2019-10-12 21:52:04 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
# This class relies on Common Table Expressions to efficiently get all data,
|
|
|
|
# including data for nested groups.
|
|
|
|
module Gitlab
|
|
|
|
class ProjectAuthorizations
|
|
|
|
attr_reader :user
|
|
|
|
|
|
|
|
# user - The User object for which to calculate the authorizations.
|
|
|
|
def initialize(user)
|
|
|
|
@user = user
|
|
|
|
end
|
|
|
|
|
|
|
|
def calculate
|
2023-07-09 08:55:56 +05:30
|
|
|
cte = if Feature.enabled?(:linear_project_authorization, user)
|
|
|
|
linear_cte
|
|
|
|
else
|
|
|
|
recursive_cte
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
cte_alias = cte.table.alias(Group.table_name)
|
|
|
|
projects = Project.arel_table
|
|
|
|
links = ProjectGroupLink.arel_table
|
|
|
|
|
|
|
|
relations = [
|
|
|
|
# The project a user has direct access to.
|
2022-04-04 11:22:00 +05:30
|
|
|
user.projects_with_active_memberships.select_for_project_authorization,
|
2019-10-12 21:52:04 +05:30
|
|
|
|
|
|
|
# The personal projects of the user.
|
2022-05-07 20:08:51 +05:30
|
|
|
user.personal_projects.select_project_owner_for_project_authorization,
|
2019-10-12 21:52:04 +05:30
|
|
|
|
|
|
|
# Projects that belong directly to any of the groups the user has
|
|
|
|
# access to.
|
|
|
|
Namespace
|
|
|
|
.unscoped
|
|
|
|
.select([alias_as_column(projects[:id], 'project_id'),
|
|
|
|
cte_alias[:access_level]])
|
|
|
|
.from(cte_alias)
|
|
|
|
.joins(:projects),
|
|
|
|
|
|
|
|
# Projects shared with any of the namespaces the user has access to.
|
|
|
|
Namespace
|
|
|
|
.unscoped
|
|
|
|
.select([
|
2022-11-25 23:54:43 +05:30
|
|
|
links[:project_id],
|
|
|
|
least(cte_alias[:access_level], links[:group_access], 'access_level')
|
|
|
|
])
|
2019-10-12 21:52:04 +05:30
|
|
|
.from(cte_alias)
|
|
|
|
.joins('INNER JOIN project_group_links ON project_group_links.group_id = namespaces.id')
|
|
|
|
.joins('INNER JOIN projects ON projects.id = project_group_links.project_id')
|
|
|
|
.joins('INNER JOIN namespaces p_ns ON p_ns.id = projects.namespace_id')
|
|
|
|
.where('p_ns.share_with_group_lock IS FALSE')
|
|
|
|
]
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
if Feature.enabled?(:linear_project_authorization, user)
|
|
|
|
ProjectAuthorization
|
|
|
|
.unscoped
|
|
|
|
.with(cte.to_arel)
|
|
|
|
.select_from_union(relations)
|
|
|
|
else
|
|
|
|
ProjectAuthorization
|
|
|
|
.unscoped
|
|
|
|
.with
|
|
|
|
.recursive(cte.to_arel)
|
|
|
|
.select_from_union(relations)
|
|
|
|
end
|
2019-10-12 21:52:04 +05:30
|
|
|
end
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
# Builds a recursive CTE that gets all the groups the current user has
|
2019-12-26 22:10:19 +05:30
|
|
|
# access to, including any nested groups and any shared groups.
|
2019-10-12 21:52:04 +05:30
|
|
|
def recursive_cte
|
|
|
|
cte = Gitlab::SQL::RecursiveCTE.new(:namespaces_cte)
|
|
|
|
members = Member.arel_table
|
|
|
|
namespaces = Namespace.arel_table
|
2020-03-07 23:17:34 +05:30
|
|
|
group_group_links = GroupGroupLink.arel_table
|
2019-10-12 21:52:04 +05:30
|
|
|
|
|
|
|
# Namespaces the user is a member of.
|
2022-04-04 11:22:00 +05:30
|
|
|
cte << user.groups_with_active_memberships
|
2019-10-12 21:52:04 +05:30
|
|
|
.select([namespaces[:id], members[:access_level]])
|
|
|
|
.except(:order)
|
|
|
|
|
2020-03-07 23:17:34 +05:30
|
|
|
# Namespaces shared with any of the group
|
|
|
|
cte << Group.select([namespaces[:id],
|
|
|
|
least(members[:access_level],
|
|
|
|
group_group_links[:group_access],
|
|
|
|
'access_level')])
|
2020-02-15 18:32:13 +05:30
|
|
|
.joins(join_group_group_links)
|
|
|
|
.joins(join_members_on_group_group_links)
