debian-mirror-gitlab/app/models/ability.rb

333 lines
7.9 KiB
Ruby
Raw Normal View History

2014-09-02 18:07:02 +05:30
class Ability
class << self
def allowed(user, subject)
return not_auth_abilities(user, subject) if user.nil?
return [] unless user.kind_of?(User)
return [] if user.blocked?
case subject.class.name
when "Project" then project_abilities(user, subject)
when "Issue" then issue_abilities(user, subject)
when "Note" then note_abilities(user, subject)
when "ProjectSnippet" then project_snippet_abilities(user, subject)
when "PersonalSnippet" then personal_snippet_abilities(user, subject)
when "MergeRequest" then merge_request_abilities(user, subject)
when "Group" then group_abilities(user, subject)
when "Namespace" then namespace_abilities(user, subject)
2015-04-26 12:48:37 +05:30
when "GroupMember" then group_member_abilities(user, subject)
2014-09-02 18:07:02 +05:30
else []
end.concat(global_abilities(user))
end
# List of possible abilities
# for non-authenticated user
def not_auth_abilities(user, subject)
project = if subject.kind_of?(Project)
subject
elsif subject.respond_to?(:project)
subject.project
else
nil
end
if project && project.public?
2015-09-11 14:41:01 +05:30
rules = [
2014-09-02 18:07:02 +05:30
:read_project,
:read_wiki,
:read_issue,
2015-09-11 14:41:01 +05:30
:read_label,
2014-09-02 18:07:02 +05:30
:read_milestone,
:read_project_snippet,
2015-04-26 12:48:37 +05:30
:read_project_member,
2014-09-02 18:07:02 +05:30
:read_merge_request,
:read_note,
:download_code
]
2015-09-11 14:41:01 +05:30
rules - project_disabled_features_rules(project)
2014-09-02 18:07:02 +05:30
else
group = if subject.kind_of?(Group)
subject
elsif subject.respond_to?(:group)
subject.group
else
nil
end
if group && group.public_profile?
[:read_group]
else
[]
end
end
end
def global_abilities(user)
rules = []
rules << :create_group if user.can_create_group
rules
end
def project_abilities(user, project)
rules = []
key = "/user/#{user.id}/project/#{project.id}"
2015-09-11 14:41:01 +05:30
2014-09-02 18:07:02 +05:30
RequestStore.store[key] ||= begin
team = project.team
# Rules based on role in project
if team.master?(user)
2015-04-26 12:48:37 +05:30
rules.push(*project_master_rules)
2014-09-02 18:07:02 +05:30
elsif team.developer?(user)
2015-04-26 12:48:37 +05:30
rules.push(*project_dev_rules)
2014-09-02 18:07:02 +05:30
elsif team.reporter?(user)
2015-04-26 12:48:37 +05:30
rules.push(*project_report_rules)
2014-09-02 18:07:02 +05:30
elsif team.guest?(user)
2015-04-26 12:48:37 +05:30
rules.push(*project_guest_rules)
2014-09-02 18:07:02 +05:30
end
if project.public? || project.internal?
2015-04-26 12:48:37 +05:30
rules.push(*public_project_rules)
2014-09-02 18:07:02 +05:30
end
if project.owner == user || user.admin?
2015-04-26 12:48:37 +05:30
rules.push(*project_admin_rules)
2014-09-02 18:07:02 +05:30
end
if project.group && project.group.has_owner?(user)
2015-04-26 12:48:37 +05:30
rules.push(*project_admin_rules)
2014-09-02 18:07:02 +05:30
end
if project.archived?
rules -= project_archived_rules
end
2015-09-11 14:41:01 +05:30
rules - project_disabled_features_rules(project)
2014-09-02 18:07:02 +05:30
end
end
def public_project_rules
project_guest_rules + [
:download_code,
:fork_project
]
end
def project_guest_rules
[
:read_project,
:read_wiki,
:read_issue,
2015-09-11 14:41:01 +05:30
:read_label,
2014-09-02 18:07:02 +05:30
:read_milestone,
:read_project_snippet,
2015-04-26 12:48:37 +05:30
:read_project_member,
2014-09-02 18:07:02 +05:30
:read_merge_request,
:read_note,
2015-09-11 14:41:01 +05:30
:create_project,
:create_issue,
:create_note
2014-09-02 18:07:02 +05:30
]
end
def project_report_rules
project_guest_rules + [
:download_code,
:fork_project,
2015-09-11 14:41:01 +05:30
:create_project_snippet,
:update_issue,
:admin_issue,
:admin_label
2014-09-02 18:07:02 +05:30
]
end
def project_dev_rules
project_report_rules + [
2015-09-11 14:41:01 +05:30
:admin_merge_request,
:create_merge_request,
:create_wiki,
2014-09-02 18:07:02 +05:30
:push_code
]
end
def project_archived_rules
[
2015-09-11 14:41:01 +05:30
:create_merge_request,
2014-09-02 18:07:02 +05:30
:push_code,
:push_code_to_protected_branches,
2015-09-11 14:41:01 +05:30
:update_merge_request,
2014-09-02 18:07:02 +05:30
:admin_merge_request
]
end
def project_master_rules
project_dev_rules + [
:push_code_to_protected_branches,
2015-09-11 14:41:01 +05:30
:update_project_snippet,
:update_merge_request,
2014-09-02 18:07:02 +05:30
:admin_milestone,
:admin_project_snippet,
2015-04-26 12:48:37 +05:30
:admin_project_member,
2014-09-02 18:07:02 +05:30
:admin_merge_request,
:admin_note,
:admin_wiki,
:admin_project
]
end
def project_admin_rules
project_master_rules + [
:change_namespace,
:change_visibility_level,
:rename_project,
:remove_project,
:archive_project
]
end
2015-09-11 14:41:01 +05:30
def project_disabled_features_rules(project)
rules = []
unless project.issues_enabled
rules += named_abilities('issue')
end
unless project.merge_requests_enabled
rules += named_abilities('merge_request')
end
unless project.issues_enabled or project.merge_requests_enabled
rules += named_abilities('label')
rules += named_abilities('milestone')
end
unless project.snippets_enabled
rules += named_abilities('project_snippet')
end
unless project.wiki_enabled
rules += named_abilities('wiki')
end
rules
end
2015-04-26 12:48:37 +05:30
def group_abilities(user, group)
2014-09-02 18:07:02 +05:30
rules = []
if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
rules << :read_group
end
# Only group masters and group owners can create new projects in group
if group.has_master?(user) || group.has_owner?(user) || user.admin?
