gitlab-org--gitlab-foss/app/models/ability.rb

class Ability
  class << self
    def allowed(user, subject)
      return not_auth_abilities(user, subject) if user.nil?
      return [] unless user.kind_of?(User)
      return [] if user.blocked?

      case subject.class.name
      when "Project" then project_abilities(user, subject)
      when "Issue" then issue_abilities(user, subject)
      when "Note" then note_abilities(user, subject)
      when "ProjectSnippet" then project_snippet_abilities(user, subject)
      when "PersonalSnippet" then personal_snippet_abilities(user, subject)
      when "MergeRequest" then merge_request_abilities(user, subject)
      when "Group" then group_abilities(user, subject)
      when "Namespace" then namespace_abilities(user, subject)
      when "GroupMember" then group_member_abilities(user, subject)
      else []
      end.concat(global_abilities(user))
    end

    # List of possible abilities
    # for non-authenticated user
    def not_auth_abilities(user, subject)
      project = if subject.kind_of?(Project)
                  subject
                elsif subject.respond_to?(:project)
                  subject.project
                else
                  nil
                end

      if project && project.public?
        [
          :read_project,
          :read_wiki,
          :read_issue,
          :read_milestone,
          :read_project_snippet,
          :read_project_member,
          :read_merge_request,
          :read_note,
          :download_code
        ]
      else
        group = if subject.kind_of?(Group)
                  subject
                elsif subject.respond_to?(:group)
                  subject.group
                else
                  nil
                end

        if group && group.public_profile?
          [:read_group]
        else
          []
        end
      end
    end

    def global_abilities(user)
      rules = []
      rules << :create_group if user.can_create_group
      rules
    end

    def project_abilities(user, project)
      rules = []
      key = "/user/#{user.id}/project/#{project.id}"
      RequestStore.store[key] ||= begin
        team = project.team

        # Rules based on role in project
        if team.master?(user)
          rules.push(*project_master_rules)

        elsif team.developer?(user)
          rules.push(*project_dev_rules)

        elsif team.reporter?(user)
          rules.push(*project_report_rules)

        elsif team.guest?(user)
          rules.push(*project_guest_rules)
        end

        if project.public? || project.internal?
          rules.push(*public_project_rules)
        end

        if project.owner == user || user.admin?
          rules.push(*project_admin_rules)
        end

        if project.group && project.group.has_owner?(user)
          rules.push(*project_admin_rules)
        end

        if project.archived?
          rules -= project_archived_rules
        end

        rules
      end
    end

    def public_project_rules
      project_guest_rules + [
        :download_code,
        :fork_project
      ]
    end

    def project_guest_rules
      [
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_project_snippet,
        :read_project_member,
        :read_merge_request,
        :read_note,
        :write_project,
        :write_issue,
        :write_note
      ]
    end

    def project_report_rules
      project_guest_rules + [
        :download_code,
        :fork_project,
        :write_project_snippet
      ]
    end

    def project_dev_rules
      project_report_rules + [
        :write_merge_request,
        :write_wiki,
        :modify_issue,
        :admin_issue,
        :admin_label,
        :push_code
      ]
    end

    def project_archived_rules
      [
        :write_merge_request,
        :push_code,
        :push_code_to_protected_branches,
        :modify_merge_request,
        :admin_merge_request
      ]
    end

    def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
        :modify_issue,
        :modify_project_snippet,
        :modify_merge_request,
        :admin_issue,
        :admin_milestone,
        :admin_project_snippet,
        :admin_project_member,
        :admin_merge_request,
        :admin_note,
        :admin_wiki,
        :admin_project
      ]
    end

    def project_admin_rules
      project_master_rules + [
        :change_namespace,
        :change_visibility_level,
        :rename_project,
        :remove_project,
        :archive_project
      ]
    end

    def group_abilities(user, group)
      rules = []

      if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
        rules << :read_group
      end

      # Only group masters and group owners can create new projects in group
      if group.has_master?(user) || group.has_owner?(user) || user.admin?
        rules.push(*[
          :create_projects,
        ])
      end

      # Only group owner and administrators can admin group
      if group.has_owner?(user) || user.admin?
        rules.push(*[
          :admin_group,
          :admin_namespace
        ])
      end

      rules.flatten
    end

    def namespace_abilities(user, namespace)
      rules = []

