debian-mirror-gitlab/app/models/project_feature.rb

# frozen_string_literal: true

class ProjectFeature < ApplicationRecord
  include Featurable

  FEATURES = %i(issues forking merge_requests wiki snippets builds repository pages metrics_dashboard analytics operations).freeze

  set_available_features(FEATURES)

  PRIVATE_FEATURES_MIN_ACCESS_LEVEL = { merge_requests: Gitlab::Access::REPORTER, metrics_dashboard: Gitlab::Access::REPORTER }.freeze
  PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT = { repository: Gitlab::Access::REPORTER }.freeze

  class << self
    def required_minimum_access_level(feature)
      feature = ensure_feature!(feature)

      PRIVATE_FEATURES_MIN_ACCESS_LEVEL.fetch(feature, Gitlab::Access::GUEST)
    end

    # Guest users can perform certain features on public and internal projects, but not private projects.
    def required_minimum_access_level_for_private_project(feature)
      feature = ensure_feature!(feature)

      PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT.fetch(feature) do
        required_minimum_access_level(feature)
      end
    end
  end

  # Default scopes force us to unscope here since a service may need to check
  # permissions for a project in pending_delete
  # http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to
  belongs_to :project, -> { unscope(where: :pending_delete) }

  validates :project, presence: true

  validate :repository_children_level
  validate :allowed_access_levels

  default_value_for :builds_access_level,            value: ENABLED, allows_nil: false
  default_value_for :issues_access_level,            value: ENABLED, allows_nil: false
  default_value_for :forking_access_level,           value: ENABLED, allows_nil: false
  default_value_for :merge_requests_access_level,    value: ENABLED, allows_nil: false
  default_value_for :snippets_access_level,          value: ENABLED, allows_nil: false
  default_value_for :wiki_access_level,              value: ENABLED, allows_nil: false
  default_value_for :repository_access_level,        value: ENABLED, allows_nil: false
  default_value_for :analytics_access_level,         value: ENABLED, allows_nil: false
  default_value_for :metrics_dashboard_access_level, value: PRIVATE, allows_nil: false
  default_value_for :operations_access_level,        value: ENABLED, allows_nil: false

  default_value_for(:pages_access_level, allows_nil: false) do |feature|
    if ::Gitlab::Pages.access_control_is_forced?
      PRIVATE
    else
      feature.project&.public? ? ENABLED : PRIVATE
    end
  end

  def public_pages?
    return true unless Gitlab.config.pages.access_control

    return false if ::Gitlab::Pages.access_control_is_forced?

    pages_access_level == PUBLIC || pages_access_level == ENABLED && project.public?
  end

  def private_pages?
    !public_pages?
  end

  private

  # Validates builds and merge requests access level
  # which cannot be higher than repository access level
  def repository_children_level
    validator = lambda do |field|
      level = public_send(field) || ENABLED # rubocop:disable GitlabSecurity/PublicSend
      not_allowed = level > repository_access_level
      self.errors.add(field, "cannot have higher visibility level than repository access level") if not_allowed
    end

    %i(merge_requests_access_level builds_access_level).each(&validator)
  end

  # Validates access level for other than pages cannot be PUBLIC
  def allowed_access_levels
    validator = lambda do |field|
      level = public_send(field) || ENABLED # rubocop:disable GitlabSecurity/PublicSend
      not_allowed = level > ENABLED
      self.errors.add(field, "cannot have public visibility level") if not_allowed
    end

    (FEATURES - %i(pages)).each {|f| validator.call("#{f}_access_level")}
  end

  def get_permission(user, feature)
    case access_level(feature)
    when DISABLED
      false
    when PRIVATE
      team_access?(user, feature)
    when ENABLED
      true
    when PUBLIC
      true
    else
      true
    end
  end

  def team_access?(user, feature)
    return unless user
    return true if user.can_read_all_resources?

    project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))
  end
end

ProjectFeature.prepend_if_ee('EE::ProjectFeature')
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`# frozen_string_literal: true`

New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`class ProjectFeature < ApplicationRecord`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`include Featurable`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`FEATURES = %i(issues forking merge_requests wiki snippets builds repository pages metrics_dashboard analytics operations).freeze`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30
			`set_available_features(FEATURES)`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`PRIVATE_FEATURES_MIN_ACCESS_LEVEL = { merge_requests: Gitlab::Access::REPORTER, metrics_dashboard: Gitlab::Access::REPORTER }.freeze`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT = { repository: Gitlab::Access::REPORTER }.freeze`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 8.13.6+dfsg1 2016-11-24 13:41:30 +05:30			`class << self`
New upstream version 11.7.5 2019-02-15 15:39:39 +05:30			`def required_minimum_access_level(feature)`
			`feature = ensure_feature!(feature)`

