gitlab-org--gitlab-foss/app/policies/group_policy.rb

class GroupPolicy < BasePolicy
  desc "Group is public"
  with_options scope: :subject, score: 0
  condition(:public_group) { @subject.public? }

  with_score 0
  condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }

  condition(:has_access) { access_level != GroupMember::NO_ACCESS }

  condition(:guest) { access_level >= GroupMember::GUEST }
  condition(:developer) { access_level >= GroupMember::DEVELOPER }
  condition(:owner) { access_level >= GroupMember::OWNER }
  condition(:master) { access_level >= GroupMember::MASTER }
  condition(:reporter) { access_level >= GroupMember::REPORTER }

  condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }

  condition(:has_parent, scope: :subject) { @subject.has_parent? }
  condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
  condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }

  condition(:has_projects) do
    GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
  end

  with_options scope: :subject, score: 0
  condition(:request_access_enabled) { @subject.request_access_enabled }

  rule { public_group }      .enable :read_group
  rule { logged_in_viewable }.enable :read_group
  rule { guest }             .enable :read_group
  rule { admin }             .enable :read_group
  rule { has_projects }      .enable :read_group

  rule { developer }.enable :admin_milestones
  rule { reporter }.enable :admin_label

  rule { master }.policy do
    enable :create_projects
    enable :admin_pipeline
    enable :admin_build
  end

  rule { owner }.policy do
    enable :admin_group
    enable :admin_namespace
    enable :admin_group_member
    enable :change_visibility_level
  end

  rule { owner & nested_groups_supported }.enable :create_subgroup

  rule { public_group | logged_in_viewable }.enable :view_globally

  rule { default }.enable(:request_access)

  rule { ~request_access_enabled }.prevent :request_access
  rule { ~can?(:view_globally) }.prevent   :request_access
  rule { has_access }.prevent              :request_access

  rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock

  def access_level
    return GroupMember::NO_ACCESS if @user.nil?

    @access_level ||= @subject.max_member_access_for_user(@user)
  end
end
port groups 2016-08-16 19:28:47 -04:00			`class GroupPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "Group is public"`
			`with_options scope: :subject, score: 0`
			`condition(:public_group) { @subject.public? }`

			`with_score 0`
			`condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }`

			`condition(:has_access) { access_level != GroupMember::NO_ACCESS }`
port groups 2016-08-16 19:28:47 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:guest) { access_level >= GroupMember::GUEST }`
Allow DEVELOPER role to admin milestones 2017-09-13 16:32:58 -04:00			`condition(:developer) { access_level >= GroupMember::DEVELOPER }`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:owner) { access_level >= GroupMember::OWNER }`
			`condition(:master) { access_level >= GroupMember::MASTER }`
			`condition(:reporter) { access_level >= GroupMember::REPORTER }`
port groups 2016-08-16 19:28:47 -04:00
Improves subgroup creation permissions 2017-08-09 06:58:00 -04:00			`condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }`

Optimize policy rule 2017-09-07 12:42:15 -04:00			`condition(:has_parent, scope: :subject) { @subject.has_parent? }`
Refer to “Share with group lock” consistently 2017-09-06 14:31:45 -04:00			`condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }`
			`condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }`
Optimize policy rule 2017-09-07 12:42:15 -04:00			`condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }`
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser. 2017-09-01 21:00:46 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:has_projects) do`
ProjectsFinder should handle more options Extended ProjectFinder in order to handle the following options: - current_user - which user use - project_ids_relation: int[] - project ids to use - params: - trending: boolean - non_public: boolean - starred: boolean - sort: string - visibility_level: int - tags: string[] - personal: boolean - search: string - non_archived: boolean GroupProjectsFinder now inherits from ProjectsFinder. Changed the code in order to use the new available options. 2017-03-03 05:35:04 -05:00			`GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?`
port groups 2016-08-16 19:28:47 -04:00			`end`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
			`with_options scope: :subject, score: 0`
			`condition(:request_access_enabled) { @subject.request_access_enabled }`

			`rule { public_group } .enable :read_group`
			`rule { logged_in_viewable }.enable :read_group`
			`rule { guest } .enable :read_group`
			`rule { admin } .enable :read_group`
			`rule { has_projects } .enable :read_group`

Allow DEVELOPER role to admin milestones 2017-09-13 16:32:58 -04:00			`rule { developer }.enable :admin_milestones`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { reporter }.enable :admin_label`

			`rule { master }.policy do`
			`enable :create_projects`
Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Basic BE change Fix static-snalysis Move the precedence of group secure variable before project secure variable. Allow project_id to be null. Separate Ci::VariableProject and Ci::VariableGroup Add the forgotton files Add migration file to update type of ci_variables Fix form_for fpr VariableProject Fix test Change the table structure according to the yorik advice Add necessary migration files. Remove unnecessary migration spec. Revert safe_model_attributes.yml Fix models Fix spec Avoid self.variable. Use becomes for correct routing. Use unique index on group_id and key Add null: false for t.timestamps Fix schema version Rename VariableProject and VariableGroup to ProjectVariable and GroupVariable Rename the rest of them Add the rest of files Implement CURD Rename codes related to VariableGroup and VariableProject FE part Remove unneccesary changes Make Fe code up-to-date Add protected flag to migration file Protected group variables essential package Update schema Improve doc Fix logic and spec for models Fix logic and spec for controllers Fix logic and spec for views(pre feature) Add feature spec Fixed bugs. placeholder. reveal button. doc. Add changelog Remove unnecessary comment godfat nice catches Improve secret_variables_for arctecture Fix spec Fix StaticAnlysys & path_regex spec Revert "Improve secret_variables_for arctecture" This reverts commit c3216ca212322ecf6ca534cb12ce75811a4e77f1. Use ayufan suggestion for secret_variables_for Use find instead of find_by Fix spec message for variable is invalid Fix spec remove variable.group_id = group.id godffat spec nitpicks Use include Gitlab::Routing.url_helpers for presenter spec 2017-05-03 14:51:55 -04:00			`enable :admin_pipeline`
			`enable :admin_build`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end`

			`rule { owner }.policy do`
			`enable :admin_group`
			`enable :admin_namespace`
			`enable :admin_group_member`
			`enable :change_visibility_level`
			`end`

Make Members with Owner and Master roles always able to create subgroups 2017-09-07 14:35:45 -04:00			`rule { owner & nested_groups_supported }.enable :create_subgroup`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00
			`rule { public_group \| logged_in_viewable }.enable :view_globally`

			`rule { default }.enable(:request_access)`

			`rule { ~request_access_enabled }.prevent :request_access`
			`rule { ~can?(:view_globally) }.prevent :request_access`
			`rule { has_access }.prevent :request_access`

Optimize policy rule 2017-09-07 12:42:15 -04:00			`rule { owner & (~share_with_group_locked \| ~has_parent \| ~parent_share_with_group_locked \| can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock`
Enforce share_with_group_lock rules …in Groups::UpdateService instead of only in the browser. 2017-09-01 21:00:46 -04:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`def access_level`
			`return GroupMember::NO_ACCESS if @user.nil?`

			`@access_level \|\|= @subject.max_member_access_for_user(@user)`
			`end`
port groups 2016-08-16 19:28:47 -04:00			`end`