2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2014-09-02 18:07:02 +05:30
require 'carrierwave/orm/activerecord'
class Group < Namespace
2015-09-11 14:41:01 +05:30
include Gitlab :: ConfigHelper
2018-03-17 18:26:18 +05:30
include AfterCommitQueue
2016-06-16 23:09:34 +05:30
include AccessRequestable
2017-09-10 17:25:29 +05:30
include Avatarable
2015-09-11 14:41:01 +05:30
include Referable
2017-08-17 22:00:37 +05:30
include SelectForProjectAuthorization
2018-03-17 18:26:18 +05:30
include LoadedInGroupList
include GroupDescendant
2018-10-15 14:42:47 +05:30
include TokenAuthenticatable
2018-11-08 19:23:39 +05:30
include WithUploads
include Gitlab :: Utils :: StrongMemoize
2019-12-21 20:55:43 +05:30
include GroupAPICompatibility
2021-01-03 14:25:43 +05:30
include EachBatch
2021-09-04 01:27:46 +05:30
include BulkMemberAccessLoad
2022-06-21 17:19:12 +05:30
include BulkUsersByEmailLoad
2022-03-02 08:16:31 +05:30
include ChronicDurationAttribute
include RunnerTokenExpirationInterval
2019-12-04 20:38:33 +05:30
2022-02-27 12:50:16 +05:30
extend :: Gitlab :: Utils :: Override
2021-11-11 11:23:49 +05:30
def self . sti_name
'Group'
end
2020-11-24 15:15:51 +05:30
has_many :all_group_members , - > { where ( requested_at : nil ) } , dependent : :destroy , as : :source , class_name : 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
has_many :group_members , - > { where ( requested_at : nil ) . where . not ( members : { access_level : Gitlab :: Access :: MINIMAL_ACCESS } ) } , dependent : :destroy , as : :source # rubocop:disable Cop/ActiveRecordDependent
2015-11-26 14:37:03 +05:30
alias_method :members , :group_members
2020-11-24 15:15:51 +05:30
2016-08-24 12:49:21 +05:30
has_many :users , through : :group_members
2016-06-22 15:30:34 +05:30
has_many :owners ,
- > { where ( members : { access_level : Gitlab :: Access :: OWNER } ) } ,
through : :group_members ,
source : :user
2017-09-10 17:25:29 +05:30
has_many :requesters , - > { where . not ( requested_at : nil ) } , dependent : :destroy , as : :source , class_name : 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent
2018-03-17 18:26:18 +05:30
has_many :members_and_requesters , as : :source , class_name : 'GroupMember'
2016-08-24 12:49:21 +05:30
2017-09-10 17:25:29 +05:30
has_many :milestones
2021-06-08 01:23:25 +05:30
has_many :integrations
2019-12-26 22:10:19 +05:30
has_many :shared_group_links , foreign_key : :shared_with_group_id , class_name : 'GroupGroupLink'
2022-06-21 17:19:12 +05:30
has_many :shared_with_group_links , foreign_key : :shared_group_id , class_name : 'GroupGroupLink' do
def of_ancestors
group = proxy_association . owner
return GroupGroupLink . none unless group . has_parent?
GroupGroupLink . where ( shared_group_id : group . ancestors . reorder ( nil ) . select ( :id ) )
end
def of_ancestors_and_self
group = proxy_association . owner
source_ids =
if group . has_parent?
group . self_and_ancestors . reorder ( nil ) . select ( :id )
else
group . id
end
GroupGroupLink . where ( shared_group_id : source_ids )
end
end
2019-12-26 22:10:19 +05:30
has_many :shared_groups , through : :shared_group_links , source : :shared_group
has_many :shared_with_groups , through : :shared_with_group_links , source : :shared_with_group
2017-09-10 17:25:29 +05:30
has_many :project_group_links , dependent : :destroy # rubocop:disable Cop/ActiveRecordDependent
2016-06-02 11:05:42 +05:30
has_many :shared_projects , through : :project_group_links , source : :project
2018-11-08 19:23:39 +05:30
# Overridden on another method
# Left here just to be dependent: :destroy
2017-09-10 17:25:29 +05:30
has_many :notification_settings , dependent : :destroy , as : :source # rubocop:disable Cop/ActiveRecordDependent
2018-11-08 19:23:39 +05:30
2016-11-03 12:29:30 +05:30
has_many :labels , class_name : 'GroupLabel'
2017-09-10 17:25:29 +05:30
has_many :variables , class_name : 'Ci::GroupVariable'
2021-03-11 19:13:27 +05:30
has_many :daily_build_group_report_results , class_name : 'Ci::DailyBuildGroupReportResult'
2018-03-17 18:26:18 +05:30
has_many :custom_attributes , class_name : 'GroupCustomAttribute'
2014-09-02 18:07:02 +05:30
2018-03-27 19:54:05 +05:30
has_many :boards
has_many :badges , class_name : 'GroupBadge'
2022-06-21 17:19:12 +05:30
# AR defaults to nullify when trying to delete via has_many associations unless we set dependent: :delete_all
has_many :organizations , class_name : 'CustomerRelations::Organization' , inverse_of : :group , dependent : :delete_all # rubocop:disable Cop/ActiveRecordDependent
has_many :contacts , class_name : 'CustomerRelations::Contact' , inverse_of : :group , dependent : :delete_all # rubocop:disable Cop/ActiveRecordDependent
2021-12-11 22:18:48 +05:30
2018-12-13 13:39:08 +05:30
has_many :cluster_groups , class_name : 'Clusters::Group'
has_many :clusters , through : :cluster_groups , class_name : 'Clusters::Cluster'
