Fix group authorization when searching epics

Follow-up of !93601. The MR from above did include only project direct memberships, we also need projects visible to user to be considered. Changelog: other EE: true

Fix group authorization when searching epics
7614aea2 · Felipe · fa682861 · 7614aea2 · 7614aea2
Commit 7614aea2 authored 2 years ago by Felipe
--- a/ee/app/models/ee/group.rb
+++ b/ee/app/models/ee/group.rb
@@ -289,8 +289,8 @@ def hierarchy_group_ids_authorized_by_share(user, groups_hierarchy, access_level

      def hierarchy_groups_authorized_by_project_membership(user, hierarchy_parent)
        group_ids_that_has_projects =
-          user.projects.for_group_and_its_subgroups(hierarchy_parent)
-            .select(:namespace_id)
+          ::Project.for_group_and_its_subgroups(hierarchy_parent)
+            .public_or_visible_to_user(user).select(:namespace_id)

        where(id: group_ids_that_has_projects).select('unnest(traversal_ids)')
      end

--- a/ee/spec/models/ee/group_spec.rb
+++ b/ee/spec/models/ee/group_spec.rb
@@ -325,6 +325,8 @@
        end

        context 'when same_root is false' do
+          let(:params) { { same_root: false } }
+
          it 'does not use filter optimization' do
            expect(Group).not_to receive(:filter_groups_user_can)

@@ -401,6 +403,18 @@
          let(:expected_groups) { [public_group, internal_subgroup, private_subgroup_with_project] }
        end
      end
+
+      context 'when user is member of a child group that has a project' do
+        let_it_be(:project) { create(:project, group: private_subgroup_2) }
+
+        before do
+          private_subgroup_2.add_guest(user)
+        end
+
+        it_behaves_like 'a filter for permissioned groups' do
+          let(:expected_groups) { [public_group, internal_subgroup, private_subgroup_1, private_subgroup_2] }
+        end
+      end
    end

    context 'for :read_confidential_epic permission' do