2015-04-26 12:48:37 +05:30
rules.push(*[
2014-09-02 18:07:02 +05:30
:create_projects,
2015-04-26 12:48:37 +05:30
])
2014-09-02 18:07:02 +05:30
end
2015-04-26 12:48:37 +05:30
# Only group owner and administrators can admin group
2014-09-02 18:07:02 +05:30
if group.has_owner?(user) || user.admin?
2015-04-26 12:48:37 +05:30
rules.push(*[
:admin_group,
2015-09-11 14:41:01 +05:30
:admin_namespace,
:admin_group_member
2015-04-26 12:48:37 +05:30
])
2014-09-02 18:07:02 +05:30
end
rules.flatten
end
2015-04-26 12:48:37 +05:30
def namespace_abilities(user, namespace)
2014-09-02 18:07:02 +05:30
rules = []
2015-04-26 12:48:37 +05:30
# Only namespace owner and administrators can admin it
2014-09-02 18:07:02 +05:30
if namespace.owner == user || user.admin?
2015-04-26 12:48:37 +05:30
rules.push(*[
2014-09-02 18:07:02 +05:30
:create_projects,
2015-04-26 12:48:37 +05:30
:admin_namespace
])
2014-09-02 18:07:02 +05:30
end
rules.flatten
end
2015-09-11 14:41:01 +05:30
[:issue, :merge_request].each do |name|
2014-09-02 18:07:02 +05:30
define_method "#{name}_abilities" do |user, subject|
2015-09-11 14:41:01 +05:30
rules = []
if subject.author == user || (subject.respond_to?(:assignee) && subject.assignee == user)
rules += [
2014-09-02 18:07:02 +05:30
:"read_#{name}",
2015-09-11 14:41:01 +05:30
:"update_#{name}",
2014-09-02 18:07:02 +05:30
]
2015-09-11 14:41:01 +05:30
end
rules += project_abilities(user, subject.project)
rules
end
end
[:note, :project_snippet, :personal_snippet].each do |name|
define_method "#{name}_abilities" do |user, subject|
rules = []
if subject.author == user
rules += [
2014-09-02 18:07:02 +05:30
:"read_#{name}",
2015-09-11 14:41:01 +05:30
:"update_#{name}",
:"admin_#{name}"
2014-09-02 18:07:02 +05:30
]
end
2015-09-11 14:41:01 +05:30
if subject.respond_to?(:project) && subject.project
rules += project_abilities(user, subject.project)
end
rules
2014-09-02 18:07:02 +05:30
end
end
2015-04-26 12:48:37 +05:30
def group_member_abilities(user, subject)
2014-09-02 18:07:02 +05:30
rules = []
target_user = subject.user
group = subject.group
2015-09-11 14:41:01 +05:30
can_manage = group_abilities(user, group).include?(:admin_group_member)
2014-09-02 18:07:02 +05:30
if can_manage && (user != target_user)
2015-09-11 14:41:01 +05:30
rules << :update_group_member
2015-04-26 12:48:37 +05:30
rules << :destroy_group_member
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
2014-09-02 18:07:02 +05:30
if !group.last_owner?(user) && (can_manage || (user == target_user))
2015-04-26 12:48:37 +05:30
rules << :destroy_group_member
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
2014-09-02 18:07:02 +05:30
rules
end
2015-04-26 12:48:37 +05:30
def abilities
@abilities ||= begin
abilities = Six.new
abilities << self
abilities
end
end
2015-09-11 14:41:01 +05:30
private
def named_abilities(name)
[
:"read_#{name}",
:"create_#{name}",
:"update_#{name}",
:"admin_#{name}"
]
end
2014-09-02 18:07:02 +05:30
end
end