2019-10-12 21:52:04 +05:30
has_many :container_repositories , through : :projects
2018-11-18 11:00:15 +05:30
has_many :todos
2019-12-26 22:10:19 +05:30
has_one :import_export_upload
2020-03-13 15:44:24 +05:30
has_many :import_failures , inverse_of : :group
2020-05-24 23:13:21 +05:30
has_one :import_state , class_name : 'GroupImportState' , inverse_of : :group
2021-06-08 01:23:25 +05:30
has_many :bulk_import_exports , class_name : 'BulkImports::Export' , inverse_of : :group
2020-10-24 23:57:45 +05:30
has_many :group_deploy_keys_groups , inverse_of : :group
has_many :group_deploy_keys , through : :group_deploy_keys_groups
2020-04-08 14:13:33 +05:30
has_many :group_deploy_tokens
has_many :deploy_tokens , through : :group_deploy_tokens
2021-04-29 21:17:54 +05:30
has_many :oauth_applications , class_name : 'Doorkeeper::Application' , as : :owner , dependent : :destroy # rubocop:disable Cop/ActiveRecordDependent
2020-04-08 14:13:33 +05:30
2021-01-29 00:20:46 +05:30
has_one :dependency_proxy_setting , class_name : 'DependencyProxy::GroupSetting'
2021-11-11 11:23:49 +05:30
has_one :dependency_proxy_image_ttl_policy , class_name : 'DependencyProxy::ImageTtlGroupPolicy'
2021-01-29 00:20:46 +05:30
has_many :dependency_proxy_blobs , class_name : 'DependencyProxy::Blob'
2021-02-22 17:27:13 +05:30
has_many :dependency_proxy_manifests , class_name : 'DependencyProxy::Manifest'
2021-01-29 00:20:46 +05:30
2022-08-13 15:12:31 +05:30
has_one :harbor_integration , class_name : 'Integrations::Harbor'
2021-03-11 19:13:27 +05:30
# debian_distributions and associated component_files must be destroyed by ruby code in order to properly remove carrierwave uploads
2021-03-08 18:12:59 +05:30
has_many :debian_distributions , class_name : 'Packages::Debian::GroupDistribution' , dependent : :destroy # rubocop:disable Cop/ActiveRecordDependent
2021-11-11 11:23:49 +05:30
has_many :group_callouts , class_name : 'Users::GroupCallout' , foreign_key : :group_id
2023-01-13 00:05:48 +05:30
has_many :protected_branches , inverse_of : :group
2022-06-21 17:19:12 +05:30
has_one :group_feature , inverse_of : :group , class_name : 'Groups::FeatureSetting'
2021-11-11 11:23:49 +05:30
delegate :prevent_sharing_groups_outside_hierarchy , :new_user_signups_cap , :setup_for_company , :jobs_to_be_done , to : :namespace_settings
2022-03-02 08:16:31 +05:30
delegate :runner_token_expiration_interval , :runner_token_expiration_interval = , :runner_token_expiration_interval_human_readable , :runner_token_expiration_interval_human_readable = , to : :namespace_settings , allow_nil : true
delegate :subgroup_runner_token_expiration_interval , :subgroup_runner_token_expiration_interval = , :subgroup_runner_token_expiration_interval_human_readable , :subgroup_runner_token_expiration_interval_human_readable = , to : :namespace_settings , allow_nil : true
delegate :project_runner_token_expiration_interval , :project_runner_token_expiration_interval = , :project_runner_token_expiration_interval_human_readable , :project_runner_token_expiration_interval_human_readable = , to : :namespace_settings , allow_nil : true
has_one :crm_settings , class_name : 'Group::CrmSettings' , inverse_of : :group
2021-09-04 01:27:46 +05:30
2018-03-17 18:26:18 +05:30
accepts_nested_attributes_for :variables , allow_destroy : true
2022-06-21 17:19:12 +05:30
accepts_nested_attributes_for :group_feature , update_only : true
2014-09-02 18:07:02 +05:30
2018-03-17 18:26:18 +05:30
validate :visibility_level_allowed_by_projects
validate :visibility_level_allowed_by_sub_groups
validate :visibility_level_allowed_by_parent
2021-01-03 14:25:43 +05:30
validate :two_factor_authentication_allowed
2021-04-29 21:17:54 +05:30
validates :variables , nested_attributes_duplicates : { scope : :environment_scope }
2017-08-17 22:00:37 +05:30
2018-03-17 18:26:18 +05:30
validates :two_factor_grace_period , presence : true , numericality : { greater_than_or_equal_to : 0 }
2020-07-02 01:45:43 +05:30
2020-03-28 13:19:24 +05:30
validates :name ,
2020-07-02 01:45:43 +05:30
html_safety : true ,
format : { with : Gitlab :: Regex . group_name_regex ,
message : Gitlab :: Regex . group_name_regex_message } ,
if : :name_changed?
2015-04-26 12:48:37 +05:30
2022-06-21 17:19:12 +05:30
validates :group_feature , presence : true
2022-02-27 12:50:16 +05:30
add_authentication_token_field :runners_token ,
2022-07-16 23:28:13 +05:30
encrypted : - > { Feature . enabled? ( :groups_tokens_optional_encryption ) ? :optional : :required } ,
2022-08-27 11:52:29 +05:30
prefix : RunnersTokenPrefixable :: RUNNERS_TOKEN_PREFIX
2018-10-15 14:42:47 +05:30
2015-04-26 12:48:37 +05:30
after_create :post_create_hook
after_destroy :post_destroy_hook
2022-10-11 01:57:18 +05:30
after_commit :update_two_factor_requirement
2019-07-31 22:56:46 +05:30
after_update :path_changed_hook , if : :saved_change_to_path?