			`PRIVATE_FEATURES_MIN_ACCESS_LEVEL.fetch(feature, Gitlab::Access::GUEST)`
			`end`

New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`# Guest users can perform certain features on public and internal projects, but not private projects.`
			`def required_minimum_access_level_for_private_project(feature)`
			`feature = ensure_feature!(feature)`

			`PRIVATE_FEATURES_MIN_ACCESS_LEVEL_FOR_PRIVATE_PROJECT.fetch(feature) do`
			`required_minimum_access_level(feature)`
			`end`
			`end`
New upstream version 8.13.6+dfsg1 2016-11-24 13:41:30 +05:30			`end`

New upstream version 8.13.3+dfsg1 2016-11-03 12:29:30 +05:30			`# Default scopes force us to unscope here since a service may need to check`
			`# permissions for a project in pending_delete`
			`# http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to`
			`belongs_to :project, -> { unscope(where: :pending_delete) }`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`validates :project, presence: true`

New upstream version 8.13.3+dfsg1 2016-11-03 12:29:30 +05:30			`validate :repository_children_level`
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`validate :allowed_access_levels`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`default_value_for :builds_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :issues_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :forking_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :merge_requests_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :snippets_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :wiki_access_level, value: ENABLED, allows_nil: false`
			`default_value_for :repository_access_level, value: ENABLED, allows_nil: false`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`default_value_for :analytics_access_level, value: ENABLED, allows_nil: false`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`default_value_for :metrics_dashboard_access_level, value: PRIVATE, allows_nil: false`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`default_value_for :operations_access_level, value: ENABLED, allows_nil: false`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`default_value_for(:pages_access_level, allows_nil: false) do \|feature\|`
			`if ::Gitlab::Pages.access_control_is_forced?`
			`PRIVATE`
			`else`
			`feature.project&.public? ? ENABLED : PRIVATE`
			`end`
			`end`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`def public_pages?`
			`return true unless Gitlab.config.pages.access_control`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`return false if ::Gitlab::Pages.access_control_is_forced?`

New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`pages_access_level == PUBLIC \|\| pages_access_level == ENABLED && project.public?`
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`end`

New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`def private_pages?`
			`!public_pages?`
			`end`

New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`private`

New upstream version 8.13.3+dfsg1 2016-11-03 12:29:30 +05:30			`# Validates builds and merge requests access level`
			`# which cannot be higher than repository access level`
			`def repository_children_level`
			`validator = lambda do \|field\|`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`level = public_send(field) \|\| ENABLED # rubocop:disable GitlabSecurity/PublicSend`
New upstream version 8.13.3+dfsg1 2016-11-03 12:29:30 +05:30			`not_allowed = level > repository_access_level`
			`self.errors.add(field, "cannot have higher visibility level than repository access level") if not_allowed`
			`end`

			`%i(merge_requests_access_level builds_access_level).each(&validator)`
			`end`

New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`# Validates access level for other than pages cannot be PUBLIC`
			`def allowed_access_levels`
			`validator = lambda do \|field\|`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`level = public_send(field) \|\| ENABLED # rubocop:disable GitlabSecurity/PublicSend`
			`not_allowed = level > ENABLED`
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`self.errors.add(field, "cannot have public visibility level") if not_allowed`
			`end`

			`(FEATURES - %i(pages)).each {\|f\| validator.call("#{f}_access_level")}`
			`end`

New upstream version 11.8.2 2019-03-13 22:55:13 +05:30			`def get_permission(user, feature)`
			`case access_level(feature)`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`when DISABLED`
			`false`
			`when PRIVATE`
New upstream version 11.8.2 2019-03-13 22:55:13 +05:30			`team_access?(user, feature)`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`when ENABLED`
			`true`
New upstream version 11.4.9+dfsg 2018-12-05 23:21:45 +05:30			`when PUBLIC`
			`true`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`else`
			`true`
			`end`
			`end`
New upstream version 11.8.2 2019-03-13 22:55:13 +05:30
			`def team_access?(user, feature)`
			`return unless user`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30			`return true if user.can_read_all_resources?`
New upstream version 11.8.2 2019-03-13 22:55:13 +05:30
			`project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))`
			`end`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
			`ProjectFeature.prepend_if_ee('EE::ProjectFeature')`