Commit ab4bb67f authored by Grzegorz Bizon's avatar Grzegorz Bizon

Merge branch '7000-introduce-PolicyCheckable' into 'master'

Add PolicyCheckable concern for things passed to policy checks

Closes #7000

See merge request gitlab-org/gitlab-ee!6641
parents 0e92a772 c6dbd435
class DeployToken < ActiveRecord::Base class DeployToken < ActiveRecord::Base
include Expirable include Expirable
include TokenAuthenticatable include TokenAuthenticatable
include PolicyActor
add_authentication_token_field :token add_authentication_token_field :token
prepend EE::DeployToken
AVAILABLE_SCOPES = %i(read_repository read_registry).freeze AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'.freeze GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'.freeze
...@@ -60,10 +59,6 @@ class DeployToken < ActiveRecord::Base ...@@ -60,10 +59,6 @@ class DeployToken < ActiveRecord::Base
write_attribute(:expires_at, value.presence || Forever.date) write_attribute(:expires_at, value.presence || Forever.date)
end end
def admin?
false
end
private private
def ensure_at_least_one_scope def ensure_at_least_one_scope
......
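Review bot: `include PolicyActor` at the top of the class replaces the inline `admin?` that the second hunk drops (its header goes from 10 to 6 lines), but nothing at the include site says why a deploy token needs user-like predicates; a one-line comment such as `# Lets a deploy token stand in for a user in DeclarativePolicy checks (see PolicyActor)` would stop the next reader from re-adding overrides here. Because the predicates now come from an included module, they sit below DeployToken in the ancestor chain, so any method or attribute later defined on the class with the same name overrides the concern's value silently. The class body continues outside the hunk.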
...@@ -22,14 +22,4 @@ class BasePolicy < DeclarativePolicy::Base ...@@ -22,14 +22,4 @@ class BasePolicy < DeclarativePolicy::Base
# This is prevented in some cases in `gitlab-ee` # This is prevented in some cases in `gitlab-ee`
rule { default }.enable :read_cross_project rule { default }.enable :read_cross_project
# EE Extensions
with_scope :user
condition(:auditor, score: 0) { @user&.auditor? }
with_scope :user
condition(:support_bot, score: 0) { @user&.support_bot? }
with_scope :global
condition(:license_block) { License.block_changes? }
end end
# frozen_string_literal: true
# Include this module if we want to pass something else than the user to
# check policies. This defines several methods which the policy checker
# would call and check.
module PolicyActor
extend ActiveSupport::Concern
prepend EE::PolicyActor
def blocked?
false
end
def admin?
false
end
def external?
false
end
def internal?
false
end
def access_locked?
false
end
def required_terms_not_accepted?
false
end
def can_create_group
false
end
end
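Review bot: The header comment says what PolicyActor is for but not what its defaults mean, and the defaults are deliberately asymmetric: the account-state gates (`blocked?`, `access_locked?`, `required_terms_not_accepted?`) answer in the permissive direction while the privilege predicates (`admin?`, `can_create_group`) answer in the restrictive one. A sentence making that rule explicit, e.g. `# Defaults deny privilege and never trip account-state restrictions; an actor's own expiry (e.g. Expirable) must be enforced where it is authenticated, not here.`, would guide anyone adding a predicate later. The list is also hand-maintained: a policy that calls a User predicate not defined here raises NoMethodError for a non-user actor (a hard failure rather than a denied check); the EE base policy hunk calls `@user&.support_bot?` and `@user&.auditor?`, and only `auditor?` is visible in `EE::PolicyActor` in this diff, so `support_bot?` is worth confirming. `can_create_group` without `?` looks intentional to mirror User's attribute name and deserves a comment saying so.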
...@@ -45,6 +45,7 @@ module Gitlab ...@@ -45,6 +45,7 @@ module Gitlab
#{config.root}/app/models/members #{config.root}/app/models/members
#{config.root}/app/models/project_services #{config.root}/app/models/project_services
#{config.root}/app/workers/concerns #{config.root}/app/workers/concerns
#{config.root}/app/policies/concerns
#{config.root}/app/services/concerns #{config.root}/app/services/concerns
#{config.root}/app/serializers/concerns #{config.root}/app/serializers/concerns
#{config.root}/app/finders/concerns #{config.root}/app/finders/concerns
......
...@@ -10,6 +10,15 @@ module EE ...@@ -10,6 +10,15 @@ module EE
rule { external_authorization_enabled & ~admin & ~auditor }.policy do rule { external_authorization_enabled & ~admin & ~auditor }.policy do
prevent :read_cross_project prevent :read_cross_project
end end
with_scope :user
condition(:auditor, score: 0) { @user&.auditor? }
with_scope :user
condition(:support_bot, score: 0) { @user&.support_bot? }
with_scope :global
condition(:license_block) { License.block_changes? }
end end
end end
end end
# frozen_string_literal: true
module EE module EE
module DeployToken module PolicyActor
def auditor? def auditor?
false false
end end
......
# frozen_string_literal: true
require 'spec_helper'
describe PolicyActor do
it 'implements all the methods from user' do
methods = subject.instance_methods
# User.instance_methods do not return all methods until an instance is
# initialized. So here we just use an instance
expect(build(:user).methods).to include(*methods)
end
end
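Review bot: The assertion runs in one direction only — every PolicyActor method must exist on User — so it catches a predicate that User lacks but not the reverse, a User predicate that a policy calls and PolicyActor does not define, which is the case that fails at runtime for a deploy token. Worth a second example that walks the predicates the policies actually call, or at least a comment on the `it` noting the gap, e.g. `# Does not check that every predicate policies call on @user is defined by PolicyActor`. `subject` for a module description is the module itself, so `subject.instance_methods` also picks up what `EE::PolicyActor` prepends, which is presumably intended but could be stated in the comment.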