2022-06-21 17:19:12 +05:30
after_create - > { create_or_load_association ( :group_feature ) }
2015-04-26 12:48:37 +05:30
2019-09-30 21:07:59 +05:30
scope :with_users , - > { includes ( :users ) }
2021-06-08 01:23:25 +05:30
scope :with_onboarding_progress , - > { joins ( :onboarding_progress ) }
2020-07-28 23:09:34 +05:30
scope :by_id , - > ( groups ) { where ( id : groups ) }
2022-03-02 08:16:31 +05:30
scope :by_ids_or_paths , - > ( ids , paths ) { by_id ( ids ) . or ( where ( path : paths ) ) }
2021-01-29 00:20:46 +05:30
scope :for_authorized_group_members , - > ( user_ids ) do
joins ( :group_members )
2021-06-08 01:23:25 +05:30
. where ( members : { user_id : user_ids } )
2021-01-29 00:20:46 +05:30
. where ( " access_level >= ? " , Gitlab :: Access :: GUEST )
end
scope :for_authorized_project_members , - > ( user_ids ) do
joins ( projects : :project_authorizations )
2021-06-08 01:23:25 +05:30
. where ( project_authorizations : { user_id : user_ids } )
2021-01-29 00:20:46 +05:30
end
2022-08-27 11:52:29 +05:30
scope :project_creation_allowed , - > do
permitted_levels = [
:: Gitlab :: Access :: DEVELOPER_MAINTAINER_PROJECT_ACCESS ,
:: Gitlab :: Access :: MAINTAINER_PROJECT_ACCESS ,
nil
]
where ( project_creation_level : permitted_levels )
end
2022-10-11 01:57:18 +05:30
scope :shared_into_ancestors , - > ( group ) do
joins ( :shared_group_links )
. where ( group_group_links : { shared_group_id : group . self_and_ancestors } )
end
# WARNING: This method should never be used on its own
# please do make sure the number of rows you are filtering is small
# enough for this query
#
# It's a replacement for `public_or_visible_to_user` that correctly
# supports subgroup permissions
scope :accessible_to_user , - > ( user ) do
if user
Preloaders :: GroupPolicyPreloader . new ( self , user ) . execute
select { | group | user . can? ( :read_group , group ) }
else
public_to_user
end
end
2015-04-26 12:48:37 +05:30
class << self
2018-05-09 12:01:36 +05:30
def sort_by_attribute ( method )
2017-08-17 22:00:37 +05:30
if method == 'storage_size_desc'
# storage_size is a virtual column so we need to
# pass a string to avoid AR adding the table name
reorder ( 'storage_size DESC, namespaces.id DESC' )
else
order_by ( method )
end
2015-04-26 12:48:37 +05:30
end
2015-09-11 14:41:01 +05:30
def reference_prefix
User . reference_prefix
end
def reference_pattern
User . reference_pattern
end
2015-11-26 14:37:03 +05:30
2018-11-08 19:23:39 +05:30
# WARNING: This method should never be used on its own
# please do make sure the number of rows you are filtering is small
# enough for this query
def public_or_visible_to_user ( user )
return public_to_user unless user
public_for_user = public_to_user_arel ( user )
visible_for_user = visible_to_user_arel ( user )
public_or_visible = public_for_user . or ( visible_for_user )
where ( public_or_visible )
2015-11-26 14:37:03 +05:30
end
2017-08-17 22:00:37 +05:30
def select_for_project_authorization
if current_scope . joins_values . include? ( :shared_projects )
joins ( 'INNER JOIN namespaces project_namespace ON project_namespace.id = projects.namespace_id' )
2021-06-08 01:23:25 +05:30
. where ( project_namespace : { share_with_group_lock : false } )
2021-10-27 15:23:28 +05:30
. select ( " projects.id AS project_id " , " LEAST(project_group_links.group_access, members.access_level) AS access_level " )
2017-08-17 22:00:37 +05:30
else
super
end
end
2018-11-08 19:23:39 +05:30
2021-01-03 14:25:43 +05:30
def without_integration ( integration )
2021-06-08 01:23:25 +05:30
integrations = Integration
2021-01-03 14:25:43 +05:30
. select ( '1' )
2021-09-30 23:02:18 +05:30
. where ( " #{ Integration . table_name } .group_id = namespaces.id " )
2021-01-03 14:25:43 +05:30
. where ( type : integration . type )
2021-06-08 01:23:25 +05:30
where ( 'NOT EXISTS (?)' , integrations )
2021-01-03 14:25:43 +05:30
end
2021-03-11 19:13:27 +05:30
# This method can be used only if all groups have the same top-level
# group
def preset_root_ancestor_for ( groups )
return groups if groups . size < 2
root = groups . first . root_ancestor
groups . drop ( 1 ) . each { | group | group . root_ancestor = root }
end
2021-04-29 21:17:54 +05:30
# Returns the ids of the passed group models where the `emails_disabled`
# column is set to true anywhere in the ancestor hierarchy.
def ids_with_disabled_email ( groups )
2021-11-18 22:05:49 +05:30
inner_groups = Group . where ( 'id = namespaces_with_emails_disabled.id' )
2021-12-11 22:18:48 +05:30
inner_query = inner_groups
. self_and_ancestors
2021-04-29 21:17:54 +05:30
. where ( emails_disabled : true )
. select ( '1' )
. limit ( 1 )
group_ids = Namespace
. from ( '(SELECT * FROM namespaces) as namespaces_with_emails_disabled' )
. where ( namespaces_with_emails_disabled : { id : groups } )
2021-11-18 22:05:49 +05:30
. where ( 'EXISTS (?)' , inner_query )
2021-04-29 21:17:54 +05:30
. pluck ( :id )
Set . new ( group_ids )
end
2022-03-02 08:16:31 +05:30
def get_ids_by_ids_or_paths ( ids , paths )
by_ids_or_paths ( ids , paths ) . pluck ( :id )
end
2018-11-08 19:23:39 +05:30
private
def public_to_user_arel ( user )
self . arel_table [ :visibility_level ]
. in ( Gitlab :: VisibilityLevel . levels_for_user ( user ) )
end
def visible_to_user_arel ( user )
groups_table = self . arel_table
2019-12-26 22:10:19 +05:30
authorized_groups = user . authorized_groups . arel . as ( 'authorized' )
2018-11-08 19:23:39 +05:30
groups_table . project ( 1 )
. from ( authorized_groups )
. where ( authorized_groups [ :id ] . eq ( groups_table [ :id ] ) )
. exists
end
end
# Overrides notification_settings has_many association
# This allows to apply notification settings from parent groups
# to child groups and projects.
2019-09-04 21:01:54 +05:30
def notification_settings ( hierarchy_order : nil )
2018-11-08 19:23:39 +05:30
source_type = self . class . base_class . name
2019-09-04 21:01:54 +05:30
settings = NotificationSetting . where ( source_type : source_type , source_id : self_and_ancestors_ids )
2018-11-08 19:23:39 +05:30
2019-09-04 21:01:54 +05:30
return settings unless hierarchy_order && self_and_ancestors_ids . length > 1
settings
. joins ( " LEFT JOIN ( #{ self_and_ancestors ( hierarchy_order : hierarchy_order ) . to_sql } ) AS ordered_groups ON notification_settings.source_id = ordered_groups.id " )
. select ( 'notification_settings.*, ordered_groups.depth AS depth' )
. order ( " ordered_groups.depth #{ hierarchy_order } " )
end
def notification_settings_for ( user , hierarchy_order : nil )
notification_settings ( hierarchy_order : hierarchy_order ) . where ( user : user )
2015-09-11 14:41:01 +05:30
end
2020-10-24 23:57:45 +05:30
def packages_feature_enabled?
