gitlab-org--gitlab-foss/app/policies/project_policy.rb

class ProjectPolicy < BasePolicy
  def rules
    team_access!(user)

    owner = user.admin? ||
            project.owner == user ||
            (project.group && project.group.has_owner?(user))

    owner_access! if owner

    if project.public? || (project.internal? && !user.external?)
      guest_access!
      public_access!

      # Allow to read builds for internal projects
      can! :read_build if project.public_builds?

      if project.request_access_enabled &&
         !(owner || project.team.member?(user) || project_group_member?(user))
        can! :request_access
      end
    end

    archived_access! if project.archived?

    disabled_features!
  end

  def project
    @subject
  end

  def guest_access!
    can! :read_project
    can! :read_board
    can! :read_list
    can! :read_wiki
    can! :read_issue
    can! :read_label
    can! :read_milestone
    can! :read_project_snippet
    can! :read_project_member
    can! :read_merge_request
    can! :read_note
    can! :create_project
    can! :create_issue
    can! :create_note
    can! :upload_file
  end

  def reporter_access!
    can! :download_code
    can! :fork_project
    can! :create_project_snippet
    can! :update_issue
    can! :admin_issue
    can! :admin_label
    can! :admin_list
    can! :read_commit_status
    can! :read_build
    can! :read_container_image
    can! :read_pipeline
    can! :read_environment
    can! :read_deployment
  end

  # Permissions given when an user is team member of a project
  def team_member_reporter_access!
    can! :build_download_code
    can! :build_read_container_image
  end

  def developer_access!
    can! :admin_merge_request
    can! :update_merge_request
    can! :create_commit_status
    can! :update_commit_status
    can! :create_build
    can! :update_build
    can! :create_pipeline
    can! :update_pipeline
    can! :create_merge_request
    can! :create_wiki
    can! :push_code
    can! :resolve_note
    can! :create_container_image
    can! :update_container_image
    can! :create_environment
    can! :create_deployment
  end

  def master_access!
    can! :push_code_to_protected_branches
    can! :update_project_snippet
    can! :update_environment
    can! :update_deployment
    can! :admin_milestone
    can! :admin_project_snippet
    can! :admin_project_member
    can! :admin_merge_request
    can! :admin_note
    can! :admin_wiki
    can! :admin_project
    can! :admin_commit_status
    can! :admin_build
    can! :admin_container_image
    can! :admin_pipeline
    can! :admin_environment
    can! :admin_deployment
    can! :read_cycle_analytics
  end

  def public_access!
    can! :download_code
    can! :fork_project
    can! :read_commit_status
    can! :read_pipeline
    can! :read_container_image
    can! :build_download_code
    can! :build_read_container_image
  end

  def owner_access!
    guest_access!
    reporter_access!
    developer_access!
    master_access!
    can! :change_namespace
    can! :change_visibility_level
    can! :rename_project
    can! :remove_project
    can! :archive_project
    can! :remove_fork_project
    can! :destroy_merge_request
    can! :destroy_issue
  end

  # Push abilities on the users team role
  def team_access!(user)
    access = project.team.max_member_access(user.id)

    guest_access!                if access >= Gitlab::Access::GUEST
    reporter_access!             if access >= Gitlab::Access::REPORTER
    team_member_reporter_access! if access >= Gitlab::Access::REPORTER
    developer_access!            if access >= Gitlab::Access::DEVELOPER
    master_access!               if access >= Gitlab::Access::MASTER
  end

  def archived_access!
    cannot! :create_merge_request
    cannot! :push_code
    cannot! :push_code_to_protected_branches
    cannot! :update_merge_request
    cannot! :admin_merge_request
  end

  def disabled_features!
    unless project.feature_available?(:issues, user)
      cannot!(*named_abilities(:issue))
    end

    unless project.feature_available?(:merge_requests, user)
      cannot!(*named_abilities(:merge_request))
    end

    unless project.feature_available?(:issues, user) || project.feature_available?(:merge_requests, user)
      cannot!(*named_abilities(:label))
      cannot!(*named_abilities(:milestone))
    end

    unless project.feature_available?(:snippets, user)
      cannot!(*named_abilities(:project_snippet))
    end

    unless project.feature_available?(:wiki, user) || project.has_external_wiki?
      cannot!(*named_abilities(:wiki))
    end

    unless project.feature_available?(:builds, user)
      cannot!(*named_abilities(:build))
      cannot!(*named_abilities(:pipeline))
      cannot!(*named_abilities(:environment))
      cannot!(*named_abilities(:deployment))
    end

    unless project.container_registry_enabled
      cannot!(*named_abilities(:container_image))
    end
  end

  def anonymous_rules
    return unless project.public?

