1# frozen_string_literal: true 2 3require 'carrierwave/orm/activerecord' 4 5class Group < Namespace 6 include Gitlab::ConfigHelper 7 include AfterCommitQueue 8 include AccessRequestable 9 include Avatarable 10 include Referable 11 include SelectForProjectAuthorization 12 include LoadedInGroupList 13 include GroupDescendant 14 include TokenAuthenticatable 15 include WithUploads 16 include Gitlab::Utils::StrongMemoize 17 include GroupAPICompatibility 18 include EachBatch 19 include BulkMemberAccessLoad 20 21 def self.sti_name 22 'Group' 23 end 24 25 has_many :all_group_members, -> { where(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent 26 has_many :group_members, -> { where(requested_at: nil).where.not(members: { access_level: Gitlab::Access::MINIMAL_ACCESS }) }, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent 27 alias_method :members, :group_members 28 29 has_many :users, through: :group_members 30 has_many :owners, 31 -> { where(members: { access_level: Gitlab::Access::OWNER }) }, 32 through: :group_members, 33 source: :user 34 35 has_many :requesters, -> { where.not(requested_at: nil) }, dependent: :destroy, as: :source, class_name: 'GroupMember' # rubocop:disable Cop/ActiveRecordDependent 36 has_many :members_and_requesters, as: :source, class_name: 'GroupMember' 37 38 has_many :milestones 39 has_many :integrations 40 has_many :shared_group_links, foreign_key: :shared_with_group_id, class_name: 'GroupGroupLink' 41 has_many :shared_with_group_links, foreign_key: :shared_group_id, class_name: 'GroupGroupLink' 42 has_many :shared_groups, through: :shared_group_links, source: :shared_group 43 has_many :shared_with_groups, through: :shared_with_group_links, source: :shared_with_group 44 has_many :project_group_links, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent 45 has_many :shared_projects, through: :project_group_links, source: :project 46 47 # Overridden on another method 48 # Left here just to be dependent: :destroy 49 has_many :notification_settings, dependent: :destroy, as: :source # rubocop:disable Cop/ActiveRecordDependent 50 51 has_many :labels, class_name: 'GroupLabel' 52 has_many :variables, class_name: 'Ci::GroupVariable' 53 has_many :daily_build_group_report_results, class_name: 'Ci::DailyBuildGroupReportResult' 54 has_many :custom_attributes, class_name: 'GroupCustomAttribute' 55 56 has_many :boards 57 has_many :badges, class_name: 'GroupBadge' 58 59 has_many :organizations, class_name: 'CustomerRelations::Organization', inverse_of: :group 60 has_many :contacts, class_name: 'CustomerRelations::Contact', inverse_of: :group 61 62 has_many :cluster_groups, class_name: 'Clusters::Group' 63 has_many :clusters, through: :cluster_groups, class_name: 'Clusters::Cluster' 64 65 has_many :container_repositories, through: :projects 66 67 has_many :todos 68 69 has_one :import_export_upload 70 71 has_many :import_failures, inverse_of: :group 72 73 has_one :import_state, class_name: 'GroupImportState', inverse_of: :group 74 75 has_many :bulk_import_exports, class_name: 'BulkImports::Export', inverse_of: :group 76 77 has_many :group_deploy_keys_groups, inverse_of: :group 78 has_many :group_deploy_keys, through: :group_deploy_keys_groups 79 has_many :group_deploy_tokens 80 has_many :deploy_tokens, through: :group_deploy_tokens 81 has_many :oauth_applications, class_name: 'Doorkeeper::Application', as: :owner, dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent 82 83 has_one :dependency_proxy_setting, class_name: 'DependencyProxy::GroupSetting' 84 has_one :dependency_proxy_image_ttl_policy, class_name: 'DependencyProxy::ImageTtlGroupPolicy' 85 has_many :dependency_proxy_blobs, class_name: 'DependencyProxy::Blob' 86 has_many :dependency_proxy_manifests, class_name: 'DependencyProxy::Manifest' 87 88 # debian_distributions and associated component_files must be destroyed by ruby code in order to properly remove carrierwave uploads 89 has_many :debian_distributions, class_name: 'Packages::Debian::GroupDistribution', dependent: :destroy # rubocop:disable Cop/ActiveRecordDependent 90 91 has_many :group_callouts, class_name: 'Users::GroupCallout', foreign_key: :group_id 92 93 delegate :prevent_sharing_groups_outside_hierarchy, :new_user_signups_cap, :setup_for_company, :jobs_to_be_done, to: :namespace_settings 94 95 accepts_nested_attributes_for :variables, allow_destroy: true 96 97 validate :visibility_level_allowed_by_projects 98 validate :visibility_level_allowed_by_sub_groups 99 validate :visibility_level_allowed_by_parent 100 validate :two_factor_authentication_allowed 101 validates :variables, nested_attributes_duplicates: { scope: :environment_scope } 102 103 validates :two_factor_grace_period, presence: true, numericality: { greater_than_or_equal_to: 0 } 104 105 validates :name, 106 html_safety: true, 107 format: { with: Gitlab::Regex.group_name_regex, 108 message: Gitlab::Regex.group_name_regex_message }, 109 if: :name_changed? 110 111 add_authentication_token_field :runners_token, encrypted: -> { Feature.enabled?(:groups_tokens_optional_encryption, default_enabled: true) ? :optional : :required } 112 113 after_create :post_create_hook 114 after_destroy :post_destroy_hook 115 after_save :update_two_factor_requirement 116 after_update :path_changed_hook, if: :saved_change_to_path? 117 118 scope :with_users, -> { includes(:users) } 119 120 scope :with_onboarding_progress, -> { joins(:onboarding_progress) } 121 122 scope :by_id, ->(groups) { where(id: groups) } 123 124 scope :for_authorized_group_members, -> (user_ids) do 125 joins(:group_members) 126 .where(members: { user_id: user_ids }) 127 .where("access_level >= ?", Gitlab::Access::GUEST) 128 end 129 130 scope :for_authorized_project_members, -> (user_ids) do 131 joins(projects: :project_authorizations) 132 .where(project_authorizations: { user_id: user_ids }) 133 end 134 135 class << self 136 def sort_by_attribute(method) 137 if method == 'storage_size_desc' 138 # storage_size is a virtual column so we need to 139 # pass a string to avoid AR adding the table name 140 reorder('storage_size DESC, namespaces.id DESC') 141 else 142 order_by(method) 143 end 144 end 145 146 def reference_prefix 147 User.reference_prefix 148 end 149 150 def reference_pattern 151 User.reference_pattern 152 end 153 154 # WARNING: This method should never be used on its own 155 # please do make sure the number of rows you are filtering is small 156 # enough for this query 157 def public_or_visible_to_user(user) 158 return public_to_user unless user 159 160 public_for_user = public_to_user_arel(user) 161 visible_for_user = visible_to_user_arel(user) 162 public_or_visible = public_for_user.or(visible_for_user) 163 164 where(public_or_visible) 165 end 166 167 def select_for_project_authorization 168 if current_scope.joins_values.include?(:shared_projects) 169 joins('INNER JOIN namespaces project_namespace ON project_namespace.id = projects.namespace_id') 170 .where(project_namespace: { share_with_group_lock: false }) 171 .select("projects.id AS project_id", "LEAST(project_group_links.group_access, members.access_level) AS access_level") 172 else 173 super 174 end 175 end 176 177 def without_integration(integration) 178 integrations = Integration 179 .select('1') 180 .where("#{Integration.table_name}.group_id = namespaces.id") 181 .where(type: integration.type) 182 183 where('NOT EXISTS (?)', integrations) 184 end 185 186 # This method can be used only if all groups have the same top-level 187 # group 188 def preset_root_ancestor_for(groups) 189 return groups if groups.size < 2 190 191 root = groups.first.root_ancestor 192 groups.drop(1).each { |group| group.root_ancestor = root } 193 end 194 195 # Returns the ids of the passed group models where the `emails_disabled` 196 # column is set to true anywhere in the ancestor hierarchy. 197 def ids_with_disabled_email(groups) 198 inner_groups = Group.where('id = namespaces_with_emails_disabled.id') 199 200 inner_query = inner_groups 201 .self_and_ancestors 202 .where(emails_disabled: true) 203 .select('1') 204 .limit(1) 205 206 group_ids = Namespace 207 .from('(SELECT * FROM namespaces) as namespaces_with_emails_disabled') 208 .where(namespaces_with_emails_disabled: { id: groups }) 209 .where('EXISTS (?)', inner_query) 210 .pluck(:id) 211 212 Set.new(group_ids) 213 end 214 215 private 216 217 def public_to_user_arel(user) 218 self.arel_table[:visibility_level] 219 .in(Gitlab::VisibilityLevel.levels_for_user(user)) 220 end 221 222 def visible_to_user_arel(user) 223 groups_table = self.arel_table 224 authorized_groups = user.authorized_groups.arel.as('authorized') 225 226 groups_table.project(1) 227 .from(authorized_groups) 228 .where(authorized_groups[:id].eq(groups_table[:id])) 229 .exists 230 end 231 end 232 233 # Overrides notification_settings has_many association 234 # This allows to apply notification settings from parent groups 235 # to child groups and projects. 236 def notification_settings(hierarchy_order: nil) 237 source_type = self.class.base_class.name 238 settings = NotificationSetting.where(source_type: source_type, source_id: self_and_ancestors_ids) 239 240 return settings unless hierarchy_order && self_and_ancestors_ids.length > 1 241 242 settings 243 .joins("LEFT JOIN (#{self_and_ancestors(hierarchy_order: hierarchy_order).to_sql}) AS ordered_groups ON notification_settings.source_id = ordered_groups.id") 244 .select('notification_settings.*, ordered_groups.depth AS depth') 245 .order("ordered_groups.depth #{hierarchy_order}") 246 end 247 248 def notification_settings_for(user, hierarchy_order: nil) 249 notification_settings(hierarchy_order: hierarchy_order).where(user: user) 250 end 251 252 def packages_feature_enabled? 253 ::Gitlab.config.packages.enabled 254 end 255 256 def dependency_proxy_feature_available? 257 ::Gitlab.config.dependency_proxy.enabled 258 end 259 260 def notification_email_for(user) 261 # Finds the closest notification_setting with a `notification_email` 262 notification_settings = notification_settings_for(user, hierarchy_order: :asc) 263 notification_settings.find { |n| n.notification_email.present? }&.notification_email 264 end 265 266 def to_reference(_from = nil, target_project: nil, full: nil) 267 "#{self.class.reference_prefix}#{full_path}" 268 end 269 270 def web_url(only_path: nil) 271 Gitlab::UrlBuilder.build(self, only_path: only_path) 272 end 273 274 def dependency_proxy_image_prefix 275 # The namespace path can include uppercase letters, which 276 # Docker doesn't allow. The proxy expects it to be downcased. 277 url = "#{Gitlab::Routing.url_helpers.group_url(self).downcase}#{DependencyProxy::URL_SUFFIX}" 278 279 # Docker images do not include the protocol 280 url.partition('//').last 281 end 282 283 def human_name 284 full_name 285 end 286 287 def visibility_level_allowed_by_parent?(level = self.visibility_level) 288 return true unless parent_id && parent_id.nonzero? 