debian-mirror-gitlab/app/policies/global_policy.rb

# frozen_string_literal: true

class GlobalPolicy < BasePolicy
  desc "User is an internal user"
  with_options scope: :user, score: 0
  condition(:internal) { @user&.internal? }

  desc "User's access has been locked"
  with_options scope: :user, score: 0
  condition(:access_locked) { @user&.access_locked? }

  condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }

  condition(:required_terms_not_accepted, scope: :user, score: 0) do
    @user&.required_terms_not_accepted?
  end

  condition(:project_bot, scope: :user) { @user&.project_bot? }
  condition(:migration_bot, scope: :user) { @user&.migration_bot? }

  rule { anonymous }.policy do
    prevent :log_in
    prevent :receive_notifications
    prevent :use_quick_actions
    prevent :create_group
  end

  rule { default }.policy do
    enable :log_in
    enable :access_api
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
    enable :use_slash_commands
  end

  rule { inactive }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :use_slash_commands
  end

  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { blocked | (internal & ~migration_bot) }.policy do
    prevent :access_git
  end

  rule { project_bot }.policy do
    prevent :log_in
    prevent :receive_notifications
  end

  rule { deactivated }.policy do
    prevent :access_git
    prevent :access_api
    prevent :receive_notifications
    prevent :use_slash_commands
  end

  rule { required_terms_not_accepted }.policy do
    prevent :access_api
    prevent :access_git
  end

  rule { can_create_group }.policy do
    enable :create_group
  end

  rule { can?(:create_group) }.policy do
    enable :create_group_with_default_branch_protection
  end

  rule { can_create_fork }.policy do
    enable :create_fork
  end

  rule { access_locked }.policy do
    prevent :log_in
    prevent :use_slash_commands
  end

  rule { ~(anonymous & restricted_public_level) }.policy do
    enable :read_users_list
  end

  rule { ~anonymous }.policy do
    enable :read_instance_metadata
    enable :create_snippet
  end

  rule { admin }.policy do
    enable :read_custom_attribute
    enable :update_custom_attribute
    enable :approve_user
  end

  # We can't use `read_statistics` because the user may have different permissions for different projects
  rule { admin }.enable :use_project_statistics_filters

  rule { external_user }.prevent :create_snippet
end

GlobalPolicy.prepend_if_ee('EE::GlobalPolicy')
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`# frozen_string_literal: true`

New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`class GlobalPolicy < BasePolicy`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`desc "User is an internal user"`
			`with_options scope: :user, score: 0`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`condition(:internal) { @user&.internal? }`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
			`desc "User's access has been locked"`
			`with_options scope: :user, score: 0`
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`condition(:access_locked) { @user&.access_locked? }`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30
New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`condition(:can_create_fork, scope: :user) { @user && @user.manageable_namespaces.any? { \|namespace\| @user.can?(:create_projects, namespace) } }`

			`condition(:required_terms_not_accepted, scope: :user, score: 0) do`
			`@user&.required_terms_not_accepted?`
			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`condition(:project_bot, scope: :user) { @user&.project_bot? }`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`condition(:migration_bot, scope: :user) { @user&.migration_bot? }`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rule { anonymous }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`prevent :use_quick_actions`
			`prevent :create_group`
			`end`

			`rule { default }.policy do`
			`enable :log_in`
			`enable :access_api`
			`enable :access_git`
			`enable :receive_notifications`
			`enable :use_quick_actions`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`enable :use_slash_commands`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`end`

New upstream version 12.6.6 2020-02-01 01:16:34 +05:30			`rule { inactive }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :use_slash_commands`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rule { blocked \| internal }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :receive_notifications`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`prevent :use_slash_commands`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`end`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rule { blocked \| (internal & ~migration_bot) }.policy do`
			`prevent :access_git`
			`end`

New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`rule { project_bot }.policy do`
			`prevent :log_in`
			`prevent :receive_notifications`
			`end`

New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`rule { deactivated }.policy do`
			`prevent :access_git`
			`prevent :access_api`
			`prevent :receive_notifications`
			`prevent :use_slash_commands`
			`end`

New upstream version 10.8.7+dfsg 2018-10-15 14:42:47 +05:30			`rule { required_terms_not_accepted }.policy do`
			`prevent :access_api`
			`prevent :access_git`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rule { can_create_group }.policy do`
			`enable :create_group`
			`end`

New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`rule { can?(:create_group) }.policy do`
			`enable :create_group_with_default_branch_protection`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`rule { can_create_fork }.policy do`
			`enable :create_fork`
			`end`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`rule { access_locked }.policy do`
			`prevent :log_in`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30			`prevent :use_slash_commands`
New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`end`

			`rule { ~(anonymous & restricted_public_level) }.policy do`
			`enable :read_users_list`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`rule { ~anonymous }.policy do`
			`enable :read_instance_metadata`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`enable :create_snippet`
New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`rule { admin }.policy do`
			`enable :read_custom_attribute`
			`enable :update_custom_attribute`
New upstream version 13.5.5 2021-01-03 14:25:43 +05:30			`enable :approve_user`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`end`
New upstream version 12.6.1 2020-01-01 13:55:28 +05:30
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			# We can't use `read_statistics` because the user may have different permissions for different projects
			`rule { admin }.enable :use_project_statistics_filters`

New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`rule { external_user }.prevent :create_snippet`
New upstream version 8.12.1+dfsg1 2016-09-29 09:46:39 +05:30			`end`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30
			`GlobalPolicy.prepend_if_ee('EE::GlobalPolicy')`