:: Gitlab . config . packages . enabled
end
2021-01-29 00:20:46 +05:30
def dependency_proxy_feature_available?
:: Gitlab . config . dependency_proxy . enabled
end
2019-10-12 21:52:04 +05:30
def notification_email_for ( user )
# Finds the closest notification_setting with a `notification_email`
notification_settings = notification_settings_for ( user , hierarchy_order : :asc )
notification_settings . find { | n | n . notification_email . present? } & . notification_email
end
2020-05-24 23:13:21 +05:30
def to_reference ( _from = nil , target_project : nil , full : nil )
2017-08-17 22:00:37 +05:30
" #{ self . class . reference_prefix } #{ full_path } "
2015-04-26 12:48:37 +05:30
end
2014-09-02 18:07:02 +05:30
2020-04-22 19:07:51 +05:30
def web_url ( only_path : nil )
Gitlab :: UrlBuilder . build ( self , only_path : only_path )
2016-06-16 23:09:34 +05:30
end
2021-11-11 11:23:49 +05:30
def dependency_proxy_image_prefix
# The namespace path can include uppercase letters, which
# Docker doesn't allow. The proxy expects it to be downcased.
url = " #{ Gitlab :: Routing . url_helpers . group_url ( self ) . downcase } #{ DependencyProxy :: URL_SUFFIX } "
# Docker images do not include the protocol
url . partition ( '//' ) . last
end
2014-09-02 18:07:02 +05:30
def human_name
2017-08-17 22:00:37 +05:30
full_name
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def visibility_level_allowed_by_parent? ( level = self . visibility_level )
return true unless parent_id && parent_id . nonzero?
2016-06-02 11:05:42 +05:30
2018-03-17 18:26:18 +05:30
level < = parent . visibility_level
end
def visibility_level_allowed_by_projects? ( level = self . visibility_level )
! projects . where ( 'visibility_level > ?' , level ) . exists?
end
2016-06-02 11:05:42 +05:30
2018-03-17 18:26:18 +05:30
def visibility_level_allowed_by_sub_groups? ( level = self . visibility_level )
! children . where ( 'visibility_level > ?' , level ) . exists?
2016-06-02 11:05:42 +05:30
end
2018-03-17 18:26:18 +05:30
def visibility_level_allowed? ( level = self . visibility_level )
visibility_level_allowed_by_parent? ( level ) &&
visibility_level_allowed_by_projects? ( level ) &&
visibility_level_allowed_by_sub_groups? ( level )
2015-09-11 14:41:01 +05:30
end
2016-09-29 09:46:39 +05:30
def lfs_enabled?
return false unless Gitlab . config . lfs . enabled
return Gitlab . config . lfs . enabled if self [ :lfs_enabled ] . nil?
self [ :lfs_enabled ]
end
2018-10-15 14:42:47 +05:30
def owned_by? ( user )
owners . include? ( user )
end
2022-08-13 15:12:31 +05:30
def add_members ( users , access_level , current_user : nil , expires_at : nil , tasks_to_be_done : [ ] , tasks_project_id : nil )
Members :: Groups :: CreatorService . add_members ( # rubocop:disable CodeReuse/ServiceClass
2016-11-03 12:29:30 +05:30
self ,
users ,
access_level ,
current_user : current_user ,
2021-12-11 22:18:48 +05:30
expires_at : expires_at ,
tasks_to_be_done : tasks_to_be_done ,
tasks_project_id : tasks_project_id
2016-11-03 12:29:30 +05:30
)
2014-09-02 18:07:02 +05:30
end
2022-08-13 15:12:31 +05:30
def add_member ( user , access_level , current_user : nil , expires_at : nil , ldap : false , blocking_refresh : true )
Members :: Groups :: CreatorService . add_member ( # rubocop:disable CodeReuse/ServiceClass
2022-06-21 17:19:12 +05:30
self ,
user ,
access_level ,
current_user : current_user ,
expires_at : expires_at ,
ldap : ldap ,
blocking_refresh : blocking_refresh
2022-07-23 23:45:48 +05:30
)
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
def add_guest ( user , current_user = nil )
2022-08-13 15:12:31 +05:30
add_member ( user , :guest , current_user : current_user )
2015-09-11 14:41:01 +05:30
end
def add_reporter ( user , current_user = nil )
2022-08-13 15:12:31 +05:30
add_member ( user , :reporter , current_user : current_user )
2015-09-11 14:41:01 +05:30
end
def add_developer ( user , current_user = nil )
2022-08-13 15:12:31 +05:30
add_member ( user , :developer , current_user : current_user )
2015-09-11 14:41:01 +05:30
end
2018-11-18 11:00:15 +05:30
def add_maintainer ( user , current_user = nil )
2022-08-13 15:12:31 +05:30
add_member ( user , :maintainer , current_user : current_user )
2015-09-11 14:41:01 +05:30
end
2015-04-26 12:48:37 +05:30
def add_owner ( user , current_user = nil )
2022-08-13 15:12:31 +05:30
add_member ( user , :owner , current_user : current_user )
2014-09-02 18:07:02 +05:30
end
2018-03-17 18:26:18 +05:30
def member? ( user , min_access_level = Gitlab :: Access :: GUEST )
return false unless user
max_member_access_for_user ( user ) > = min_access_level
end
2014-09-02 18:07:02 +05:30
def has_owner? ( user )
2017-09-10 17:25:29 +05:30
return false unless user
2019-07-07 11:18:12 +05:30
members_with_parents . owners . exists? ( user_id : user )
2014-09-02 18:07:02 +05:30
end
2021-04-29 21:17:54 +05:30
def blocked_owners
members . blocked . where ( access_level : Gitlab :: Access :: OWNER )
end
2018-11-18 11:00:15 +05:30
def has_maintainer? ( user )
2017-09-10 17:25:29 +05:30
return false unless user
2019-07-07 11:18:12 +05:30
members_with_parents . maintainers . exists? ( user_id : user )
2014-09-02 18:07:02 +05:30
end
2019-12-26 22:10:19 +05:30
def has_container_repository_including_subgroups?
:: ContainerRepository . for_group_and_its_subgroups ( self ) . exists?
2019-12-21 20:55:43 +05:30
end
2017-08-17 22:00:37 +05:30
# Check if user is a last owner of the group.
2023-01-13 00:05:48 +05:30
# Excludes non-direct owners for top-level group
2022-07-23 23:45:48 +05:30
# Excludes project_bots
2014-09-02 18:07:02 +05:30
def last_owner? ( user )
2023-01-13 00:05:48 +05:30
has_owner? ( user ) && member_owners_excluding_project_bots . size == 1
2021-04-29 21:17:54 +05:30
end
def member_last_owner? ( member )
return member . last_owner unless member . last_owner . nil?
last_owner? ( member . user )
end
2023-01-13 00:05:48 +05:30
# Excludes non-direct owners for top-level group
# Excludes project_bots
def member_owners_excluding_project_bots
if root?
members
else
members_with_parents
end . owners . merge ( User . without_project_bot )
2014-09-02 18:07:02 +05:30
end
2021-04-29 21:17:54 +05:30
def single_blocked_owner?
blocked_owners . size == 1
end
def member_last_blocked_owner? ( member )
return member . last_blocked_owner unless member . last_blocked_owner . nil?
2023-01-13 00:05:48 +05:30
return false if member_owners_excluding_project_bots . any?
2021-04-17 20:07:23 +05:30
2021-04-29 21:17:54 +05:30
single_blocked_owner? && blocked_owners . exists? ( user_id : member . user )
2021-04-17 20:07:23 +05:30
end
2018-11-08 19:23:39 +05:30
def ldap_synced?
false
end
2015-04-26 12:48:37 +05:30
def post_create_hook
2015-09-11 14:41:01 +05:30
Gitlab :: AppLogger . info ( " Group \" #{ name } \" was created " )
2015-04-26 12:48:37 +05:30
system_hook_service . execute_hooks_for ( self , :create )
end
2014-09-02 18:07:02 +05:30
2015-04-26 12:48:37 +05:30
def post_destroy_hook
2015-09-11 14:41:01 +05:30
Gitlab :: AppLogger . info ( " Group \" #{ name } \" was removed " )
2015-04-26 12:48:37 +05:30
system_hook_service . execute_hooks_for ( self , :destroy )
end
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2015-04-26 12:48:37 +05:30
def system_hook_service
SystemHooksService . new
2014-09-02 18:07:02 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-08-17 22:00:37 +05:30
2018-12-05 23:21:45 +05:30
# rubocop: disable CodeReuse/ServiceClass
2021-04-17 20:07:23 +05:30
def refresh_members_authorized_projects (
blocking : true ,
priority : UserProjectAccessChangedService :: HIGH_PRIORITY ,
direct_members_only : false
)
user_ids = if direct_members_only
users_ids_of_direct_members
else
user_ids_for_project_authorizations
end
2020-05-24 23:13:21 +05:30
UserProjectAccessChangedService
2021-04-17 20:07:23 +05:30
. new ( user_ids )
2020-05-24 23:13:21 +05:30
. execute ( blocking : blocking , priority : priority )
2017-08-17 22:00:37 +05:30
end
2018-12-05 23:21:45 +05:30
# rubocop: enable CodeReuse/ServiceClass
2017-08-17 22:00:37 +05:30
2021-04-17 20:07:23 +05:30
def users_ids_of_direct_members
direct_members . pluck ( :user_id )
end
2017-08-17 22:00:37 +05:30
def user_ids_for_project_authorizations
2021-04-17 20:07:23 +05:30
members_with_parents . pluck ( Arel . sql ( 'DISTINCT members.user_id' ) )
2017-08-17 22:00:37 +05:30
end
2018-11-08 19:23:39 +05:30
def self_and_ancestors_ids
strong_memoize ( :self_and_ancestors_ids ) do
self_and_ancestors . pluck ( :id )
end
end
2021-09-04 01:27:46 +05:30
def self_and_descendants_ids
strong_memoize ( :self_and_descendants_ids ) do
self_and_descendants . pluck ( :id )
end
end
2021-04-17 20:07:23 +05:30
def direct_members
GroupMember . active_without_invites_and_requests
. non_minimal_access
. where ( source_id : id )
end
2021-06-08 01:23:25 +05:30
def authorizable_members_with_parents
source_ids =
if has_parent?
self_and_ancestors . reorder ( nil ) . select ( :id )
else
id
end
2021-10-27 15:23:28 +05:30
group_hierarchy_members = GroupMember . where ( source_id : source_ids ) . select ( * GroupMember . cached_column_list )
2021-06-08 01:23:25 +05:30
GroupMember . from_union ( [ group_hierarchy_members ,
members_from_self_and_ancestor_group_shares ] ) . authorizable
end
2017-08-17 22:00:37 +05:30
def members_with_parents
2017-09-10 17:25:29 +05:30
# Avoids an unnecessary SELECT when the group has no parents
source_ids =
2020-06-23 00:09:42 +05:30
if has_parent?