      # Only namespace owner and administrators can admin it
      if namespace.owner == user || user.admin?
        rules.push(*[
          :create_projects,
          :admin_namespace
        ])
      end

      rules.flatten
    end

    [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
      define_method "#{name}_abilities" do |user, subject|
        if subject.author == user || user.is_admin?
          rules = [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
            :"admin_#{name}"
          ]
          rules.push(:change_visibility_level) if subject.is_a?(Snippet)
          rules
        elsif subject.respond_to?(:assignee) && subject.assignee == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
          ]
        else
          if subject.respond_to?(:project)
            project_abilities(user, subject.project)
          else
            []
          end
        end
      end
    end

    def group_member_abilities(user, subject)
      rules = []
      target_user = subject.user
      group = subject.group
      can_manage = group_abilities(user, group).include?(:admin_group)
      if can_manage && (user != target_user)
        rules << :modify_group_member
        rules << :destroy_group_member
      end
      if !group.last_owner?(user) && (can_manage || (user == target_user))
        rules << :destroy_group_member
      end
      rules
    end

    def abilities
      @abilities ||= begin
                       abilities = Six.new
                       abilities << self
                       abilities
                     end
    end
  end
end
init commit 2011-10-08 17:36:38 -04:00			`class Ability`
simple refactoring 2012-10-08 20:10:04 -04:00			`class << self`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`def allowed(user, subject)`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`return not_auth_abilities(user, subject) if user.nil?`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`return [] unless user.kind_of?(User)`
Return empty abilities if user is blocked 2013-08-27 05:41:49 -04:00			`return [] if user.blocked?`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00
simple refactoring 2012-10-08 20:10:04 -04:00			`case subject.class.name`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`when "Project" then project_abilities(user, subject)`
			`when "Issue" then issue_abilities(user, subject)`
			`when "Note" then note_abilities(user, subject)`
Snippets feature refactored. Tests now use spinach 2013-03-24 14:31:14 -04:00			`when "ProjectSnippet" then project_snippet_abilities(user, subject)`
Personal snippets controlelr refactored 2013-03-24 18:17:03 -04:00			`when "PersonalSnippet" then personal_snippet_abilities(user, subject)`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`when "MergeRequest" then merge_request_abilities(user, subject)`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`when "Group" then group_abilities(user, subject)`
			`when "Namespace" then namespace_abilities(user, subject)`
Use `group_member` instead of `users_group` or `membership`. 2015-03-13 11:16:51 -04:00			`when "GroupMember" then group_member_abilities(user, subject)`
simple refactoring 2012-10-08 20:10:04 -04:00			`else []`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`end.concat(global_abilities(user))`
			`end`

Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`# List of possible abilities`
			`# for non-authenticated user`
			`def not_auth_abilities(user, subject)`
			`project = if subject.kind_of?(Project)`
			`subject`
			`elsif subject.respond_to?(:project)`
			`subject.project`
			`else`
			`nil`
			`end`

Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`if project && project.public?`
Remove writing issues/notes from non-auth user abilities 2013-09-24 15:13:28 -04:00			`[`
			`:read_project,`
			`:read_wiki,`
			`:read_issue,`
			`:read_milestone,`
			`:read_project_snippet,`
Use `project_member` instead of `team_member`. 2015-03-13 11:22:03 -04:00			`:read_project_member,`
Remove writing issues/notes from non-auth user abilities 2013-09-24 15:13:28 -04:00			`:read_merge_request,`
			`:read_note,`
			`:download_code`
			`]`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`else`
Allow access to groups with public projects. Fixed Group avatars to only display when user has read permissions to at least one project in the group. 2014-02-13 15:45:51 -05:00			`group = if subject.kind_of?(Group)`
			`subject`
			`elsif subject.respond_to?(:group)`
			`subject.group`
			`else`
			`nil`
			`end`
Implement project collection service Main purpose is move big amount of methods from user, group, project models and place filtering logic in one place. It also fixes 500 error on group page for PostgreSQL Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-25 07:36:36 -05:00
Refactor some search scopes to prevent wierd behaviour and PG::Error issues Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-05 13:37:35 -04:00			`if group && group.public_profile?`
Allow access to groups with public projects. Fixed Group avatars to only display when user has read permissions to at least one project in the group. 2014-02-13 15:45:51 -05:00			`[:read_group]`
			`else`
			`[]`
			`end`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`end`
			`end`

allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`def global_abilities(user)`
			`rules = []`
			`rules << :create_group if user.can_create_group`
			`rules`
init commit 2011-10-08 17:36:38 -04:00			`end`

