port issues to Issu{able,e}Policy

4d904bf3 · http://jneen.net/ · 1ca9b335 · 4d904bf3 · 4d904bf3 · 4d904bf3
Commit 4d904bf3 authored Aug 16, 2016 by http://jneen.net/
5 changed files
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -72,7 +72,7 @@ class Ability
      case subject
      when CommitStatus then commit_status_abilities(user, subject)
      when Project then ProjectPolicy.abilities(user, subject)
-      when Issue then issue_abilities(user, subject)
+      when Issue then IssuePolicy.abilities(user, subject)
      when Note then note_abilities(user, subject)
      when ProjectSnippet then project_snippet_abilities(user, subject)
      when PersonalSnippet then personal_snippet_abilities(user, subject)
@@ -89,7 +89,7 @@ class Ability
    end

    # List of possible abilities for anonymous user
-    def anonymous_abilities(user, subject)
+    def anonymous_abilities(subject)
      if subject.is_a?(PersonalSnippet)
        anonymous_personal_snippet_abilities(subject)
      elsif subject.is_a?(ProjectSnippet)
@@ -98,6 +98,8 @@ class Ability
        anonymous_commit_status_abilities(subject)
      elsif subject.is_a?(Project)
        ProjectPolicy.abilities(nil, subject)
+      elsif subject.is_a?(Issue)
+        IssuePolicy.abilities(nil, subject)
      elsif subject.respond_to?(:project)
        ProjectPolicy.abilities(nil, subject.project)
      elsif subject.is_a?(Group) || subject.respond_to?(:group)

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -3,6 +3,10 @@ class BasePolicy
    new(user, subject).abilities
  end

+  def self.class_for(subject)
+    "#{subject.class.name}Policy".constantize
+  end
+
  attr_reader :user, :subject
  def initialize(user, subject)
    @user = user
@@ -18,8 +22,12 @@ class BasePolicy
    collect_rules { anonymous_rules }
  end

-  def generate!
-    raise 'abstract'
+  def anonymous_rules
+    rules
+  end
+
+  def delegate!(new_subject)
+    @can.merge(BasePolicy.class_for(new_subject).abilities(@user, new_subject))
  end

  def can!(*rules)

--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
+class IssuablePolicy < BasePolicy
+  def action_name
+    @subject.class.name.underscore
+  end
+
+  def rules
+    if @user && (@subject.author == @user || @subject.assignee == @user)
+      can! :"read_#{action_name}"
+      can! :"update_#{action_name}"
+    end
+
+    delegate! @subject.project
+  end
+end
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
+class IssuePolicy < IssuablePolicy
+  def issue
+    @subject
+  end
+
+  def rules
+    super
+
+    if @subject.confidential? && !can_read_confidential?
+      cannot! :read_issue
+      cannot! :admin_issue
+      cannot! :update_issue
+      cannot! :read_issue
+    end
+  end
+
+  private
+
+  def can_read_confidential?
+    return false unless @user
+    return true if @user.admin?
+    return true if @subject.author == @user
+    return true if @subject.assignee == @user
+    return true if @subject.project.team.member?(@user, Gitlab::Access::REPORTER)
+    false
+  end
+end
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -203,6 +203,9 @@ class ProjectPolicy < BasePolicy
    can! :read_container_image
    can! :download_code

+    # NB: may be overridden by IssuePolicy
+    can! :read_issue
+
    # Allow to read builds by anonymous user if guests are allowed
    can! :read_build if project.public_builds?