2017-09-10 17:25:29 +05:30
self_and_ancestors . reorder ( nil ) . select ( :id )
else
id
end
2020-06-23 00:09:42 +05:30
group_hierarchy_members = GroupMember . active_without_invites_and_requests
2021-01-03 14:25:43 +05:30
. non_minimal_access
2020-06-23 00:09:42 +05:30
. where ( source_id : source_ids )
2021-10-27 15:23:28 +05:30
. select ( * GroupMember . cached_column_list )
2020-06-23 00:09:42 +05:30
GroupMember . from_union ( [ group_hierarchy_members ,
members_from_self_and_ancestor_group_shares ] )
2017-09-10 17:25:29 +05:30
end
2020-05-24 23:13:21 +05:30
def members_from_self_and_ancestors_with_effective_access_level
members_with_parents . select ( [ :user_id , 'MAX(access_level) AS access_level' ] )
. group ( :user_id )
end
2017-09-10 17:25:29 +05:30
def members_with_descendants
GroupMember
2018-04-04 21:44:52 +05:30
. active_without_invites_and_requests
2017-09-10 17:25:29 +05:30
. where ( source_id : self_and_descendants . reorder ( nil ) . select ( :id ) )
2017-08-17 22:00:37 +05:30
end
2018-10-15 14:42:47 +05:30
# Returns all members that are part of the group, it's subgroups, and ancestor groups
def direct_and_indirect_members
GroupMember
. active_without_invites_and_requests
. where ( source_id : self_and_hierarchy . reorder ( nil ) . select ( :id ) )
end
2021-02-22 17:27:13 +05:30
def direct_and_indirect_members_with_inactive
GroupMember
. non_request
. non_invite
. where ( source_id : self_and_hierarchy . reorder ( nil ) . select ( :id ) )
end
2017-08-17 22:00:37 +05:30
def users_with_parents
2017-09-10 17:25:29 +05:30
User
. where ( id : members_with_parents . select ( :user_id ) )
. reorder ( nil )
end
def users_with_descendants
User
. where ( id : members_with_descendants . select ( :user_id ) )
. reorder ( nil )
end
2018-10-15 14:42:47 +05:30
# Returns all users that are members of the group because:
# 1. They belong to the group
# 2. They belong to a project that belongs to the group
# 3. They belong to a sub-group or project in such sub-group
# 4. They belong to an ancestor group
def direct_and_indirect_users
2018-12-05 23:21:45 +05:30
User . from_union ( [
2022-10-11 01:57:18 +05:30
User
. where ( id : direct_and_indirect_members . select ( :user_id ) )
. reorder ( nil ) ,
project_users_with_descendants
] )
2018-10-15 14:42:47 +05:30
end
2021-02-22 17:27:13 +05:30
# Returns all users (also inactive) that are members of the group because:
# 1. They belong to the group
# 2. They belong to a project that belongs to the group
# 3. They belong to a sub-group or project in such sub-group
# 4. They belong to an ancestor group
def direct_and_indirect_users_with_inactive
User . from_union ( [
2022-10-11 01:57:18 +05:30
User
. where ( id : direct_and_indirect_members_with_inactive . select ( :user_id ) )
. reorder ( nil ) ,
project_users_with_descendants
] )
2021-02-22 17:27:13 +05:30
end
2020-11-24 15:15:51 +05:30
def users_count
members . count
end
2018-10-15 14:42:47 +05:30
# Returns all users that are members of projects
# belonging to the current group or sub-groups
def project_users_with_descendants
User
. joins ( projects : :group )
. where ( namespaces : { id : self_and_descendants . select ( :id ) } )
end
2020-11-24 15:15:51 +05:30
# Return the highest access level for a user
#
# A special case is handled here when the user is a GitLab admin
# which implies it has "OWNER" access everywhere, but should not
# officially appear as a member of a group unless specifically added to it
#
# @param user [User]
# @param only_concrete_membership [Bool] whether require admin concrete membership status
def max_member_access_for_user ( user , only_concrete_membership : false )
2019-09-04 21:01:54 +05:30
return GroupMember :: NO_ACCESS unless user
2021-04-17 20:07:23 +05:30
return GroupMember :: OWNER if user . can_admin_all_resources? && ! only_concrete_membership
2021-06-08 01:23:25 +05:30
2021-09-04 01:27:46 +05:30
max_member_access ( [ user . id ] ) [ user . id ]
2017-08-17 22:00:37 +05:30
end
def mattermost_team_params
max_length = 59
{
name : path [ 0 .. max_length ] ,
display_name : name [ 0 .. max_length ] ,
type : public ? ? 'O' : 'I' # Open vs Invite-only
}
end
2022-03-02 08:16:31 +05:30
def member ( user )
2018-03-17 18:26:18 +05:30
if group_members . loaded?
group_members . find { | gm | gm . user_id == user . id }
else
group_members . find_by ( user_id : user )
end
end
2019-03-02 22:35:43 +05:30
def highest_group_member ( user )
GroupMember . where ( source_id : self_and_ancestors_ids , user_id : user . id ) . order ( :access_level ) . last
end
2022-03-02 08:16:31 +05:30
def bots
users . project_bot
end
2020-03-13 15:44:24 +05:30
def related_group_ids
[ id ,
* ancestors . pluck ( :id ) ,
* shared_with_group_links . pluck ( :shared_with_group_id ) ]
end
2018-03-17 18:26:18 +05:30
def hashed_storage? ( _feature )
false
end
2018-05-09 12:01:36 +05:30
def refresh_project_authorizations
refresh_members_authorized_projects ( blocking : false )
end
2018-10-15 14:42:47 +05:30
# each existing group needs to have a `runners_token`.
# we do this on read since migrating all existing groups is not a feasible
# solution.
def runners_token
ensure_runners_token!
end
2022-02-27 12:50:16 +05:30
override :format_runners_token
def format_runners_token ( token )
2022-05-07 20:08:51 +05:30
" #{ RunnersTokenPrefixable :: RUNNERS_TOKEN_PREFIX } #{ token } "
2022-02-27 12:50:16 +05:30
end
2019-07-07 11:18:12 +05:30
def project_creation_level
super || :: Gitlab :: CurrentSettings . default_project_creation
end
2019-10-12 21:52:04 +05:30
def subgroup_creation_level
super || :: Gitlab :: Access :: OWNER_SUBGROUP_ACCESS
end
2019-12-04 20:38:33 +05:30
def access_request_approvers_to_be_notified
2021-09-04 01:27:46 +05:30
members . owners . connected_to_user . order_recent_sign_in . limit ( Member :: ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT )
2019-12-04 20:38:33 +05:30
end
2021-11-11 11:23:49 +05:30
def membership_locked?
false # to support project and group calling this as 'source'
end
2019-12-21 20:55:43 +05:30
def supports_events?
false
end
2019-12-26 22:10:19 +05:30
def export_file_exists?
