Prevent different OU types to be added to each other

2026-06-14 03:30:14 +00:00 · 2026-04-16 18:20:54 +02:00
parent 710eac52ba
commit 35f2942e26
3 changed files with 40 additions and 0 deletions
@@ -41,6 +41,7 @@ class Group < Principal
  end

  validate :no_circular_parent, if: -> { parent_id.present? }
+  validate :no_organizational_unit_mismatch, if: -> { parent_id.present? }

  # Register a partial to be rendered on the synchronized groups tab of the groups admin page
  #
@@ -170,4 +171,13 @@ class Group < Principal
      errors.add(:parent_id, :circular_dependency)
    end
  end
+
+  def no_organizational_unit_mismatch
+    parent = self.class.find_by(id: parent_id)
+    return unless parent
+
+    if organizational_unit? != parent.organizational_unit?
+      errors.add(:parent_id, :organizational_unit_mismatch)
+    end
+  end
 end
@@ -2107,6 +2107,7 @@ en:
          attributes:
            parent_id:
              circular_dependency: "would create a circular group hierarchy."
+              organizational_unit_mismatch: "must have the same organizational unit setting as the group."
        ldap_auth_source:
          attributes:
            tls_certificate_string:
@@ -363,6 +363,35 @@ RSpec.describe Group do
        expect(child).to be_valid
      end
    end
+
+    describe "organizational unit mismatch prevention" do
+      let(:department) { create(:department) }
+      let(:regular_group) { create(:group) }
+
+      it "is invalid when assigning organizational unit as parent to regular group" do
+        regular_group.parent_id = department.id
+        expect(regular_group).not_to be_valid
+        expect(regular_group.errors[:parent_id]).to be_present
+      end
+
+      it "is invalid when assigning regular group as parent to organizational unit" do
+        department.parent_id = regular_group.id
+        expect(department).not_to be_valid
+        expect(department.errors[:parent_id]).to be_present
+      end
+
+      it "is valid when both are organizational units" do
+        child_department = create(:department)
+        child_department.parent_id = department.id
+        expect(child_department).to be_valid
+      end
+
+      it "is valid when both are regular groups" do
+        child_group = create(:group)
+        child_group.parent_id = regular_group.id
+        expect(child_group).to be_valid
+      end
+    end
  end

  it_behaves_like "creates an audit trail on destroy" do