2018-11-18 11:00:15 +05:30
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
require_dependency 'declarative_policy'
|
|
|
|
|
|
2014-09-02 18:07:02 +05:30
|
|
|
class Ability
|
|
|
|
|
class << self
|
2016-06-16 23:09:34 +05:30
|
|
|
# Given a list of users and a project this method returns the users that can
|
|
|
|
|
# read the given project.
|
|
|
|
|
def users_that_can_read_project(users, project)
|
2017-09-10 17:25:29 +05:30
|
|
|
DeclarativePolicy.subject_scope do
|
|
|
|
|
users.select { |u| allowed?(u, :read_project, project) }
|
2016-06-16 23:09:34 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2018-10-15 14:42:47 +05:30
|
|
|
# Given a list of users and a group this method returns the users that can
|
|
|
|
|
# read the given group.
|
|
|
|
|
def users_that_can_read_group(users, group)
|
|
|
|
|
DeclarativePolicy.subject_scope do
|
|
|
|
|
users.select { |u| allowed?(u, :read_group, group) }
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2017-08-17 22:00:37 +05:30
|
|
|
# Given a list of users and a snippet this method returns the users that can
|
|
|
|
|
# read the given snippet.
|
|
|
|
|
def users_that_can_read_personal_snippet(users, snippet)
|
2017-09-10 17:25:29 +05:30
|
|
|
DeclarativePolicy.subject_scope do
|
2020-03-13 15:44:24 +05:30
|
|
|
users.select { |u| allowed?(u, :read_snippet, snippet) }
|
2017-08-17 22:00:37 +05:30
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2016-09-13 17:45:13 +05:30
|
|
|
# Returns an Array of Issues that can be read by the given user.
|
|
|
|
|
#
|
|
|
|
|
# issues - The issues to reduce down to those readable by the user.
|
|
|
|
|
# user - The User for which to check the issues
|
2018-03-27 19:54:05 +05:30
|
|
|
# filters - A hash of abilities and filters to apply if the user lacks this
|
|
|
|
|
# ability
|
|
|
|
|
def issues_readable_by_user(issues, user = nil, filters: {})
|
|
|
|
|
issues = apply_filters_if_needed(issues, user, filters)
|
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
DeclarativePolicy.user_scope do
|
|
|
|
|
issues.select { |issue| issue.visible_to_user?(user) }
|
|
|
|
|
end
|
2016-09-13 17:45:13 +05:30
|
|
|
end
|
|
|
|
|
|
2018-03-27 19:54:05 +05:30
|
|
|
# Returns an Array of MergeRequests that can be read by the given user.
|
|
|
|
|
#
|
2020-04-08 14:13:33 +05:30
|
|
|
# merge_requests - MRs out of which to collect MRs readable by the user.
|
2018-03-27 19:54:05 +05:30
|
|
|
# user - The User for which to check the merge_requests
|
|
|
|
|
# filters - A hash of abilities and filters to apply if the user lacks this
|
|
|
|
|
# ability
|
|
|
|
|
def merge_requests_readable_by_user(merge_requests, user = nil, filters: {})
|
|
|
|
|
merge_requests = apply_filters_if_needed(merge_requests, user, filters)
|
|
|
|
|
|
|
|
|
|
DeclarativePolicy.user_scope do
|
|
|
|
|
merge_requests.select { |mr| allowed?(user, :read_merge_request, mr) }
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
def allowed?(user, action, subject = :global, opts = {})
|
|
|
|
|
if subject.is_a?(Hash)
|
|
|
|
|
opts, subject = subject, :global
|
|
|
|
|
end
|
2015-11-26 14:37:03 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
policy = policy_for(user, subject)
|
2016-08-24 12:49:21 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
case opts[:scope]
|
|
|
|
|
when :user
|
|
|
|
|
DeclarativePolicy.user_scope { policy.can?(action) }
|
|
|
|
|
when :subject
|
|
|
|
|
DeclarativePolicy.subject_scope { policy.can?(action) }
|
|
|
|
|
else
|
|
|
|
|
policy.can?(action)
|
|
|
|
|
end
|
2015-04-26 12:48:37 +05:30
|
|
|
end
|
2015-09-11 14:41:01 +05:30
|
|
|
|
2017-09-10 17:25:29 +05:30
|
|
|
def policy_for(user, subject = :global)
|
2018-12-05 23:21:45 +05:30
|
|
|
cache = Gitlab::SafeRequestStore.active? ? Gitlab::SafeRequestStore : {}
|
2017-09-10 17:25:29 +05:30
|
|
|
DeclarativePolicy.policy_for(user, subject, cache: cache)
|
2016-08-24 12:49:21 +05:30
|
|
|
end
|
2018-03-27 19:54:05 +05:30
|
|
|
|
|
|
|
|
private
|
|
|
|
|
|
|
|
|
|
def apply_filters_if_needed(elements, user, filters)
|
|
|
|
|
filters.each do |ability, filter|
|
|
|
|
|
elements = filter.call(elements) unless allowed?(user, ability)
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
elements
|
|
|
|
|
end
|
2014-09-02 18:07:02 +05:30
|
|
|
end
|
|
|
|
|
end
|
