From 57d4d7ce296385e077bec9abcbe4f1d01d4f994b Mon Sep 17 00:00:00 2001
From: Stephan Kulow
Date: Wed, 30 Jun 2021 08:33:48 +0200
Subject: [PATCH] Fix Relationship.forbidden_project_ids for groups Relationships can be users or groups and admins expect involved groups to see the hidden projects Fixes #11302 [Backport to v2.10.11] Signed-off-by: Ariel D'Alessandro
---
 src/api/app/models/relationship.rb | 13 ++++++++-----
 src/api/spec/models/relationship_spec.rb | 10 ++++++++++
 2 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/src/api/app/models/relationship.rb b/src/api/app/models/relationship.rb
index 9e7d63d2e6..1bc6fc6aa5 100644
--- a/src/api/app/models/relationship.rb
+++ b/src/api/app/models/relationship.rb
@@ -76,12 +76,15 @@ class Relationship < ApplicationRecord
 # {projecs: [p1,p2], whitelist: { u1: [p1], u2: [p1,p2], u3: [p2] } }
 forbidden_projects = Rails.cache.fetch('forbidden_projects') do
 forbidden_projects_hash = { projects: [], whitelist: {} }
- Relationship.find_by_sql("SELECT ur.project_id, ur.user_id from flags f,
- relationships ur where f.flag = 'access' and f.status = 'disable' and ur.project_id = f.project_id").each do |r|
+ Relationship.find_by_sql("SELECT ur.project_id,ur.user_id,gu.user_id as groups_user_id from flags f
+ join relationships ur on ur.project_id=f.project_id
+ left join groups_users gu on gu.group_id=ur.group_id
+ where f.flag = 'access' and f.status = 'disable'").each do |r|
 forbidden_projects_hash[:projects] << r.project_id
- if r.user_id
- forbidden_projects_hash[:whitelist][r.user_id] ||= []
- forbidden_projects_hash[:whitelist][r.user_id] << r.project_id if r.user_id
+ user_id = r.user_id || r.groups_user_id
+ if user_id
+ forbidden_projects_hash[:whitelist][user_id] ||= []
+ forbidden_projects_hash[:whitelist][user_id] << r.project_id
 end
 end
 forbidden_projects_hash[:projects].uniq!
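Review bot: The whitelist built inside `Rails.cache.fetch('forbidden_projects')` now depends on groups_users, but the hunk adds no invalidation for group-membership changes, so a user removed from (or added to) a whitelisted group keeps the old visibility of access-disabled projects until something else discards the cache entry. Unless GroupsUser already calls Relationship.discard_cache on create/destroy (not visible here), that should be wired up with this change, because a stale entry lets a former group member keep seeing hidden projects. A group relationship whose group has no members yields a row where both `user_id` and `groups_user_id` are NULL and is skipped by `if user_id`, which is harmless but deserves a comment: `# group relationships fan out to one row per member; a memberless group adds no whitelist entry`. The find_by_sql query is a static string, so there is no injection concern. The enclosing method starts before and ends after this hunk.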
diff --git a/src/api/spec/models/relationship_spec.rb b/src/api/spec/models/relationship_spec.rb
index aa45f2c93c..dce1478c66 100644
--- a/src/api/spec/models/relationship_spec.rb
+++ b/src/api/spec/models/relationship_spec.rb
@@ -102,6 +102,7 @@ RSpec.describe Relationship do
 describe '.forbidden_project_ids' do
 let(:confirmed_user) { create(:confirmed_user) }
 let(:project) { create(:forbidden_project) }
+ let(:allowed_users) { create(:group_with_user, user: confirmed_user) }
 
 context 'for admins' do
 before do
@@ -131,6 +132,15 @@ RSpec.describe Relationship do
 
 it { expect(Relationship.forbidden_project_ids).not_to include(project.id) }
 end
+
+ context 'for users in whitelisted groups' do
+ before do
+ login(confirmed_user)
+ create(:relationship_project_group, project: project, group: allowed_users)
+ end
+
+ it { expect(Relationship.forbidden_project_ids).not_to include(project.id) }
+ end
 end
 
 it '.discard_cache' do
-- GitLab
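Review bot: The new 'for users in whitelisted groups' context only proves that a member of the whitelisted group gets through; nothing in this hunk checks that a logged-in user outside that group is still denied, so a regression that dropped the `gu.group_id=ur.group_id` join condition (whitelisting every group member for every hidden project) would pass. Add a sibling context that logs in confirmed_user, creates a relationship_project_group for a group confirmed_user does not belong to, and asserts `it { expect(Relationship.forbidden_project_ids).to include(project.id) }`. Whether an earlier context already covers the plain non-whitelisted user is not visible from this hunk. As a naming point, `allowed_users` is a group, so `allowed_group` would read better in `create(:relationship_project_group, project: project, group: allowed_users)`.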