|
2019-12-26 22:10:19 +05:30
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
# Sub groups of any groups the user is a member of.
|
|
|
|
cte << Group.select([
|
2022-11-25 23:54:43 +05:30
|
|
|
namespaces[:id],
|
|
|
|
greatest(members[:access_level], cte.table[:access_level], 'access_level')
|
|
|
|
])
|
2019-10-12 21:52:04 +05:30
|
|
|
.joins(join_cte(cte))
|
2019-12-26 22:10:19 +05:30
|
|
|
.joins(join_members_on_namespaces)
|
2019-10-12 21:52:04 +05:30
|
|
|
.except(:order)
|
|
|
|
|
|
|
|
cte
|
|
|
|
end
|
|
|
|
|
2023-07-09 08:55:56 +05:30
|
|
|
def linear_cte
|
|
|
|
# Groups shared with user and their parent groups
|
|
|
|
shared_groups = Group
|
|
|
|
.select("namespaces.id, MAX(LEAST(members.access_level, group_group_links.group_access)) as access_level")
|
|
|
|
.joins("INNER JOIN group_group_links ON group_group_links.shared_group_id = namespaces.id
|
|
|
|
OR namespaces.traversal_ids @> ARRAY[group_group_links.shared_group_id::int]")
|
|
|
|
.joins("INNER JOIN members ON group_group_links.shared_with_group_id = members.source_id")
|
|
|
|
.merge(user.group_members)
|
|
|
|
.merge(GroupMember.active_state)
|
|
|
|
.group("namespaces.id")
|
|
|
|
|
|
|
|
# Groups the user is a member of and their parent groups.
|
|
|
|
lateral_query = Group.as_ids.where("namespaces.traversal_ids @> ARRAY [members.source_id]")
|
|
|
|
member_groups_with_ancestors = GroupMember.select("namespaces.id, MAX(members.access_level) as access_level")
|
|
|
|
.joins("CROSS JOIN LATERAL (#{lateral_query.to_sql}) as namespaces")
|
|
|
|
.group("namespaces.id")
|
|
|
|
.merge(user.group_members)
|
|
|
|
.merge(GroupMember.active_state)
|
|
|
|
|
|
|
|
union = Namespace.from_union([shared_groups, member_groups_with_ancestors])
|
|
|
|
|
|
|
|
Gitlab::SQL::CTE.new(:linear_namespaces_cte, union)
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
# Builds a LEFT JOIN to join optional memberships onto the CTE.
|
2019-12-26 22:10:19 +05:30
|
|
|
def join_members_on_namespaces
|
2019-10-12 21:52:04 +05:30
|
|
|
members = Member.arel_table
|
|
|
|
namespaces = Namespace.arel_table
|
|
|
|
|
|
|
|
cond = members[:source_id]
|
|
|
|
.eq(namespaces[:id])
|
|
|
|
.and(members[:source_type].eq('Namespace'))
|
|
|
|
.and(members[:requested_at].eq(nil))
|
|
|
|
.and(members[:user_id].eq(user.id))
|
2022-04-04 11:22:00 +05:30
|
|
|
.and(members[:state].eq(::Member::STATE_ACTIVE))
|
2020-11-24 15:15:51 +05:30
|
|
|
.and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
|
2019-10-12 21:52:04 +05:30
|
|
|
|
|
|
|
Arel::Nodes::OuterJoin.new(members, Arel::Nodes::On.new(cond))
|
|
|
|
end
|
|
|
|
|
2019-12-26 22:10:19 +05:30
|
|
|
def join_group_group_links
|
|
|
|
group_group_links = GroupGroupLink.arel_table
|
|
|
|
namespaces = Namespace.arel_table
|
|
|
|
|
|
|
|
cond = group_group_links[:shared_group_id].eq(namespaces[:id])
|
|
|
|
Arel::Nodes::InnerJoin.new(group_group_links, Arel::Nodes::On.new(cond))
|
|
|
|
end
|
|
|
|
|
|
|
|
def join_members_on_group_group_links
|
|
|
|
group_group_links = GroupGroupLink.arel_table
|
|
|
|
members = Member.arel_table
|
|
|
|
|
|
|
|
cond = group_group_links[:shared_with_group_id].eq(members[:source_id])
|
2020-02-15 18:32:13 +05:30
|
|
|
.and(members[:source_type].eq('Namespace'))
|
|
|
|
.and(members[:requested_at].eq(nil))
|
2019-12-26 22:10:19 +05:30
|
|
|
.and(members[:user_id].eq(user.id))
|
2022-04-04 11:22:00 +05:30
|
|
|
.and(members[:state].eq(::Member::STATE_ACTIVE))
|
2020-11-24 15:15:51 +05:30
|
|
|
.and(members[:access_level].gt(Gitlab::Access::MINIMAL_ACCESS))
|
2019-12-26 22:10:19 +05:30
|
|
|
Arel::Nodes::InnerJoin.new(members, Arel::Nodes::On.new(cond))
|
|
|
|
end
|
|
|
|
|
2019-10-12 21:52:04 +05:30
|
|
|
# Builds an INNER JOIN to join namespaces onto the CTE.
|
|
|
|
def join_cte(cte)
|
|
|
|
namespaces = Namespace.arel_table
|
|
|
|
cond = cte.table[:id].eq(namespaces[:parent_id])
|
|
|
|
|
|
|
|
Arel::Nodes::InnerJoin.new(cte.table, Arel::Nodes::On.new(cond))
|
|
|
|
end
|
|
|
|
|
|
|
|
def greatest(left, right, column_alias)
|
|
|
|
sql_function('GREATEST', [left, right], column_alias)
|
|
|
|
end
|
|
|
|
|
|
|
|
def least(left, right, column_alias)
|
|
|
|
sql_function('LEAST', [left, right], column_alias)
|
|
|
|
end
|
|
|
|
|
|
|
|
def sql_function(name, args, column_alias)
|
|
|
|
alias_as_column(Arel::Nodes::NamedFunction.new(name, args), column_alias)
|
|
|
|
end
|
|
|
|
|
|
|
|
def alias_as_column(value, alias_to)
|
|
|
|
Arel::Nodes::As.new(value, Arel::Nodes::SqlLiteral.new(alias_to))
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|