2011-10-08 21:36:38 +00:00
|
|
|
class Ability
|
2012-10-09 00:10:04 +00:00
|
|
|
class << self
|
2013-01-25 09:30:49 +00:00
|
|
|
def allowed(user, subject)
|
2013-09-24 12:58:39 +00:00
|
|
|
return not_auth_abilities(user, subject) if user.nil?
|
2013-01-25 09:30:49 +00:00
|
|
|
return [] unless user.kind_of?(User)
|
2013-08-27 09:41:49 +00:00
|
|
|
return [] if user.blocked?
|
2013-01-25 09:30:49 +00:00
|
|
|
|
2012-10-09 00:10:04 +00:00
|
|
|
case subject.class.name
|
2013-01-25 09:30:49 +00:00
|
|
|
when "Project" then project_abilities(user, subject)
|
|
|
|
|
when "Issue" then issue_abilities(user, subject)
|
|
|
|
|
when "Note" then note_abilities(user, subject)
|
2013-03-24 18:31:14 +00:00
|
|
|
when "ProjectSnippet" then project_snippet_abilities(user, subject)
|
2013-03-24 22:17:03 +00:00
|
|
|
when "PersonalSnippet" then personal_snippet_abilities(user, subject)
|
2013-01-25 09:30:49 +00:00
|
|
|
when "MergeRequest" then merge_request_abilities(user, subject)
|
2013-06-21 19:44:40 +00:00
|
|
|
when "Group" then group_abilities(user, subject)
|
|
|
|
|
when "Namespace" then namespace_abilities(user, subject)
|
2014-02-07 16:59:55 +00:00
|
|
|
when "UsersGroup" then users_group_abilities(user, subject)
|
2012-10-09 00:10:04 +00:00
|
|
|
else []
|
2013-01-25 09:30:49 +00:00
|
|
|
end.concat(global_abilities(user))
|
|
|
|
|
end
|
|
|
|
|
|
2013-09-24 12:58:39 +00:00
|
|
|
# List of possible abilities
|
|
|
|
|
# for non-authenticated user
|
|
|
|
|
def not_auth_abilities(user, subject)
|
|
|
|
|
project = if subject.kind_of?(Project)
|
|
|
|
|
subject
|
|
|
|
|
elsif subject.respond_to?(:project)
|
|
|
|
|
subject.project
|
|
|
|
|
else
|
|
|
|
|
nil
|
|
|
|
|
end
|
|
|
|
|
|
2013-11-06 15:13:21 +00:00
|
|
|
if project && project.public?
|
2013-09-24 19:13:28 +00:00
|
|
|
[
|
|
|
|
|
:read_project,
|
|
|
|
|
:read_wiki,
|
|
|
|
|
:read_issue,
|
|
|
|
|
:read_milestone,
|
|
|
|
|
:read_project_snippet,
|
|
|
|
|
:read_team_member,
|
|
|
|
|
:read_merge_request,
|
|
|
|
|
:read_note,
|
|
|
|
|
:download_code
|
|
|
|
|
]
|
2013-09-24 12:58:39 +00:00
|
|
|
else
|
2014-02-13 20:45:51 +00:00
|
|
|
group = if subject.kind_of?(Group)
|
|
|
|
|
subject
|
|
|
|
|
elsif subject.respond_to?(:group)
|
|
|
|
|
subject.group
|
|
|
|
|
else
|
|
|
|
|
nil
|
|
|
|
|
end
|
2014-02-25 12:36:36 +00:00
|
|
|
|
2014-06-05 17:37:35 +00:00
|
|
|
if group && group.public_profile?