    can! :read_project
    can! :read_board
    can! :read_list
    can! :read_wiki
    can! :read_label
    can! :read_milestone
    can! :read_project_snippet
    can! :read_project_member
    can! :read_merge_request
    can! :read_note
    can! :read_pipeline
    can! :read_commit_status
    can! :read_container_image
    can! :download_code

    # NOTE: may be overridden by IssuePolicy
    can! :read_issue

    # Allow to read builds by anonymous user if guests are allowed
    can! :read_build if project.public_builds?

    disabled_features!
  end

  def project_group_member?(user)
    project.group &&
    (
      project.group.members.exists?(user_id: user.id) ||
      project.group.requesters.exists?(user_id: user.id)
    )
  end

  def named_abilities(name)
    [
      :"read_#{name}",
      :"create_#{name}",
      :"update_#{name}",
      :"admin_#{name}"
    ]
  end
end
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`class ProjectPolicy < BasePolicy`
move the rules method to the top #cosmetic 2016-08-30 18:10:33 +00:00			`def rules`
			`team_access!(user)`

			`owner = user.admin? \|\|`
			`project.owner == user \|\|`
			`(project.group && project.group.has_owner?(user))`

			`owner_access! if owner`

			`if project.public? \|\| (project.internal? && !user.external?)`
			`guest_access!`
			`public_access!`

			`# Allow to read builds for internal projects`
			`can! :read_build if project.public_builds?`

			`if project.request_access_enabled &&`
			`!(owner \|\| project.team.member?(user) \|\| project_group_member?(user))`
			`can! :request_access`
			`end`
			`end`

			`archived_access! if project.archived?`

			`disabled_features!`
			`end`

add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`def project`
			`@subject`
			`end`

			`def guest_access!`
			`can! :read_project`
			`can! :read_board`
			`can! :read_list`
			`can! :read_wiki`
			`can! :read_issue`
			`can! :read_label`
			`can! :read_milestone`
			`can! :read_project_snippet`
			`can! :read_project_member`
			`can! :read_merge_request`
			`can! :read_note`
			`can! :create_project`
			`can! :create_issue`
			`can! :create_note`
			`can! :upload_file`
			`end`

			`def reporter_access!`
			`can! :download_code`
			`can! :fork_project`
			`can! :create_project_snippet`
			`can! :update_issue`
			`can! :admin_issue`
			`can! :admin_label`
add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`can! :admin_list`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`can! :read_commit_status`
			`can! :read_build`
			`can! :read_container_image`
			`can! :read_pipeline`
			`can! :read_environment`
			`can! :read_deployment`
			`end`

Improve code comments 2016-09-16 10:46:33 +00:00			`# Permissions given when an user is team member of a project`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`def team_member_reporter_access!`
			`can! :build_download_code`
			`can! :build_read_container_image`
Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files) 2016-08-08 10:01:25 +00:00			`end`

add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`def developer_access!`
			`can! :admin_merge_request`
			`can! :update_merge_request`
			`can! :create_commit_status`
			`can! :update_commit_status`
			`can! :create_build`
			`can! :update_build`
			`can! :create_pipeline`
			`can! :update_pipeline`
			`can! :create_merge_request`
			`can! :create_wiki`
			`can! :push_code`
add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`can! :resolve_note`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`can! :create_container_image`
			`can! :update_container_image`
			`can! :create_environment`
			`can! :create_deployment`
			`end`