2021-09-04 01:27:46 +05:30
import_export_upload & . export_file_exists?
2019-12-26 22:10:19 +05:30
end
def export_file
import_export_upload & . export_file
end
2021-09-04 01:27:46 +05:30
def export_archive_exists?
import_export_upload & . export_archive_exists?
end
2020-03-13 15:44:24 +05:30
def adjourned_deletion?
false
end
2020-05-24 23:13:21 +05:30
def execute_hooks ( data , hooks_scope )
# NOOP
# TODO: group hooks https://gitlab.com/gitlab-org/gitlab/-/issues/216904
end
2021-09-30 23:02:18 +05:30
def execute_integrations ( data , hooks_scope )
2020-05-24 23:13:21 +05:30
# NOOP
# TODO: group hooks https://gitlab.com/gitlab-org/gitlab/-/issues/216904
2020-04-22 19:07:51 +05:30
end
2020-06-23 00:09:42 +05:30
def preload_shared_group_links
preloader = ActiveRecord :: Associations :: Preloader . new
preloader . preload ( self , shared_with_group_links : [ shared_with_group : :route ] )
end
2021-01-03 14:25:43 +05:30
def update_shared_runners_setting! ( state )
raise ArgumentError unless SHARED_RUNNERS_SETTINGS . include? ( state )
2020-07-28 23:09:34 +05:30
2021-01-03 14:25:43 +05:30
case state
2021-11-18 22:05:49 +05:30
when SR_DISABLED_AND_UNOVERRIDABLE then disable_shared_runners! # also disallows override
when SR_DISABLED_WITH_OVERRIDE then disable_shared_runners_and_allow_override!
when SR_ENABLED then enable_shared_runners! # set both to true
2021-01-03 14:25:43 +05:30
end
2020-07-28 23:09:34 +05:30
end
2022-03-02 08:16:31 +05:30
def first_owner
owners . first || parent & . first_owner || owner
2020-07-28 23:09:34 +05:30
end
2021-01-03 14:25:43 +05:30
def default_branch_name
namespace_settings & . default_branch_name
2020-07-28 23:09:34 +05:30
end
2021-01-03 14:25:43 +05:30
def access_level_roles
GroupMember . access_level_roles
2020-07-28 23:09:34 +05:30
end
2021-01-03 14:25:43 +05:30
def access_level_values
access_level_roles . values
2020-07-28 23:09:34 +05:30
end
2021-01-03 14:25:43 +05:30
def parent_allows_two_factor_authentication?
return true unless has_parent?
2020-07-28 23:09:34 +05:30
2021-01-03 14:25:43 +05:30
ancestor_settings = ancestors . find_by ( parent_id : nil ) . namespace_settings
ancestor_settings . allow_mfa_for_subgroups
2020-10-24 23:57:45 +05:30
end
2021-01-29 00:20:46 +05:30
def has_project_with_service_desk_enabled?
Gitlab :: ServiceDesk . supported? && all_projects . service_desk_enabled . exists?
end
2021-06-08 01:23:25 +05:30
def activity_path
Gitlab :: Routing . url_helpers . activity_group_path ( self )
end
2021-09-04 01:27:46 +05:30
# rubocop: disable CodeReuse/ServiceClass
def open_issues_count ( current_user = nil )
Groups :: OpenIssuesCountService . new ( self , current_user ) . count
end
# rubocop: enable CodeReuse/ServiceClass
# rubocop: disable CodeReuse/ServiceClass
def open_merge_requests_count ( current_user = nil )
Groups :: MergeRequestsCountService . new ( self , current_user ) . count
end
# rubocop: enable CodeReuse/ServiceClass
2021-10-27 15:23:28 +05:30
def timelogs
Timelog . in_group ( self )
end
2021-11-11 11:23:49 +05:30
def dependency_proxy_image_ttl_policy
super || build_dependency_proxy_image_ttl_policy
end
2022-03-02 08:16:31 +05:30
def dependency_proxy_setting
super || build_dependency_proxy_setting
end
2022-06-21 17:19:12 +05:30
def group_feature
super || build_group_feature
end
2022-03-02 08:16:31 +05:30
def crm_enabled?
crm_settings & . enabled?
end
def shared_with_group_links_visible_to_user ( user )
shared_with_group_links . preload_shared_with_groups . filter { | link | Ability . allowed? ( user , :read_group , link . shared_with_group ) }
end
def enforced_runner_token_expiration_interval
all_parent_groups = Gitlab :: ObjectHierarchy . new ( Group . where ( id : id ) ) . ancestors
all_group_settings = NamespaceSetting . where ( namespace_id : all_parent_groups )
group_interval = all_group_settings . where . not ( subgroup_runner_token_expiration_interval : nil ) . minimum ( :subgroup_runner_token_expiration_interval ) & . seconds
[
Gitlab :: CurrentSettings . group_runner_token_expiration_interval & . seconds ,
group_interval
] . compact . min
end
2022-06-21 17:19:12 +05:30
def work_items_feature_flag_enabled?
feature_flag_enabled_for_self_or_ancestor? ( :work_items )
end
2022-08-27 11:52:29 +05:30
def work_items_mvc_2_feature_flag_enabled?
feature_flag_enabled_for_self_or_ancestor? ( :work_items_mvc_2 )
end
def work_items_create_from_markdown_feature_flag_enabled?
feature_flag_enabled_for_self_or_ancestor? ( :work_items_create_from_markdown )
end
2022-06-21 17:19:12 +05:30
# Check for enabled features, similar to `Project#feature_available?`
# NOTE: We still want to keep this after removing `Namespace#feature_available?`.
override :feature_available?
