).to receive(:owner).at_least(:once).and_return(user1)
        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -109,7 +109,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]
-        expect(project.team).to receive(:members).twice.and_return([user1])
+        expect(project.team).to receive(:members).at_least(:once).and_return([user1])
        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -140,7 +140,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]
-        expect(project).to receive(:owner).twice.and_return(user1)
+        expect(project).to receive(:owner).at_least(:once).and_return(user1)
        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])
@@ -151,7 +151,7 @@ describe Ability, lib: true do
        user2 = build(:user, external: true)
        users = [user1, user2]
-        expect(project.team).to receive(:members).twice.and_return([user1])
+        expect(project.team).to receive(:members).at_least(:once).and_return([user1])
        expect(described_class.users_that_can_read_project(users, project))
          .to eq([user1])

--- a/spec/models/group_spec.rb
+++ b/spec/models/group_spec.rb
@@ -236,6 +236,7 @@ describe Group, models: true do
  describe '#has_owner?' do
    before do
      @members = setup_group_members(group)
+      create(:group_member, :invited, :owner, group: group)
    end
    it { expect(group.has_owner?(@members[:owner])).to be_truthy }
@@ -244,11 +245,13 @@ describe Group, models: true do
    it { expect(group.has_owner?(@members[:reporter])).to be_falsey }
    it { expect(group.has_owner?(@members[:guest])).to be_falsey }
    it { expect(group.has_owner?(@members[:requester])).to be_falsey }
+    it { expect(group.has_owner?(nil)).to be_falsey }
  end
  describe '#has_master?' do
    before do
      @members = setup_group_members(group)
+      create(:group_member, :invited, :master, group: group)
    end
    it { expect(group.has_master?(@members[:owner])).to be_falsey }
@@ -257,6 +260,7 @@ describe Group, models: true do
    it { expect(group.has_master?(@members[:reporter])).to be_falsey }
    it { expect(group.has_master?(@members[:guest])).to be_falsey }
    it { expect(group.has_master?(@members[:requester])).to be_falsey }
+    it { expect(group.has_master?(nil)).to be_falsey }
  end
  describe '#lfs_enabled?' do

--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -127,6 +127,24 @@ describe ProjectPolicy, models: true do
    end
  end
+  context 'when a project has pending invites, and the current user is anonymous' do
+    let(:group) { create(:group, :public) }
+    let(:project) { create(:empty_project, :public, namespace: group) }
+    let(:user_permissions) { [:create_project, :create_issue, :create_note, :upload_file] }
+    let(:anonymous_permissions) { guest_permissions - user_permissions }
+    subject { described_class.new(nil, project) }
+    before do
+      create(:group_member, :invited, group: group)
+    end
+    it 'does not grant owner access' do
+      expect_allowed(*anonymous_permissions)
+      expect_disallowed(*user_permissions)
+    end
+  end
  context 'abilities for non-public projects' do
    let(:project) { create(:empty_project, namespace: owner.namespace) }