289 290 level <= parent.visibility_level 291 end 292 293 def visibility_level_allowed_by_projects?(level = self.visibility_level) 294 !projects.where('visibility_level > ?', level).exists? 295 end 296 297 def visibility_level_allowed_by_sub_groups?(level = self.visibility_level) 298 !children.where('visibility_level > ?', level).exists? 299 end 300 301 def visibility_level_allowed?(level = self.visibility_level) 302 visibility_level_allowed_by_parent?(level) && 303 visibility_level_allowed_by_projects?(level) && 304 visibility_level_allowed_by_sub_groups?(level) 305 end 306 307 def lfs_enabled? 308 return false unless Gitlab.config.lfs.enabled 309 return Gitlab.config.lfs.enabled if self[:lfs_enabled].nil? 310 311 self[:lfs_enabled] 312 end 313 314 def owned_by?(user) 315 owners.include?(user) 316 end 317 318 def add_users(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil) 319 Members::Groups::BulkCreatorService.add_users( # rubocop:disable CodeReuse/ServiceClass 320 self, 321 users, 322 access_level, 323 current_user: current_user, 324 expires_at: expires_at, 325 tasks_to_be_done: tasks_to_be_done, 326 tasks_project_id: tasks_project_id 327 ) 328 end 329 330 def add_user(user, access_level, current_user: nil, expires_at: nil, ldap: false) 331 Members::Groups::CreatorService.new(self, # rubocop:disable CodeReuse/ServiceClass 332 user, 333 access_level, 334 current_user: current_user, 335 expires_at: expires_at, 336 ldap: ldap) 337 .execute 338 end 339 340 def add_guest(user, current_user = nil) 341 add_user(user, :guest, current_user: current_user) 342 end 343 344 def add_reporter(user, current_user = nil) 345 add_user(user, :reporter, current_user: current_user) 346 end 347 348 def add_developer(user, current_user = nil) 349 add_user(user, :developer, current_user: current_user) 350 end 351 352 def add_maintainer(user, current_user = nil) 353 add_user(user, :maintainer, current_user: current_user) 354 end 355 356 def add_owner(user, current_user = nil) 357 add_user(user, :owner, current_user: current_user) 358 end 359 360 def member?(user, min_access_level = Gitlab::Access::GUEST) 361 return false unless user 362 363 max_member_access_for_user(user) >= min_access_level 364 end 365 366 def has_owner?(user) 367 return false unless user 368 369 members_with_parents.owners.exists?(user_id: user) 370 end 371 372 def blocked_owners 373 members.blocked.where(access_level: Gitlab::Access::OWNER) 374 end 375 376 def has_maintainer?(user) 377 return false unless user 378 379 members_with_parents.maintainers.exists?(user_id: user) 380 end 381 382 def has_container_repository_including_subgroups? 383 ::ContainerRepository.for_group_and_its_subgroups(self).exists? 384 end 385 386 # Check if user is a last owner of the group. 387 def last_owner?(user) 388 has_owner?(user) && single_owner? 389 end 390 391 def member_last_owner?(member) 392 return member.last_owner unless member.last_owner.nil? 393 394 last_owner?(member.user) 395 end 396 397 def single_owner? 398 members_with_parents.owners.size == 1 399 end 400 401 def single_blocked_owner? 402 blocked_owners.size == 1 403 end 404 405 def member_last_blocked_owner?(member) 406 return member.last_blocked_owner unless member.last_blocked_owner.nil? 407 408 return false if members_with_parents.owners.any? 409 410 single_blocked_owner? && blocked_owners.exists?(user_id: member.user) 411 end 412 413 def ldap_synced? 