rubygems · landongrindheim · Jul 25, 2025 · Jul 29, 2025 · Jul 29, 2025 · Jul 30, 2025
diff --git a/app/models/rubygem.rb b/app/models/rubygem.rb
@@ -186,13 +186,17 @@ def indexed_versions?
   end
 
   def owned_by?(user)
-    return false unless user
-    ownerships.exists?(user_id: user.id) || (owned_by_organization? && user_authorized_for_organization?(user))
+    owned_by_with_role?(user, :maintainer)
   end
 
   def owned_by_with_role?(user, minimum_required_role)
     return false if user.blank?
-    ownerships.user_with_minimum_role(user, minimum_required_role).exists?
+
+    if owned_by_organization?
+      organization.memberships.where(user: user).with_minimum_role(minimum_required_role).exists?
+    else
+      ownerships.user_with_minimum_role(user, minimum_required_role).exists?
+    end
   rescue KeyError
     false
   end

diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb
@@ -37,14 +37,11 @@ def current_user?(record_user)
 
   def rubygem_owned_by?(user)
     rubygem.owned_by?(user) ||
-      organization_member_with_role?(user, :maintainer) ||
       deny(t(:forbidden))
   end
 
-  def rubygem_owned_by_with_role?(user, minimum_required_role:, minimum_required_org_role: :owner)
-    organization_member_with_role?(user, minimum_required_org_role) ||
-      rubygem.owned_by_with_role?(user, minimum_required_role) ||
-      deny(t(:forbidden))
+  def rubygem_owned_by_with_role?(user, minimum_required_role:)
+    rubygem.owned_by_with_role?(user, minimum_required_role) || deny(t(:forbidden))
   end
 
   def organization_member_with_role?(user, minimum_role)

diff --git a/app/policies/oidc/rubygem_trusted_publisher_policy.rb b/app/policies/oidc/rubygem_trusted_publisher_policy.rb
@@ -5,14 +5,14 @@ class Scope < ApplicationPolicy::Scope
   delegate :rubygem, to: :record
 
   def show?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def create?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 
   def destroy?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :owner)
   end
 end
diff --git a/app/policies/rubygem_policy.rb b/app/policies/rubygem_policy.rb
@@ -13,19 +13,19 @@ def create?
   end
 
   def configure_oidc?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :admin)
   end
 
   def configure_trusted_publishers?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :admin)
   end
 
   def show_events?
     rubygem_owned_by?(user)
   end
 
   def show_unconfirmed_ownerships?
-    rubygem_owned_by_with_role?(user, minimum_required_role: :owner, minimum_required_org_role: :admin)
+    rubygem_owned_by_with_role?(user, minimum_required_role: :admin)
   end
 
   def add_owner?

diff --git a/test/policies/rubygem_policy_test.rb b/test/policies/rubygem_policy_test.rb
@@ -48,12 +48,12 @@ def org_policy!(user)
       refute_authorized policy!(nil), :configure_oidc?
     end
 
-    should "only allow owners, org owners and admins" do
+    should "only allow org owners and admins when owned by an org" do
       assert_authorized org_policy!(@org_owner), :configure_oidc?
       assert_authorized org_policy!(@org_admin), :configure_oidc?
-      assert_authorized org_policy!(@owner), :configure_oidc?
 
       refute_authorized org_policy!(@org_maintainer), :configure_oidc?
+      refute_authorized org_policy!(@owner), :configure_oidc?
       refute_authorized org_policy!(@user), :configure_oidc?
       refute_authorized org_policy!(nil), :configure_oidc?
     end
@@ -71,10 +71,11 @@ def org_policy!(user)
       assert_authorized org_policy!(@org_owner), :show_events?
       assert_authorized org_policy!(@org_admin), :show_events?
       assert_authorized org_policy!(@org_maintainer), :show_events?
-      assert_authorized org_policy!(@owner), :show_events?
-      assert_authorized org_policy!(@maintainer), :show_events?
 
+      # the gem is owned by an org, so org membership is prioritized
       refute_authorized org_policy!(@user), :show_events?
+      refute_authorized org_policy!(@owner), :show_events?
+      refute_authorized org_policy!(@maintainer), :show_events?
       refute_authorized org_policy!(nil), :show_events?
     end
   end
@@ -87,12 +88,12 @@ def org_policy!(user)
       refute_authorized policy!(nil), :configure_trusted_publishers?
     end
 
-    should "only allow owners, org owners and admins" do
+    should "only allow org owners and admins when gem is owned by an org" do
       assert_authorized org_policy!(@org_owner), :configure_trusted_publishers?
       assert_authorized org_policy!(@org_admin), :configure_trusted_publishers?
-      assert_authorized org_policy!(@owner), :configure_trusted_publishers?
 
       refute_authorized org_policy!(@org_maintainer), :configure_trusted_publishers?
+      refute_authorized org_policy!(@owner), :configure_trusted_publishers?
       refute_authorized org_policy!(@maintainer), :configure_trusted_publishers?
       refute_authorized org_policy!(@user), :configure_trusted_publishers?
       refute_authorized org_policy!(nil), :configure_trusted_publishers?
@@ -107,12 +108,12 @@ def org_policy!(user)
       refute_authorized policy!(nil), :show_unconfirmed_ownerships?
     end
 
-    should "only allow owners, org owners and admins" do
+    should "only allow org owners and admins when gem is owned by an org" do
       assert_authorized org_policy!(@org_owner), :show_unconfirmed_ownerships?
       assert_authorized org_policy!(@org_admin), :show_unconfirmed_ownerships?
-      assert_authorized org_policy!(@owner), :show_unconfirmed_ownerships?
 
       refute_authorized org_policy!(@org_maintainer), :show_unconfirmed_ownerships?
+      refute_authorized org_policy!(@owner), :show_unconfirmed_ownerships?
       refute_authorized org_policy!(@user), :show_unconfirmed_ownerships?
       refute_authorized org_policy!(nil), :show_unconfirmed_ownerships?
     end