debian-mirror-gitlab/app/policies/group_policy.rb

132 lines
3.9 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2016-09-29 09:46:39 +05:30
class GroupPolicy < BasePolicy
2017-09-10 17:25:29 +05:30
desc "Group is public"
with_options scope: :subject, score: 0
condition(:public_group) { @subject.public? }
with_score 0
condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }
condition(:has_access) { access_level != GroupMember::NO_ACCESS }
2016-09-29 09:46:39 +05:30
2017-09-10 17:25:29 +05:30
condition(:guest) { access_level >= GroupMember::GUEST }
2018-03-17 18:26:18 +05:30
condition(:developer) { access_level >= GroupMember::DEVELOPER }
2017-09-10 17:25:29 +05:30
condition(:owner) { access_level >= GroupMember::OWNER }
2018-11-18 11:00:15 +05:30
condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
2017-09-10 17:25:29 +05:30
condition(:reporter) { access_level >= GroupMember::REPORTER }
2016-09-29 09:46:39 +05:30
2019-02-15 15:39:39 +05:30
condition(:nested_groups_supported, scope: :global) { Group.supports_nested_objects? }
2018-03-17 18:26:18 +05:30
condition(:has_parent, scope: :subject) { @subject.has_parent? }
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
2017-09-10 17:25:29 +05:30
condition(:has_projects) do
2019-03-13 22:55:13 +05:30
GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true, only_owned: true }).execute.any?
2016-09-29 09:46:39 +05:30
end
2017-09-10 17:25:29 +05:30
with_options scope: :subject, score: 0
condition(:request_access_enabled) { @subject.request_access_enabled }
2019-07-07 11:18:12 +05:30
condition(:create_projects_disabled) do
@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
end
condition(:developer_maintainer_access) do
@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
end
2018-03-17 18:26:18 +05:30
rule { public_group }.policy do
enable :read_group
enable :read_list
enable :read_label
end
2017-09-10 17:25:29 +05:30
rule { logged_in_viewable }.enable :read_group
2018-03-17 18:26:18 +05:30
rule { guest }.policy do
enable :read_group
2019-02-15 15:39:39 +05:30
enable :read_list
2018-03-17 18:26:18 +05:30
enable :upload_file
enable :read_label
end
2019-02-15 15:39:39 +05:30
rule { admin }.enable :read_group
2018-05-09 12:01:36 +05:30
rule { has_projects }.policy do
2019-03-13 22:55:13 +05:30
enable :read_list
2018-05-09 12:01:36 +05:30
enable :read_label
2019-03-13 22:55:13 +05:30
enable :read_group
2018-05-09 12:01:36 +05:30
end
2017-09-10 17:25:29 +05:30
2018-03-17 18:26:18 +05:30
rule { has_access }.enable :read_namespace
2018-11-20 20:47:30 +05:30
rule { developer }.enable :admin_milestone
2018-03-27 19:54:05 +05:30
rule { reporter }.policy do
enable :admin_label
enable :admin_list
enable :admin_issue
end
2017-09-10 17:25:29 +05:30
2018-11-18 11:00:15 +05:30
rule { maintainer }.policy do
2017-09-10 17:25:29 +05:30
enable :create_projects
enable :admin_pipeline
enable :admin_build
2019-02-15 15:39:39 +05:30
enable :read_cluster
enable :add_cluster
enable :create_cluster
enable :update_cluster
enable :admin_cluster
2017-09-10 17:25:29 +05:30
end
rule { owner }.policy do
enable :admin_group
enable :admin_namespace
enable :admin_group_member
enable :change_visibility_level
2018-11-20 20:47:30 +05:30
enable :set_note_created_at
2017-09-10 17:25:29 +05:30
end
2018-11-08 19:23:39 +05:30
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
enable :read_group_boards
enable :read_group_labels
enable :read_group_milestones
enable :read_group_merge_requests
end
rule { can?(:read_cross_project) & can?(:read_group) }.policy do
enable :read_nested_project_resources
end
2018-03-17 18:26:18 +05:30
rule { owner & nested_groups_supported }.enable :create_subgroup
2017-09-10 17:25:29 +05:30
rule { public_group | logged_in_viewable }.enable :view_globally
rule { default }.enable(:request_access)
rule { ~request_access_enabled }.prevent :request_access
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
2018-03-17 18:26:18 +05:30
rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
2019-07-07 11:18:12 +05:30
rule { developer & developer_maintainer_access }.enable :create_projects
rule { create_projects_disabled }.prevent :create_projects
2017-09-10 17:25:29 +05:30
def access_level
return GroupMember::NO_ACCESS if @user.nil?
2019-07-31 22:56:46 +05:30
@access_level ||= lookup_access_level!
end
def lookup_access_level!
@subject.max_member_access_for_user(@user)
2017-09-10 17:25:29 +05:30
end
2016-09-29 09:46:39 +05:30
end