414 false 415 end 416 417 def post_create_hook 418 Gitlab::AppLogger.info("Group \"#{name}\" was created") 419 420 system_hook_service.execute_hooks_for(self, :create) 421 end 422 423 def post_destroy_hook 424 Gitlab::AppLogger.info("Group \"#{name}\" was removed") 425 426 system_hook_service.execute_hooks_for(self, :destroy) 427 end 428 429 # rubocop: disable CodeReuse/ServiceClass 430 def system_hook_service 431 SystemHooksService.new 432 end 433 # rubocop: enable CodeReuse/ServiceClass 434 435 # rubocop: disable CodeReuse/ServiceClass 436 def refresh_members_authorized_projects( 437 blocking: true, 438 priority: UserProjectAccessChangedService::HIGH_PRIORITY, 439 direct_members_only: false 440 ) 441 442 user_ids = if direct_members_only 443 users_ids_of_direct_members 444 else 445 user_ids_for_project_authorizations 446 end 447 448 UserProjectAccessChangedService 449 .new(user_ids) 450 .execute(blocking: blocking, priority: priority) 451 end 452 # rubocop: enable CodeReuse/ServiceClass 453 454 def users_ids_of_direct_members 455 direct_members.pluck(:user_id) 456 end 457 458 def user_ids_for_project_authorizations 459 members_with_parents.pluck(Arel.sql('DISTINCT members.user_id')) 460 end 461 462 def self_and_ancestors_ids 463 strong_memoize(:self_and_ancestors_ids) do 464 self_and_ancestors.pluck(:id) 465 end 466 end 467 468 def self_and_descendants_ids 469 strong_memoize(:self_and_descendants_ids) do 470 self_and_descendants.pluck(:id) 471 end 472 end 473 474 def direct_members 475 GroupMember.active_without_invites_and_requests 476 .non_minimal_access 477 .where(source_id: id) 478 end 479 480 def authorizable_members_with_parents 481 source_ids = 482 if has_parent? 483 self_and_ancestors.reorder(nil).select(:id) 484 else 485 id 486 end 487 488 group_hierarchy_members = GroupMember.where(source_id: source_ids).select(*GroupMember.cached_column_list) 489 490 GroupMember.from_union([group_hierarchy_members, 491 members_from_self_and_ancestor_group_shares]).authorizable 492 end 493 494 def members_with_parents 495 # Avoids an unnecessary SELECT when the group has no parents 496 source_ids = 497 if has_parent? 498 self_and_ancestors.reorder(nil).select(:id) 499 else 500 id 501 end 502 503 group_hierarchy_members = GroupMember.active_without_invites_and_requests 504 .non_minimal_access 505 .where(source_id: source_ids) 506 .select(*GroupMember.cached_column_list) 507 508 GroupMember.from_union([group_hierarchy_members, 509 members_from_self_and_ancestor_group_shares]) 510 end 511 512 def members_from_self_and_ancestors_with_effective_access_level 513 members_with_parents.select([:user_id, 'MAX(access_level) AS access_level']) 514 .group(:user_id) 515 end 516 517 def members_with_descendants 518 GroupMember 519 .active_without_invites_and_requests 520 .where(source_id: self_and_descendants.reorder(nil).select(:id)) 521 end 522 523 # Returns all members that are part of the group, it's subgroups, and ancestor groups 524 def direct_and_indirect_members 525 GroupMember 526 .active_without_invites_and_requests 527 .where(source_id: self_and_hierarchy.reorder(nil).select(:id)) 528 end 529 530 def direct_and_indirect_members_with_inactive 531 GroupMember 532 .non_request 533 .non_invite 534 .where(source_id: self_and_hierarchy.reorder(nil).select(:id)) 535 end 536 537 def users_with_parents 538 User 539 .where(id: members_with_parents.select(:user_id)) 540 .reorder(nil) 541 end 542 543 def users_with_descendants 544 User 545 .where(id: members_with_descendants.select(:user_id)) 546 .reorder(nil) 547 end 548 549 # Returns all users that are members of the group because: 550 # 1. They belong to the group 551 # 2. They belong to a project that belongs to the group 552 # 3. They belong to a sub-group or project in such sub-group 553 # 4. They belong to an ancestor group 554 def direct_and_indirect_users 555 User.from_union([ 556 User 557 .where(id: