Rename :full_private_access policy ability to :read_all_resources

5148c8c4 · Diego Louzán · 6fca5c53 · 5148c8c4 · 5148c8c4 · 5148c8c4
Commit 5148c8c4 authored Oct 23, 2019 by Diego Louzán
8 changed files
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1454,7 +1454,7 @@ class User < ApplicationRecord
  # Does the user have access to all private groups & projects?
  # Overridden in EE to also check auditor?
  def full_private_access?
-    can?(:full_private_access)
+    can?(:read_all_resources)
  end
  def update_two_factor_requirement

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -36,11 +36,11 @@ class BasePolicy < DeclarativePolicy::Base
    ::Gitlab::ExternalAuthorization.perform_check?
  end
-  rule { external_authorization_enabled & ~can?(:full_private_access) }.policy do
+  rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do
    prevent :read_cross_project
  end
-  rule { admin }.enable :full_private_access
+  rule { admin }.enable :read_all_resources
  rule { default }.enable :read_cross_project
 end

--- a/app/policies/personal_snippet_policy.rb
+++ b/app/policies/personal_snippet_policy.rb
@@ -30,5 +30,5 @@ class PersonalSnippetPolicy < BasePolicy
  rule { can?(:create_note) }.enable :award_emoji
-  rule { can?(:full_private_access) }.enable :read_personal_snippet
+  rule { can?(:read_all_resources) }.enable :read_personal_snippet
 end
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -28,7 +28,7 @@ class ProjectSnippetPolicy < BasePolicy
    all?(private_snippet | (internal_snippet & external_user),
         ~project.guest,
         ~is_author,
-         ~can?(:full_private_access))
+         ~can?(:read_all_resources))
  end.prevent :read_project_snippet
  rule { internal_snippet & ~is_author & ~admin }.policy do

--- a/ee/app/policies/ee/base_policy.rb
+++ b/ee/app/policies/ee/base_policy.rb
@@ -20,7 +20,7 @@ module EE
      with_scope :global
      condition(:license_block) { License.block_changes? }
-      rule { auditor }.enable :full_private_access
+      rule { auditor }.enable :read_all_resources
    end
  end
 end
--- a/ee/spec/models/issue_spec.rb
+++ b/ee/spec/models/issue_spec.rb
@@ -144,7 +144,7 @@ describe Issue do
    describe 'when a user cannot read cross project' do
      it 'only returns issues within the same project' do
-        expect(Ability).to receive(:allowed?).with(user, :full_private_access, :global).and_call_original
+        expect(Ability).to receive(:allowed?).with(user, :read_all_resources, :global).and_call_original
        expect(Ability).to receive(:allowed?).with(user, :read_cross_project).and_return(false)
        expect(authorized_issue_a.related_issues(user))

--- a/ee/spec/policies/base_policy_spec.rb
+++ b/ee/spec/policies/base_policy_spec.rb
@@ -21,9 +21,9 @@ describe BasePolicy, :do_not_mock_admin_mode do
    end
  end
-  describe 'full private access' do
+  describe 'read all resources' do
    it 'allows auditors' do
-      is_expected.to be_allowed(:full_private_access)
+      is_expected.to be_allowed(:read_all_resources)
    end
  end
 end
--- a/spec/policies/base_policy_spec.rb
+++ b/spec/policies/base_policy_spec.rb
@@ -60,7 +60,7 @@ describe BasePolicy, :do_not_mock_admin_mode do
    subject { described_class.new(current_user, nil) }
-    it { is_expected.not_to be_allowed(:full_private_access) }
+    it { is_expected.not_to be_allowed(:read_all_resources) }
    context 'for admins' do
      let(:current_user) { build(:admin) }
@@ -68,11 +68,11 @@ describe BasePolicy, :do_not_mock_admin_mode do
      it 'allowed when in admin mode' do
        enable_admin_mode!(current_user)
-        is_expected.to be_allowed(:full_private_access)
+        is_expected.to be_allowed(:read_all_resources)
      end
      it 'prevented when not in admin mode' do
-        is_expected.not_to be_allowed(:full_private_access)
+        is_expected.not_to be_allowed(:read_all_resources)
      end
    end
  end