			`def master_access!`
			`can! :push_code_to_protected_branches`
			`can! :update_project_snippet`
			`can! :update_environment`
			`can! :update_deployment`
			`can! :admin_milestone`
			`can! :admin_project_snippet`
			`can! :admin_project_member`
			`can! :admin_merge_request`
			`can! :admin_note`
			`can! :admin_wiki`
			`can! :admin_project`
			`can! :admin_commit_status`
			`can! :admin_build`
			`can! :admin_container_image`
			`can! :admin_pipeline`
			`can! :admin_environment`
			`can! :admin_deployment`
Add a JSON version of the `CycleAnalytics` page. 2016-09-08 09:33:38 +00:00			`can! :read_cycle_analytics`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`end`

			`def public_access!`
			`can! :download_code`
			`can! :fork_project`
			`can! :read_commit_status`
			`can! :read_pipeline`
			`can! :read_container_image`
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`can! :build_download_code`
			`can! :build_read_container_image`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`end`

			`def owner_access!`
			`guest_access!`
			`reporter_access!`
			`developer_access!`
			`master_access!`
			`can! :change_namespace`
			`can! :change_visibility_level`
			`can! :rename_project`
			`can! :remove_project`
			`can! :archive_project`
			`can! :remove_fork_project`
			`can! :destroy_merge_request`
			`can! :destroy_issue`
			`end`

			`# Push abilities on the users team role`
add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`def team_access!(user)`
			`access = project.team.max_member_access(user.id)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00
Use `build_read_container_image` and use `build_download_code` 2016-09-15 08:34:53 +00:00			`guest_access! if access >= Gitlab::Access::GUEST`
			`reporter_access! if access >= Gitlab::Access::REPORTER`
			`team_member_reporter_access! if access >= Gitlab::Access::REPORTER`
			`developer_access! if access >= Gitlab::Access::DEVELOPER`
			`master_access! if access >= Gitlab::Access::MASTER`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`end`

			`def archived_access!`
			`cannot! :create_merge_request`
			`cannot! :push_code`
			`cannot! :push_code_to_protected_branches`
			`cannot! :update_merge_request`
			`cannot! :admin_merge_request`
			`end`

			`def disabled_features!`
Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:issues, user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:issue))`
			`end`

Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:merge_requests, user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:merge_request))`
			`end`

Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:issues, user) \|\| project.feature_available?(:merge_requests, user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:label))`
			`cannot!(*named_abilities(:milestone))`
			`end`

Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:snippets, user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:project_snippet))`
			`end`

Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:wiki, user) \|\| project.has_external_wiki?`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:wiki))`
			`end`

Project tools visibility level 2016-08-01 22:31:21 +00:00			`unless project.feature_available?(:builds, user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`cannot!(*named_abilities(:build))`
			`cannot!(*named_abilities(:pipeline))`
			`cannot!(*named_abilities(:environment))`
			`cannot!(*named_abilities(:deployment))`
			`end`

			`unless project.container_registry_enabled`
			`cannot!(*named_abilities(:container_image))`
			`end`
			`end`

add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`def anonymous_rules`
			`return unless project.public?`

			`can! :read_project`
			`can! :read_board`
			`can! :read_list`
			`can! :read_wiki`
			`can! :read_label`
			`can! :read_milestone`
			`can! :read_project_snippet`
			`can! :read_project_member`
			`can! :read_merge_request`
			`can! :read_note`
			`can! :read_pipeline`
			`can! :read_commit_status`
			`can! :read_container_image`
			`can! :download_code`

s/NB:/NOTE:/ 2016-08-30 22:55:28 +00:00			`# NOTE: may be overridden by IssuePolicy`
port issues to Issu{able,e}Policy 2016-08-16 18:10:34 +00:00			`can! :read_issue`

add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`# Allow to read builds by anonymous user if guests are allowed`
			`can! :read_build if project.public_builds?`

			`disabled_features!`
			`end`

			`def project_group_member?(user)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`project.group &&`
			`(`
add support for anonymous abilities 2016-08-12 18:36:16 +00:00			`project.group.members.exists?(user_id: user.id) \|\|`
			`project.group.requesters.exists?(user_id: user.id)`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`)`
			`end`

			`def named_abilities(name)`
			`[`
			`:"read_#{name}",`
			`:"create_#{name}",`
			`:"update_#{name}",`
			`:"admin_#{name}"`
			`]`
			`end`
			`end`