debian-mirror-gitlab/app/policies/note_policy.rb

# frozen_string_literal: true

class NotePolicy < BasePolicy
  include Gitlab::Utils::StrongMemoize

  delegate { @subject.resource_parent }
  delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }

  condition(:is_author) { @user && @subject.author == @user }
  condition(:is_noteable_author) { @user && @subject.noteable.try(:author_id) == @user.id }

  condition(:editable, scope: :subject) { @subject.editable? }

  condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
  condition(:commit_is_deleted) { @subject.for_commit? && @subject.noteable.blank? }

  condition(:for_design) { @subject.for_design? }

  condition(:is_visible) { @subject.system_note_visible_for?(@user) }

  condition(:confidential, scope: :subject) { @subject.confidential? }

  condition(:can_read_confidential) do
    access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
  end

  rule { ~editable }.prevent :admin_note

  # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
  rule { ~can_read_noteable }.policy do
    prevent :admin_note
    prevent :resolve_note
    prevent :reposition_note
    prevent :award_emoji
  end

  # Special rule for deleted commits
  rule { ~(can_read_noteable | commit_is_deleted) }.policy do
    prevent :read_note
  end

  rule { is_author }.policy do
    enable :read_note
    enable :admin_note
    enable :resolve_note
  end

  rule { ~is_visible }.policy do
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
    prevent :reposition_note
    prevent :award_emoji
  end

  rule { is_noteable_author }.policy do
    enable :resolve_note
  end

  rule { can_read_confidential }.policy do
    enable :mark_note_as_confidential
  end

  rule { confidential & ~can_read_confidential }.policy do
    prevent :read_note
    prevent :admin_note
    prevent :resolve_note
    prevent :reposition_note
    prevent :award_emoji
  end

  rule { can?(:admin_note) | (for_design & can?(:create_note)) }.policy do
    enable :reposition_note
  end

  def parent_namespace
    strong_memoize(:parent_namespace) do
      next if @subject.is_a?(PersonalSnippet)
      next @subject.noteable.group if @subject.noteable.is_a?(Epic)

      @subject.project
    end
  end

  def access_level
    return -1 if @user.nil?
    return -1 unless parent_namespace

    lookup_access_level!
  end

  def lookup_access_level!
    return ::Gitlab::Access::REPORTER if alert_bot?

    if parent_namespace.is_a?(Project)
      parent_namespace.team.max_member_access(@user.id)
    else
      parent_namespace.max_member_access_for_user(@user)
    end
  end
end
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`# frozen_string_literal: true`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`class NotePolicy < BasePolicy`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`include Gitlab::Utils::StrongMemoize`

			`delegate { @subject.resource_parent }`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`condition(:is_author) { @user && @subject.author == @user }`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`condition(:is_noteable_author) { @user && @subject.noteable.try(:author_id) == @user.id }`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`condition(:editable, scope: :subject) { @subject.editable? }`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 12.2.9 2019-10-31 01:37:42 +05:30			`condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`condition(:commit_is_deleted) { @subject.for_commit? && @subject.noteable.blank? }`

New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`condition(:for_design) { @subject.for_design? }`

New upstream version 14.8.5+ds1 2022-04-04 11:22:00 +05:30			`condition(:is_visible) { @subject.system_note_visible_for?(@user) }`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30
			`condition(:confidential, scope: :subject) { @subject.confidential? }`
New upstream version 11.3.11+dfsg 2018-11-29 20:51:05 +05:30
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`condition(:can_read_confidential) do`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`access_level >= Gitlab::Access::REPORTER \|\| @subject.noteable_assignee_or_author?(@user) \|\| admin?`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`end`
New upstream version 12.1.12 2019-09-30 23:59:55 +05:30
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`rule { ~editable }.prevent :admin_note`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
New upstream version 11.3.11+dfsg 2018-11-29 20:51:05 +05:30			`# If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes`
			`rule { ~can_read_noteable }.policy do`
			`prevent :admin_note`
			`prevent :resolve_note`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`prevent :reposition_note`
New upstream version 11.5.10+dfsg 2019-02-02 18:00:53 +05:30			`prevent :award_emoji`
New upstream version 11.3.11+dfsg 2018-11-29 20:51:05 +05:30			`end`

New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`# Special rule for deleted commits`
			`rule { ~(can_read_noteable \| commit_is_deleted) }.policy do`
			`prevent :read_note`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rule { is_author }.policy do`
			`enable :read_note`
			`enable :admin_note`
			`enable :resolve_note`
			`end`

New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`rule { ~is_visible }.policy do`
			`prevent :read_note`
			`prevent :admin_note`
			`prevent :resolve_note`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`prevent :reposition_note`
New upstream version 12.1.12 2019-09-30 23:59:55 +05:30			`prevent :award_emoji`
			`end`

New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`rule { is_noteable_author }.policy do`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`enable :resolve_note`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30
New upstream version 13.10.3+ds1 2021-04-17 20:07:23 +05:30			`rule { can_read_confidential }.policy do`
			`enable :mark_note_as_confidential`
			`end`

New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`rule { confidential & ~can_read_confidential }.policy do`
			`prevent :read_note`
			`prevent :admin_note`
			`prevent :resolve_note`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`prevent :reposition_note`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`prevent :award_emoji`
			`end`

New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`rule { can?(:admin_note) \| (for_design & can?(:create_note)) }.policy do`
			`enable :reposition_note`
			`end`

New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`def parent_namespace`
			`strong_memoize(:parent_namespace) do`
			`next if @subject.is_a?(PersonalSnippet)`
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			`next @subject.noteable.group if @subject.noteable.is_a?(Epic)`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30
			`@subject.project`
			`end`
			`end`

			`def access_level`
			`return -1 if @user.nil?`
			`return -1 unless parent_namespace`

			`lookup_access_level!`
			`end`

			`def lookup_access_level!`
			`return ::Gitlab::Access::REPORTER if alert_bot?`

			`if parent_namespace.is_a?(Project)`
			`parent_namespace.team.max_member_access(@user.id)`
			`else`
			`parent_namespace.max_member_access_for_user(@user)`
			`end`
			`end`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`