Commit 268157f9 authored by http://jneen.net/'s avatar http://jneen.net/

port the EE extensions to policies to the new framework

parent 9e28aca1
......@@ -10,4 +10,14 @@ class BasePolicy < DeclarativePolicy::Base
with_options scope: :user, score: 0
condition(:can_create_group) { @user&.can_create_group }
# EE Extensions
with_scope :user
condition(:auditor, score: 0) { @user&.auditor? }
with_scope :user
condition(:support_bot, score: 0) { @user&.support_bot? }
with_scope :global
condition(:license_block) { License.block_changes? }
end
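Review bot: The new `auditor` and `support_bot` conditions split their options between a preceding `with_scope :user` and an inline `score: 0`, while the `can_create_group` condition directly above uses one `with_options scope: :user, score: 0` line; within one class it reads better to pick a single form, e.g. `with_options scope: :user, score: 0` followed by `condition(:auditor) { @user&.auditor? }`. This assumes `with_options` covers only the next condition, as the existing line appears to rely on, which I cannot verify from this hunk. `license_block` is the only new condition without a score; if score is a cost hint and `License.block_changes?` is cheap, giving it `score: 0` like its siblings keeps the declarations uniform.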
module EE
module GroupPolicy
def rules
raise NotImplementedError unless defined?(super)
extend ActiveSupport::Concern
super
prepended do
with_scope :subject
condition(:ldap_synced) { @subject.ldap_synced? }
return unless @user
rule { ldap_synced }.prevent :admin_group_member
if @subject.ldap_synced?
cannot! :admin_group_member
can! :override_group_member if @user.admin? || @subject.has_owner?(@user)
rule { ldap_synced & admin }.policy do
enable :override_group_member
enable :update_group_member
end
rule { ldap_synced & owner }.policy do
enable :override_group_member
enable :update_group_member
end
rule { auditor }.enable :read_group
end
end
end
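Review bot: `enable :update_group_member` in the `ldap_synced & admin` and `ldap_synced & owner` rules has no counterpart in the removed lines, which only granted `:override_group_member` to an admin or owner of an LDAP-synced group (while preventing `:admin_group_member`). If the CE `GroupPolicy` this module is prepended to already grants `update_group_member` to owners the enable is redundant; if it does not, a commit described as a port quietly widens what an owner of an LDAP-synced group may do, and that deserves a spec or at least a comment. Something like `# LDAP-synced groups: members are edited only via override (member-level gate in GroupMemberPolicy)` above the two rules would state the intent; that wording assumes the `ldap & ~override` rule in GroupMemberPolicy is the intended gate, which I infer rather than see here.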
module EE
module ProjectPolicy
def rules
super
extend ActiveSupport::Concern
guest_access! if user.support_bot?
end
prepended do
with_scope :subject
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
with_scope :subject
condition(:related_issues_disabled) { !@subject.feature_available?(:related_issues) }
with_scope :subject
condition(:deploy_board_disabled) { !@subject.feature_available?(:deploy_board) }
with_scope :global
condition(:is_development) { Rails.env.development? }
rule { admin }.enable :change_repository_storage
rule { support_bot }.enable :guest_access
rule { support_bot & ~service_desk_enabled }.policy do
prevent :create_note
prevent :read_project
end
def disabled_features!
raise NotImplementedError unless defined?(super)
rule { license_block }.policy do
prevent :create_issue
prevent :create_merge_request
prevent :push_code
end
rule { related_issues_disabled }.policy do
prevent :read_issue_link
prevent :admin_issue_link
end
super
rule { can?(:guest_access) }.enable :read_issue_link
if License.block_changes?
cannot! :create_issue
cannot! :create_merge_request
cannot! :push_code
cannot! :push_code_to_protected_branches
rule { can?(:reporter_access) }.policy do
enable :admin_board
enable :read_deploy_board
enable :admin_issue_link
end
if @user&.support_bot? && !@subject.service_desk_enabled?
cannot! :create_note
cannot! :read_project
rule { can?(:developer_access) }.enable :admin_board
rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board
rule { can?(:master_access) }.policy do
enable :push_code_to_protected_branches
enable :admin_path_locks
end
unless project.feature_available?(:related_issues)
cannot! :read_issue_link
cannot! :admin_issue_link
rule { auditor }.policy do
enable :public_user_access
prevent :request_access
enable :read_build
enable :read_environment
enable :read_deployment
enable :read_pages
end
rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
end
end
end
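Review bot: The `license_block` rule in the `prepended` block prevents `:create_issue`, `:create_merge_request` and `:push_code` but drops the `:push_code_to_protected_branches` that the removed `cannot!` list also covered; it remains blocked only transitively, through `rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches` at the end of the block. Making the license gate self-contained is cheaper than having a reader chase that dependency: add `prevent :push_code_to_protected_branches` to the `license_block` policy, or note it with `# push_code_to_protected_branches is prevented via ~can?(:push_code) below`. The `~is_development` exemption in the `deploy_board_disabled` rule bypasses a licensed-feature gate in development; it is presumably carried over rather than new, but its old-side counterpart is not visible in this section, so worth confirming.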
......@@ -19,4 +19,12 @@ class GroupMemberPolicy < BasePolicy
rule { is_target_user }.policy do
enable :destroy_group_member
end
## EE extensions
condition(:ldap, score: 0) { @subject.ldap? }
condition(:override, score: 0) { @subject.override? }
rule { ~ldap }.prevent :override_group_member
rule { ldap & ~override }.prevent :update_group_member
end
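Review bot: `condition(:ldap, score: 0)` and `condition(:override, score: 0)` read only `@subject`, yet unlike the other subject-only conditions this commit adds (`ldap_synced`, `service_desk_enabled`, `related_issues_disabled`) they are declared without `with_scope :subject`, so they fall under whatever the default scope is. If the scope governs how a condition's result is cached, which I infer from the `with_scope` usage elsewhere and not from anything visible in this hunk, declaring it is both consistent and cheaper: put `with_scope :subject` before each of the two `condition` lines. A short comment such as `# member-level LDAP rules; the group-level half lives in EE::GroupPolicy` would also help a reader find the matching `ldap_synced` rules.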
class GroupPolicy < BasePolicy
prepend EE::GroupPolicy
desc "Group is public"
with_options scope: :subject, score: 0
condition(:public_group) { @subject.public? }
......
class ProjectPolicy < BasePolicy
prepend EE::ProjectPolicy
def self.create_read_update_admin(name)
[
:"create_#{name}",
......
......@@ -27,6 +27,7 @@ class ProjectSnippetPolicy < BasePolicy
all?(private_snippet | (internal & external_user),
~project.guest,
~admin,
~auditor,
~is_author)
end.prevent :read_project_snippet
......@@ -42,4 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
enable :update_project_snippet
enable :admin_project_snippet
end
# EE Extensions
rule { auditor }.enable :read_project_snippet
end
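Review bot: The `~auditor` term added to the `all?(...)` prevent list and the new `rule { auditor }.enable :read_project_snippet` only work as a pair: if a prevent outranks an enable in this framework, as the pre-existing `~admin` term in the same list suggests, the enable alone would do nothing for private snippets, and a later edit could remove one half without the other. A comment above the EE rule, e.g. `# auditors may read any project snippet; the ~auditor term in the prevent rule above is required because prevent wins`, would tie the two hunks together. The first hunk begins inside a rule whose `rule do` line is above the hunk, so the full prevent condition is not visible here.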