def feature_available? ( feature , user = nil )
if :: Groups :: FeatureSetting . available_features . include? ( feature )
group_feature . feature_available? ( feature , user ) # rubocop:disable Gitlab/FeatureAvailableUsage
else
super
end
end
2022-07-23 23:45:48 +05:30
def gitlab_deploy_token
strong_memoize ( :gitlab_deploy_token ) do
deploy_tokens . gitlab_deploy_token
end
end
2022-10-11 01:57:18 +05:30
def packages_policy_subject
2022-11-25 23:54:43 +05:30
:: Packages :: Policies :: Group . new ( self )
2022-10-11 01:57:18 +05:30
end
def update_two_factor_requirement_for_members
direct_and_indirect_members . find_each ( & :update_two_factor_requirement )
end
2018-03-17 18:26:18 +05:30
private
2017-08-17 22:00:37 +05:30
2022-06-21 17:19:12 +05:30
def feature_flag_enabled_for_self_or_ancestor? ( feature_flag )
actors = [ root_ancestor ]
actors << self if root_ancestor != self
actors . any? do | actor |
2022-07-16 23:28:13 +05:30
:: Feature . enabled? ( feature_flag , actor )
2022-06-21 17:19:12 +05:30
end
end
2021-09-04 01:27:46 +05:30
def max_member_access ( user_ids )
2022-05-07 20:08:51 +05:30
Gitlab :: SafeRequestLoader . execute ( resource_key : max_member_access_for_resource_key ( User ) ,
resource_ids : user_ids ,
default_value : Gitlab :: Access :: NO_ACCESS ) do | user_ids |
2021-09-04 01:27:46 +05:30
members_with_parents . where ( user_id : user_ids ) . group ( :user_id ) . maximum ( :access_level )
end
end
2017-08-17 22:00:37 +05:30
def update_two_factor_requirement
2019-07-31 22:56:46 +05:30
return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period?
2017-08-17 22:00:37 +05:30
2022-10-11 01:57:18 +05:30
Groups :: UpdateTwoFactorRequirementForMembersWorker . perform_async ( self . id )
2017-08-17 22:00:37 +05:30
end
2018-03-17 18:26:18 +05:30
def path_changed_hook
system_hook_service . execute_hooks_for ( self , :rename )
end
def visibility_level_allowed_by_parent
return if visibility_level_allowed_by_parent?
errors . add ( :visibility_level , " #{ visibility } is not allowed since the parent group has a #{ parent . visibility } visibility. " )
end
def visibility_level_allowed_by_projects
return if visibility_level_allowed_by_projects?
errors . add ( :visibility_level , " #{ visibility } is not allowed since this group contains projects with higher visibility. " )
end
def visibility_level_allowed_by_sub_groups
return if visibility_level_allowed_by_sub_groups?
errors . add ( :visibility_level , " #{ visibility } is not allowed since there are sub-groups with higher visibility. " )
end
2019-12-21 20:55:43 +05:30
2021-01-03 14:25:43 +05:30
def two_factor_authentication_allowed
return unless has_parent?
return unless require_two_factor_authentication
return if parent_allows_two_factor_authentication?
errors . add ( :require_two_factor_authentication , _ ( 'is forbidden by a top-level group' ) )
end
2020-06-23 00:09:42 +05:30
def members_from_self_and_ancestor_group_shares
2019-12-26 22:10:19 +05:30
group_group_link_table = GroupGroupLink . arel_table
group_member_table = GroupMember . arel_table
2020-06-23 00:09:42 +05:30
source_ids =
if has_parent?
self_and_ancestors . reorder ( nil ) . select ( :id )
else
id
end
group_group_links_query = GroupGroupLink . where ( shared_group_id : source_ids )
2019-12-26 22:10:19 +05:30
cte = Gitlab :: SQL :: CTE . new ( :group_group_links_cte , group_group_links_query )
2020-03-07 23:17:34 +05:30
cte_alias = cte . table . alias ( GroupGroupLink . table_name )
2019-12-26 22:10:19 +05:30
2020-06-23 00:09:42 +05:30
# Instead of members.access_level, we need to maximize that access_level at
# the respective group_group_links.group_access.
member_columns = GroupMember . attribute_names . map do | column_name |
if column_name == 'access_level'
smallest_value_arel ( [ cte_alias [ :group_access ] , group_member_table [ :access_level ] ] ,
'access_level' )
else
group_member_table [ column_name ]
end
end
GroupMember
. with ( cte . to_arel )
. select ( * member_columns )
. from ( [ group_member_table , cte . alias_to ( group_group_link_table ) ] )
. where ( group_member_table [ :requested_at ] . eq ( nil ) )
. where ( group_member_table [ :source_id ] . eq ( group_group_link_table [ :shared_with_group_id ] ) )
. where ( group_member_table [ :source_type ] . eq ( 'Namespace' ) )
2022-05-07 20:08:51 +05:30
. where ( group_member_table [ :state ] . eq ( :: Member :: STATE_ACTIVE ) )
2020-11-24 15:15:51 +05:30
. non_minimal_access
2019-12-26 22:10:19 +05:30
end
2020-03-07 23:17:34 +05:30
def smallest_value_arel ( args , column_alias )
Arel :: Nodes :: As . new (
Arel :: Nodes :: NamedFunction . new ( 'LEAST' , args ) ,
Arel :: Nodes :: SqlLiteral . new ( column_alias ) )
end
2021-01-03 14:25:43 +05:30
def disable_shared_runners!
update! (
shared_runners_enabled : false ,
allow_descendants_override_disabled_shared_runners : false )
group_ids = descendants
unless group_ids . empty?
Group . by_id ( group_ids ) . update_all (
shared_runners_enabled : false ,
allow_descendants_override_disabled_shared_runners : false )
end
all_projects . update_all ( shared_runners_enabled : false )
end
def disable_shared_runners_and_allow_override!
# enabled -> disabled_with_override
if shared_runners_enabled?
update! (
shared_runners_enabled : false ,
allow_descendants_override_disabled_shared_runners : true )
group_ids = descendants
unless group_ids . empty?
Group . by_id ( group_ids ) . update_all ( shared_runners_enabled : false )
end
all_projects . update_all ( shared_runners_enabled : false )
# disabled_and_unoverridable -> disabled_with_override
else
update! ( allow_descendants_override_disabled_shared_runners : true )
end
end
def enable_shared_runners!
update! ( shared_runners_enabled : true )
end
2014-09-02 18:07:02 +05:30
end
2019-12-04 20:38:33 +05:30
2021-06-08 01:23:25 +05:30
Group . prepend_mod_with ( 'Group' )