gitlab-org--gitlab-foss/app/policies/global_policy.rb

class GlobalPolicy < BasePolicy
  desc "User is blocked"
  with_options scope: :user, score: 0
  condition(:blocked) { @user.blocked? }

  desc "User is an internal user"
  with_options scope: :user, score: 0
  condition(:internal) { @user.internal? }

  desc "User's access has been locked"
  with_options scope: :user, score: 0
  condition(:access_locked) { @user.access_locked? }

  rule { anonymous }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :receive_notifications
    prevent :use_quick_actions
    prevent :create_group
  end

  rule { default }.policy do
    enable :log_in
    enable :access_api
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
  end

  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :receive_notifications
    prevent :use_quick_actions
  end

  rule { can_create_group }.policy do
    enable :create_group
  end

  rule { access_locked }.policy do
    prevent :log_in
  end

  rule { ~(anonymous & restricted_public_level) }.policy do
    enable :read_users_list
  end

  rule { admin }.policy do
    enable :read_custom_attribute
    enable :update_custom_attribute
  end
end
factor in global permissions 2016-08-16 23:29:19 +00:00			`class GlobalPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`desc "User is blocked"`
			`with_options scope: :user, score: 0`
			`condition(:blocked) { @user.blocked? }`
Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. 2017-06-29 07:43:41 +00:00
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`desc "User is an internal user"`
			`with_options scope: :user, score: 0`
			`condition(:internal) { @user.internal? }`
line break after guard clause 2016-08-30 18:14:07 +00:00
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`desc "User's access has been locked"`
			`with_options scope: :user, score: 0`
			`condition(:access_locked) { @user.access_locked? }`
add User#internal? and some global permissions 2017-02-28 21:09:23 +00:00
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00			`rule { anonymous }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :receive_notifications`
			`prevent :use_quick_actions`
			`prevent :create_group`
			`end`
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00
			`rule { default }.policy do`
			`enable :log_in`
			`enable :access_api`
			`enable :access_git`
			`enable :receive_notifications`
			`enable :use_quick_actions`
			`end`

			`rule { blocked \| internal }.policy do`
			`prevent :log_in`
			`prevent :access_api`
			`prevent :access_git`
			`prevent :receive_notifications`
			`prevent :use_quick_actions`
			`end`

			`rule { can_create_group }.policy do`
			`enable :create_group`
			`end`

			`rule { access_locked }.policy do`
			`prevent :log_in`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00
Allow logged in users to read user list under public restriction 2017-08-01 07:46:13 +00:00			`rule { ~(anonymous & restricted_public_level) }.policy do`
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00			`enable :read_users_list`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`
Support custom attributes on users 2017-09-28 16:49:42 +00:00
			`rule { admin }.policy do`
			`enable :read_custom_attribute`
			`enable :update_custom_attribute`
			`end`
factor in global permissions 2016-08-16 23:29:19 +00:00			`end`