simple refactoring 2012-10-08 20:10:04 -04:00			`def project_abilities(user, project)`
			`rules = []`
per request project rules caching 2014-06-14 06:05:25 -04:00			`key = "/user/#{user.id}/project/#{project.id}"`
			`RequestStore.store[key] \|\|= begin`
			`team = project.team`
init commit 2011-10-08 17:36:38 -04:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`# Rules based on role in project`
			`if team.master?(user)`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_master_rules)`
REpostiry, Team models 2013-01-03 14:09:18 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`elsif team.developer?(user)`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_dev_rules)`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`elsif team.reporter?(user)`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_report_rules)`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`elsif team.guest?(user)`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_guest_rules)`
per request project rules caching 2014-06-14 06:05:25 -04:00			`end`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`if project.public? \|\| project.internal?`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*public_project_rules)`
per request project rules caching 2014-06-14 06:05:25 -04:00			`end`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`if project.owner == user \|\| user.admin?`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_admin_rules)`
per request project rules caching 2014-06-14 06:05:25 -04:00			`end`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`if project.group && project.group.has_owner?(user)`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*project_admin_rules)`
per request project rules caching 2014-06-14 06:05:25 -04:00			`end`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`if project.archived?`
			`rules -= project_archived_rules`
			`end`
Add UsersGroup relation to be respected by abilities and Project#team 2013-06-17 07:17:32 -04:00
per request project rules caching 2014-06-14 06:05:25 -04:00			`rules`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`end`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`end`

Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`def public_project_rules`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`project_guest_rules + [`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`:download_code,`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`:fork_project`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`]`
			`end`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_guest_rules`
			`[`
simple refactoring 2012-10-08 20:10:04 -04:00			`:read_project,`
			`:read_wiki,`
			`:read_issue,`
			`:read_milestone,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:read_project_snippet,`
Use `project_member` instead of `team_member`. 2015-03-13 11:22:03 -04:00			`:read_project_member,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:read_merge_request,`
			`:read_note,`
			`:write_project,`
			`:write_issue,`
Made fixes suggested by @randx in pull request See https://github.com/gitlabhq/gitlabhq/pull/3597#discussion-diff-4014638 2013-05-02 16:27:40 -04:00			`:write_note`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Wiki abilities 2012-02-20 13:16:55 -05:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_report_rules`
			`project_guest_rules + [`
simple refactoring 2012-10-08 20:10:04 -04:00			`:download_code,`
Fixed ability and modify UI a bit 2013-06-04 11:50:42 -04:00			`:fork_project,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:write_project_snippet`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Wiki abilities 2012-02-20 13:16:55 -05:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_dev_rules`
			`project_report_rules + [`
Reporter cant create MR. Show user authorized projects in Admin area 2013-01-21 07:16:48 -05:00			`:write_merge_request,`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`:write_wiki,`
Allow developers to mange issue tracker Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-01-24 14:29:22 -05:00			`:modify_issue,`
Fix Issues#bulk_update Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-10 08:36:58 -05:00			`:admin_issue,`
Improve labels * allow developers to manage labels * add ability to remove label Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-07-30 08:15:39 -04:00			`:admin_label,`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`:push_code`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`def project_archived_rules`
			`[`
			`:write_merge_request,`
			`:push_code,`
			`:push_code_to_protected_branches,`
			`:modify_merge_request,`
			`:admin_merge_request`
			`]`
			`end`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_master_rules`
			`project_dev_rules + [`
			`:push_code_to_protected_branches,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:modify_issue,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:modify_project_snippet,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:modify_merge_request,`
			`:admin_issue,`
			`:admin_milestone,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:admin_project_snippet,`
Use `project_member` instead of `team_member`. 2015-03-13 11:22:03 -04:00			`:admin_project_member,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:admin_merge_request,`
			`:admin_note,`
Only owner of current namespace can change project namespace 2012-12-04 15:06:55 -05:00			`:admin_wiki,`
			`:admin_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
init commit 2011-10-08 17:36:38 -04:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_admin_rules`
			`project_master_rules + [`
Only owner of current namespace can change project namespace 2012-12-04 15:06:55 -05:00			`:change_namespace,`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`:change_visibility_level,`
Admin can move project to ANY namespace. Updated permissions page 2012-12-04 15:48:24 -05:00			`:rename_project,`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`:remove_project,`
			`:archive_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
simple refactoring 2012-10-08 20:10:04 -04:00			`end`
security improved 2011-10-17 06:39:03 -04:00
Add parenthesis to function def with arguments. 2014-09-25 18:07:40 -04:00			`def group_abilities(user, group)`
add ability to change namespace from project edit page 2012-11-24 15:00:30 -05:00			`rules = []`

Move services for collecting items to Finders Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-25 12:15:08 -05:00			`if user.admin? \|\| group.users.include?(user) \|\| ProjectsFinder.new.execute(user, group: group).any?`
Fix 404 if Group guest visit empty group page 2013-09-11 14:00:16 -04:00			`rules << :read_group`
			`end`

Add ability rule for creating project in namespace Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-28 12:03:01 -04:00			`# Only group masters and group owners can create new projects in group`
			`if group.has_master?(user) \|\| group.has_owner?(user) \|\| user.admin?`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*[`
Add ability rule for creating project in namespace Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-28 12:03:01 -04:00			`:create_projects,`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`])`
Add ability rule for creating project in namespace Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-28 12:03:01 -04:00			`end`

Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`# Only group owner and administrators can admin group`
Group ownership completely based on users_groups relation now Before we have only owner_id to determine group owner With multiple owners per group we should get rid of owner_id in group. So from now @group.owner will always be nil but @group.owners return an actual array of users who can admin this group 2013-09-26 07:49:22 -04:00			`if group.has_owner?(user) \|\| user.admin?`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*[`
Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`:admin_group,`
			`:admin_namespace`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`])`
Fix #2375. Admin and owner can manage groups 2013-01-02 11:57:02 -05:00			`end`
add ability to change namespace from project edit page 2012-11-24 15:00:30 -05:00
			`rules.flatten`
			`end`

Add parenthesis to function def with arguments. 2014-09-25 18:07:40 -04:00			`def namespace_abilities(user, namespace)`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`rules = []`

Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`# Only namespace owner and administrators can admin it`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`if namespace.owner == user \|\| user.admin?`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`rules.push(*[`
Add ability rule for creating project in namespace Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-05-28 12:03:01 -04:00			`:create_projects,`
Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`:admin_namespace`
Append in place for strings and arrays 2014-10-09 03:47:47 -04:00			`])`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`end`

			`rules.flatten`
			`end`

Personal snippets controlelr refactored 2013-03-24 18:17:03 -04:00			`[:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do \|name\|`
security improved 2011-10-17 06:39:03 -04:00			`define_method "#{name}_abilities" do \|user, subject\|`
Update snippet authorization Allow authors and admins to update the visibility level of personal and project snippets. 2015-03-14 12:30:48 -04:00			`if subject.author == user \|\| user.is_admin?`
			`rules = [`
security improved 2011-10-17 06:39:03 -04:00			`:"read_#{name}",`
			`:"write_#{name}",`
Abilities refactoring 2011-12-15 16:57:46 -05:00			`:"modify_#{name}",`
security improved 2011-10-17 06:39:03 -04:00			`:"admin_#{name}"`
			`]`
Update snippet authorization Allow authors and admins to update the visibility level of personal and project snippets. 2015-03-14 12:30:48 -04:00			`rules.push(:change_visibility_level) if subject.is_a?(Snippet)`
			`rules`
Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`elsif subject.respond_to?(:assignee) && subject.assignee == user`
			`[`
			`:"read_#{name}",`
			`:"write_#{name}",`
			`:"modify_#{name}",`
			`]`
security improved 2011-10-17 06:39:03 -04:00			`else`
Improve files/snippets action buttons Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-06-13 13:21:48 -04:00			`if subject.respond_to?(:project)`
			`project_abilities(user, subject.project)`
			`else`
			`[]`
			`end`
security improved 2011-10-17 06:39:03 -04:00			`end`
			`end`
			`end`
User can leave group from group page. 2014-02-07 11:59:55 -05:00
Use `group_member` instead of `users_group` or `membership`. 2015-03-13 11:16:51 -04:00			`def group_member_abilities(user, subject)`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`rules = []`
			`target_user = subject.user`
			`group = subject.group`
Rename manage_group ability to admin_group for consistency with project. 2015-04-10 08:39:10 -04:00			`can_manage = group_abilities(user, group).include?(:admin_group)`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`if can_manage && (user != target_user)`
Use `group_member` instead of `users_group` or `membership`. 2015-03-13 11:16:51 -04:00			`rules << :modify_group_member`
			`rules << :destroy_group_member`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`end`
			`if !group.last_owner?(user) && (can_manage \|\| (user == target_user))`
Use `group_member` instead of `users_group` or `membership`. 2015-03-13 11:16:51 -04:00			`rules << :destroy_group_member`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`end`
			`rules`
			`end`
Factor abilities methods in app controller, user model and services. 2014-10-19 04:50:23 -04:00
			`def abilities`
			`@abilities \|\|= begin`
			`abilities = Six.new`
			`abilities << self`
			`abilities`
			`end`
			`end`
security improved 2011-10-17 06:39:03 -04:00			`end`
init commit 2011-10-08 17:36:38 -04:00			`end`