direct_and_indirect_members.select(:user_id)) 558 .reorder(nil), 559 project_users_with_descendants 560 ]) 561 end 562 563 # Returns all users (also inactive) that are members of the group because: 564 # 1. They belong to the group 565 # 2. They belong to a project that belongs to the group 566 # 3. They belong to a sub-group or project in such sub-group 567 # 4. They belong to an ancestor group 568 def direct_and_indirect_users_with_inactive 569 User.from_union([ 570 User 571 .where(id: direct_and_indirect_members_with_inactive.select(:user_id)) 572 .reorder(nil), 573 project_users_with_descendants 574 ]) 575 end 576 577 def users_count 578 members.count 579 end 580 581 # Returns all users that are members of projects 582 # belonging to the current group or sub-groups 583 def project_users_with_descendants 584 User 585 .joins(projects: :group) 586 .where(namespaces: { id: self_and_descendants.select(:id) }) 587 end 588 589 # Return the highest access level for a user 590 # 591 # A special case is handled here when the user is a GitLab admin 592 # which implies it has "OWNER" access everywhere, but should not 593 # officially appear as a member of a group unless specifically added to it 594 # 595 # @param user [User] 596 # @param only_concrete_membership [Bool] whether require admin concrete membership status 597 def max_member_access_for_user(user, only_concrete_membership: false) 598 return GroupMember::NO_ACCESS unless user 599 return GroupMember::OWNER if user.can_admin_all_resources? && !only_concrete_membership 600 601 max_member_access([user.id])[user.id] 602 end 603 604 def mattermost_team_params 605 max_length = 59 606 607 { 608 name: path[0..max_length], 609 display_name: name[0..max_length], 610 type: public? ? 'O' : 'I' # Open vs Invite-only 611 } 612 end 613 614 def ci_variables_for(ref, project, environment: nil) 615 cache_key = "ci_variables_for:group:#{self&.id}:project:#{project&.id}:ref:#{ref}:environment:#{environment}" 616 617 ::Gitlab::SafeRequestStore.fetch(cache_key) do 618 uncached_ci_variables_for(ref, project, environment: environment) 619 end 620 end 621 622 def group_member(user) 623 if group_members.loaded? 624 group_members.find { |gm| gm.user_id == user.id } 625 else 626 group_members.find_by(user_id: user) 627 end 628 end 629 630 def highest_group_member(user) 631 GroupMember.where(source_id: self_and_ancestors_ids, user_id: user.id).order(:access_level).last 632 end 633 634 def related_group_ids 635 [id, 636 *ancestors.pluck(:id), 637 *shared_with_group_links.pluck(:shared_with_group_id)] 638 end 639 640 def hashed_storage?(_feature) 641 false 642 end 643 644 def refresh_project_authorizations 645 refresh_members_authorized_projects(blocking: false) 646 end 647 648 # each existing group needs to have a `runners_token`. 649 # we do this on read since migrating all existing groups is not a feasible 650 # solution. 651 def runners_token 652 ensure_runners_token! 653 end 654 655 def project_creation_level 656 super || ::Gitlab::CurrentSettings.default_project_creation 657 end 658 659 def subgroup_creation_level 660 super || ::Gitlab::Access::OWNER_SUBGROUP_ACCESS 661 end 662 663 def access_request_approvers_to_be_notified 664 members.owners.connected_to_user.order_recent_sign_in.limit(Member::ACCESS_REQUEST_APPROVERS_TO_BE_NOTIFIED_LIMIT) 665 end 666 667 def membership_locked? 668 false # to support project and group calling this as 'source' 669 end 670 671 def supports_events? 672 false 673 end 674 675 def export_file_exists? 676 import_export_upload&.export_file_exists? 677 end 678 679 def export_file 680 import_export_upload&.export_file 681 end 682 683 def export_archive_exists? 