Commit 5ae28ca5 authored by Toon Claes's avatar Toon Claes

Add User#full_private_access? to check if user has Private access

In CE only the admin has access to all private groups & projects. In EE also an
auditor can have full private access.

To overcome merge conflicts, or accidental incorrect access rights, abstract
this out in `User#full_private_access?`.

`User#admin?` now only should be used for admin-only features. For private
access-related features `User#full_private_access?` should be used.

Backported from gitlab-org/gitlab-ee!2199
parent e76764ed
...@@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder ...@@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder
def self.not_restricted_by_confidentiality(user) def self.not_restricted_by_confidentiality(user)
return Issue.where('issues.confidential IS NOT TRUE') if user.blank? return Issue.where('issues.confidential IS NOT TRUE') if user.blank?
return Issue.all if user.admin_or_auditor? return Issue.all if user.full_private_access?
Issue.where(' Issue.where('
issues.confidential IS NOT TRUE issues.confidential IS NOT TRUE
......
...@@ -62,7 +62,7 @@ module Elastic ...@@ -62,7 +62,7 @@ module Elastic
end end
def self.confidentiality_filter(query_hash, current_user) def self.confidentiality_filter(query_hash, current_user)
return query_hash if current_user && current_user.admin_or_auditor? return query_hash if current_user && current_user.full_private_access?
filter = if current_user filter = if current_user
{ {
......
...@@ -65,7 +65,7 @@ module Elastic ...@@ -65,7 +65,7 @@ module Elastic
end end
def self.confidentiality_filter(query_hash, current_user) def self.confidentiality_filter(query_hash, current_user)
return query_hash if current_user && current_user.admin_or_auditor? return query_hash if current_user && current_user.full_private_access?
filter = { filter = {
bool: { bool: {
......
...@@ -59,7 +59,7 @@ module Elastic ...@@ -59,7 +59,7 @@ module Elastic
end end
def self.filter(query_hash, user) def self.filter(query_hash, user)
return query_hash if user && user.admin_or_auditor? return query_hash if user && user.full_private_access?
filter = if user filter = if user
{ {
......
...@@ -52,10 +52,6 @@ module EE ...@@ -52,10 +52,6 @@ module EE
license_allows_auditor_user? && self.auditor license_allows_auditor_user? && self.auditor
end end
def admin_or_auditor?
admin? || auditor?
end
def access_level def access_level
if auditor? if auditor?
:auditor :auditor
...@@ -73,8 +69,8 @@ module EE ...@@ -73,8 +69,8 @@ module EE
end end
# Does the user have access to all private groups & projects? # Does the user have access to all private groups & projects?
def has_full_private_access? def full_private_access?
admin_or_auditor? super || auditor?
end end
def remember_me! def remember_me!
......
...@@ -96,7 +96,7 @@ class ProjectFeature < ActiveRecord::Base ...@@ -96,7 +96,7 @@ class ProjectFeature < ActiveRecord::Base
when DISABLED when DISABLED
false false
when PRIVATE when PRIVATE
user && (project.team.member?(user) || user.admin_or_auditor?) user && (project.team.member?(user) || user.full_private_access?)
when ENABLED when ENABLED
true true
else else
......
...@@ -1016,7 +1016,8 @@ class User < ActiveRecord::Base ...@@ -1016,7 +1016,8 @@ class User < ActiveRecord::Base
end end
# Does the user have access to all private groups & projects? # Does the user have access to all private groups & projects?
def has_full_private_access? # Overridden in EE to also check auditor?
def full_private_access?
admin? admin?
end end
......
...@@ -22,7 +22,7 @@ module Search ...@@ -22,7 +22,7 @@ module Search
def elastic_projects def elastic_projects
@elastic_projects ||= @elastic_projects ||=
if current_user.try(:admin_or_auditor?) if current_user&.full_private_access?
:any :any
elsif current_user elsif current_user
current_user.authorized_projects.pluck(:id) current_user.authorized_projects.pluck(:id)
......
---
title: Add User#full_private_access? to check if user has access to all private groups & projects
merge_request: 12373
author:
...@@ -28,7 +28,7 @@ module Gitlab ...@@ -28,7 +28,7 @@ module Gitlab
def levels_for_user(user = nil) def levels_for_user(user = nil)
return [PUBLIC] unless user return [PUBLIC] unless user
if user.has_full_private_access? if user.full_private_access?
[PRIVATE, INTERNAL, PUBLIC] [PRIVATE, INTERNAL, PUBLIC]
elsif user.external? elsif user.external?
[PUBLIC] [PUBLIC]
......
...@@ -66,11 +66,11 @@ describe EE::User, models: true do ...@@ -66,11 +66,11 @@ describe EE::User, models: true do
end end
end end
describe '#has_full_private_access?' do describe '#full_private_access?' do
it 'returns true for auditor user' do it 'returns true for auditor user' do
user = build(:user, :auditor) user = build(:user, :auditor)
expect(user.has_full_private_access?).to be_truthy expect(user.full_private_access?).to be_truthy
end end
end end
end end
...@@ -1801,17 +1801,17 @@ describe User, models: true do ...@@ -1801,17 +1801,17 @@ describe User, models: true do
end end
end end
describe '#has_full_private_access?' do describe '#full_private_access?' do
it 'returns false for regular user' do it 'returns false for regular user' do
user = build(:user) user = build(:user)
expect(user.has_full_private_access?).to be_falsy expect(user.full_private_access?).to be_falsy
end end
it 'returns true for admin user' do it 'returns true for admin user' do
user = build(:user, :admin) user = build(:user, :admin)
expect(user.has_full_private_access?).to be_truthy expect(user.full_private_access?).to be_truthy
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment