gitlab-org--gitlab-foss/app/policies/merge_request_policy.rb

# frozen_string_literal: true

class MergeRequestPolicy < IssuablePolicy
  rule { locked }.policy do
    prevent :reopen_merge_request
  end

  # Only users who can read the merge request can comment.
  # Although :read_merge_request is computed in the policy context,
  # it would not be safe to prevent :create_note there, since
  # note permissions are shared, and this would apply too broadly.
  rule { ~can?(:read_merge_request) }.policy do
    prevent :create_note
    prevent :accept_merge_request
  end

  rule { can?(:update_merge_request) }.policy do
    enable :approve_merge_request
  end

  rule { ~anonymous & can?(:read_merge_request) }.policy do
    enable :create_todo
    enable :update_subscription
  end

  condition(:can_merge) { @subject.can_be_merged_by?(@user) }

  rule { can_merge }.policy do
    enable :accept_merge_request
  end

  rule { can?(:admin_merge_request) }.policy do
    enable :set_merge_request_metadata
  end
end

MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

add and use MergeRequestPolicy 2016-08-16 14:32:08 -04:00			`class MergeRequestPolicy < IssuablePolicy`
Disallow reopening of locked merge requests Fixes #56864 2019-03-08 03:34:20 -05:00			`rule { locked }.policy do`
			`prevent :reopen_merge_request`
			`end`
Prevent unauthorised comments on merge requests * Prevent creating notes on inaccessible MRs This applies the notes rules at the MR scope. Rather than adding extra rules to the Project level policy, preventing :create_note here is better since it only prevents creating notes on MRs. * Prevent creating notes in inaccessible Issues without this policy, non-team-members are allowed to comment on issues even when the project has the private-issues policy set. This means that without this change, users are allowed to comment on issues that they cannot read. * Add CHANGELOG entry 2019-06-04 23:30:54 -04:00
			`# Only users who can read the merge request can comment.`
			`# Although :read_merge_request is computed in the policy context,`
			`# it would not be safe to prevent :create_note there, since`
			`# note permissions are shared, and this would apply too broadly.`
Add latest changes from gitlab-org/gitlab@master 2021-03-08 19:09:23 -05:00			`rule { ~can?(:read_merge_request) }.policy do`
			`prevent :create_note`
			`prevent :accept_merge_request`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-07-10 14:09:45 -04:00
			`rule { can?(:update_merge_request) }.policy do`
			`enable :approve_merge_request`
			`end`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00
			`rule { ~anonymous & can?(:read_merge_request) }.policy do`
			`enable :create_todo`
Add latest changes from gitlab-org/gitlab@master 2021-05-21 08:10:27 -04:00			`enable :update_subscription`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2021-03-08 19:09:23 -05:00
			`condition(:can_merge) { @subject.can_be_merged_by?(@user) }`

			`rule { can_merge }.policy do`
			`enable :accept_merge_request`
			`end`
Add latest changes from gitlab-org/gitlab@master 2021-06-11 14:10:13 -04:00
			`rule { can?(:admin_merge_request) }.policy do`
			`enable :set_merge_request_metadata`
			`end`
add and use MergeRequestPolicy 2016-08-16 14:32:08 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 09:26:31 -04:00
Add latest changes from gitlab-org/gitlab@master 2021-05-11 17:10:21 -04:00			`MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')`