gitlab-org--gitlab-foss/app/finders/concerns/finder_methods.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

60 lines
1.7 KiB
Ruby
Raw Normal View History

# frozen_string_literal: true
module FinderMethods
# rubocop: disable CodeReuse/ActiveRecord
def find_by!(*args)
raise_not_found_unless_authorized execute.reorder(nil).find_by!(*args)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def find_by(*args)
if_authorized execute.reorder(nil).find_by(*args)
end
# rubocop: enable CodeReuse/ActiveRecord
# rubocop: disable CodeReuse/ActiveRecord
def find(*args)
raise_not_found_unless_authorized execute.reorder(nil).find(*args)
end
# rubocop: enable CodeReuse/ActiveRecord
private
def raise_not_found_unless_authorized(result)
result = if_authorized(result)
unless result
# This fetches the model from the `ActiveRecord::Relation` but does not
# actually execute the query.
model = execute.model
raise ActiveRecord::RecordNotFound, "Couldn't find #{model}"
end
result
end
def if_authorized(result)
# Return the result if the finder does not perform authorization checks.
# this is currently the case in the `MilestoneFinder`
return result unless respond_to?(:current_user, true)
result if can_read_object?(result)
end
def can_read_object?(object)
# When there's no policy, we'll allow the read, this is for example the case
# for Todos
return true unless DeclarativePolicy.has_policy?(object)
Ability.allowed?(current_user, :"read_#{to_ability_name(object)}", object)
end
def to_ability_name(object)
return object.to_ability_name if object.respond_to?(:to_ability_name)
# Not all objects define `#to_ability_name`, so attempt to derive it:
object.model_name.singular
end
end