684 import_export_upload&.export_archive_exists? 685 end 686 687 def adjourned_deletion? 688 false 689 end 690 691 def execute_hooks(data, hooks_scope) 692 # NOOP 693 # TODO: group hooks https://gitlab.com/gitlab-org/gitlab/-/issues/216904 694 end 695 696 def execute_integrations(data, hooks_scope) 697 # NOOP 698 # TODO: group hooks https://gitlab.com/gitlab-org/gitlab/-/issues/216904 699 end 700 701 def preload_shared_group_links 702 preloader = ActiveRecord::Associations::Preloader.new 703 preloader.preload(self, shared_with_group_links: [shared_with_group: :route]) 704 end 705 706 def update_shared_runners_setting!(state) 707 raise ArgumentError unless SHARED_RUNNERS_SETTINGS.include?(state) 708 709 case state 710 when SR_DISABLED_AND_UNOVERRIDABLE then disable_shared_runners! # also disallows override 711 when SR_DISABLED_WITH_OVERRIDE then disable_shared_runners_and_allow_override! 712 when SR_ENABLED then enable_shared_runners! # set both to true 713 end 714 end 715 716 def default_owner 717 owners.first || parent&.default_owner || owner 718 end 719 720 def default_branch_name 721 namespace_settings&.default_branch_name 722 end 723 724 def access_level_roles 725 GroupMember.access_level_roles 726 end 727 728 def access_level_values 729 access_level_roles.values 730 end 731 732 def parent_allows_two_factor_authentication? 733 return true unless has_parent? 734 735 ancestor_settings = ancestors.find_by(parent_id: nil).namespace_settings 736 ancestor_settings.allow_mfa_for_subgroups 737 end 738 739 def has_project_with_service_desk_enabled? 740 Gitlab::ServiceDesk.supported? && all_projects.service_desk_enabled.exists? 741 end 742 743 def activity_path 744 Gitlab::Routing.url_helpers.activity_group_path(self) 745 end 746 747 # rubocop: disable CodeReuse/ServiceClass 748 def open_issues_count(current_user = nil) 749 Groups::OpenIssuesCountService.new(self, current_user).count 750 end 751 # rubocop: enable CodeReuse/ServiceClass 752 753 # rubocop: disable CodeReuse/ServiceClass 754 def open_merge_requests_count(current_user = nil) 755 Groups::MergeRequestsCountService.new(self, current_user).count 756 end 757 # rubocop: enable CodeReuse/ServiceClass 758 759 def timelogs 760 Timelog.in_group(self) 761 end 762 763 def dependency_proxy_image_ttl_policy 764 super || build_dependency_proxy_image_ttl_policy 765 end 766 767 private 768 769 def max_member_access(user_ids) 770 max_member_access_for_resource_ids(User, user_ids) do |user_ids| 771 members_with_parents.where(user_id: user_ids).group(:user_id).maximum(:access_level) 772 end 773 end 774 775 def update_two_factor_requirement 776 return unless saved_change_to_require_two_factor_authentication? || saved_change_to_two_factor_grace_period? 777 778 direct_and_indirect_members.find_each(&:update_two_factor_requirement) 779 end 780 781 def path_changed_hook 782 system_hook_service.execute_hooks_for(self, :rename) 783 end 784 785 def visibility_level_allowed_by_parent 786 return if visibility_level_allowed_by_parent? 787 788 errors.add(:visibility_level, "#{visibility} is not allowed since the parent group has a #{parent.visibility} visibility.") 789 end 790 791 def visibility_level_allowed_by_projects 792 return if visibility_level_allowed_by_projects? 793 794 errors.add(:visibility_level, "#{visibility} is not allowed since this group contains projects with higher visibility.") 795 end 796 797 def visibility_level_allowed_by_sub_groups 798 return if visibility_level_allowed_by_sub_groups? 799 800 errors.add(:visibility_level, "#{visibility} is not allowed since there are sub-groups with higher visibility.") 801 end 802 803 def two_factor_authentication_allowed 804 return unless has_parent? 805 return unless require_two_factor_authentication 806 807 return if parent_allows_two_factor_authentication? 808 809 errors.add(:require_two_factor_authentication, _('is forbidden by a top-level group')) 810 end 811 812 def members_from_self_and_ancestor_group_shares 813 group_group_link_table = GroupGroupLink.arel_table 814 group_member_table = GroupMember.arel_table 815 816 source_ids = 817 if has_parent? 818 self_and_ancestors.reorder(nil).select(:id) 819 else 820 id 821 end 822 823 group_group_links_query = GroupGroupLink.where(shared_group_id: source_ids) 824 cte = Gitlab::SQL::CTE.new(:group_group_links_cte, group_group_links_query) 825 cte_alias = cte.table.alias(GroupGroupLink.table_name) 826 827 # Instead of members.access_level, we need to maximize that access_level at 828 # the respective group_group_links.group_access. 829 member_columns = GroupMember.attribute_names.map do |column_name| 830 if column_name == 'access_level' 831 smallest_value_arel([cte_alias[:group_access], group_member_table[:access_level]], 832 'access_level') 833 else 834 group_member_table[column_name] 835 end 836 end 837 838 GroupMember 839 .with(cte.to_arel) 840 .select(*member_columns) 841 .from([group_member_table, cte.alias_to(group_group_link_table)]) 842 .where(group_member_table[:requested_at].eq(nil)) 843 .where(group_member_table[:source_id].eq(group_group_link_table[:shared_with_group_id])) 844 .where(group_member_table[:source_type].eq('Namespace')) 845 .non_minimal_access 846 end 847 848 def smallest_value_arel(args, column_alias) 849 Arel::Nodes::As.new( 850 Arel::Nodes::NamedFunction.new('LEAST', args), 851 Arel::Nodes::SqlLiteral.new(column_alias)) 852 end 853 854 def self.groups_including_descendants_by(group_ids) 855 Group.where(id: group_ids).self_and_descendants 856 end 857 858 def disable_shared_runners! 859 update!( 860 shared_runners_enabled: false, 861 allow_descendants_override_disabled_shared_runners: false) 862 863 group_ids = descendants 864 unless group_ids.empty? 865 Group.by_id(group_ids).update_all( 866 shared_runners_enabled: false, 867 allow_descendants_override_disabled_shared_runners: false) 868 end 869 870 all_projects.update_all(shared_runners_enabled: false) 871 end 872 873 def disable_shared_runners_and_allow_override! 874 # enabled -> disabled_with_override 875 if shared_runners_enabled? 876 update!( 877 shared_runners_enabled: false, 878 allow_descendants_override_disabled_shared_runners: true) 879 880 group_ids = descendants 881 unless group_ids.empty? 882 Group.by_id(group_ids).update_all(shared_runners_enabled: false) 883 end 884 885 all_projects.update_all(shared_runners_enabled: false) 886 887 # disabled_and_unoverridable -> disabled_with_override 888 else 889 update!(allow_descendants_override_disabled_shared_runners: true) 890 end 891 end 892 893 def enable_shared_runners! 894 update!(shared_runners_enabled: true) 895 end 896 897 def uncached_ci_variables_for(ref, project, environment: nil) 898 list_of_ids = if root_ancestor.use_traversal_ids? 899 [self] + ancestors(hierarchy_order: :asc) 900 else 901 [self] + ancestors 902 end 903 904 variables = Ci::GroupVariable.where(group: list_of_ids) 905 variables = variables.unprotected unless project.protected_for?(ref) 906 907 variables = if environment 908 variables.on_environment(environment) 909 else 910 variables.where(environment_scope: '*') 911 end 912 913 variables = variables.group_by(&:group_id) 914 list_of_ids.reverse.flat_map { |group| variables[group.id] }.compact 915 end 916end 917 918Group.prepend_mod_with('Group') 919