|
2014-02-13 20:45:51 +00:00
|
|
|
[:read_group]
|
|
|
|
|
else
|
|
|
|
|
[]
|
|
|
|
|
end
|
2013-09-24 12:58:39 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
2013-01-25 09:30:49 +00:00
|
|
|
def global_abilities(user)
|
|
|
|
|
rules = []
|
|
|
|
|
rules << :create_group if user.can_create_group
|
|
|
|
|
rules
|
2011-10-08 21:36:38 +00:00
|
|
|
end
|
|
|
|
|
|
2012-10-09 00:10:04 +00:00
|
|
|
def project_abilities(user, project)
|
|
|
|
|
rules = []
|
2011-10-08 21:36:38 +00:00
|
|
|
|
2013-01-03 19:09:18 +00:00
|
|
|
team = project.team
|
|
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
# Rules based on role in project
|
2014-06-04 08:52:17 +00:00
|
|
|
if team.master?(user)
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_master_rules
|
2012-11-29 04:29:11 +00:00
|
|
|
|
2014-06-04 08:52:17 +00:00
|
|
|
elsif team.developer?(user)
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_dev_rules
|
2012-11-29 04:29:11 +00:00
|
|
|
|
2014-06-04 08:52:17 +00:00
|
|
|
elsif team.reporter?(user)
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_report_rules
|
2012-11-29 04:29:11 +00:00
|
|
|
|
2014-06-04 08:52:17 +00:00
|
|
|
elsif team.guest?(user)
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_guest_rules
|
2012-11-29 04:29:11 +00:00
|
|
|
end
|
|
|
|
|
|
2013-11-06 15:13:21 +00:00
|
|
|
if project.public? || project.internal?
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += public_project_rules
|
2013-06-06 11:16:08 +00:00
|
|
|
end
|
|
|
|
|
|
2013-03-25 08:46:57 +00:00
|
|
|
if project.owner == user || user.admin?
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_admin_rules
|
2012-11-29 04:29:11 +00:00
|
|
|
end
|
|
|
|
|
|
2013-09-26 11:49:22 +00:00
|
|
|
if project.group && project.group.has_owner?(user)
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += project_admin_rules
|
2013-06-17 11:17:32 +00:00
|
|
|
end
|
|
|
|
|
|
2013-11-29 16:10:59 +00:00
|
|
|
if project.archived?
|
|
|
|
|
rules -= project_archived_rules
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
rules
|
2012-11-29 04:29:11 +00:00
|
|
|
end
|
|
|
|
|
|
2013-06-06 11:16:08 +00:00
|
|
|
def public_project_rules
|
2013-09-24 12:58:39 +00:00
|
|
|
project_guest_rules + [
|
2013-06-06 11:16:08 +00:00
|
|
|
:download_code,
|
2013-11-06 15:13:21 +00:00
|
|
|
:fork_project
|
2013-06-06 11:16:08 +00:00
|
|
|
]
|
|
|
|
|
end
|
|
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
def project_guest_rules
|
|
|
|
|
[
|
2012-10-09 00:10:04 +00:00
|
|
|
:read_project,
|
|
|
|
|
:read_wiki,
|
|
|
|
|
:read_issue,
|
|
|
|
|
:read_milestone,
|
2013-03-25 07:20:14 +00:00
|
|
|
:read_project_snippet,
|
2012-10-09 00:10:04 +00:00
|
|
|
:read_team_member,
|
|
|
|
|
:read_merge_request,
|
|
|
|
|
:read_note,
|
|
|
|
|
:write_project,
|
|
|
|
|
:write_issue,
|
2013-05-02 20:27:40 +00:00
|
|
|
:write_note
|
2012-11-29 04:29:11 +00:00
|
|
|
]
|
|
|
|
|
end
|
2012-02-20 18:16:55 +00:00
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
def project_report_rules
|
|
|
|
|
project_guest_rules + [
|
2012-10-09 00:10:04 +00:00
|
|
|
:download_code,
|
2013-06-04 15:50:42 +00:00
|
|
|
:fork_project,
|
2013-03-25 07:20:14 +00:00
|
|
|
:write_project_snippet
|
2012-11-29 04:29:11 +00:00
|
|
|
]
|
|
|
|
|
end
|
2012-02-20 18:16:55 +00:00
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
def project_dev_rules
|
|
|
|
|
project_report_rules + [
|
2013-01-21 12:16:48 +00:00
|
|
|
:write_merge_request,
|
2012-10-21 09:12:14 +00:00
|
|
|
:write_wiki,
|
2014-01-24 19:29:22 +00:00
|
|
|
:modify_issue,
|
2014-02-10 13:36:58 +00:00
|
|
|
:admin_issue,
|
2012-10-21 09:12:14 +00:00
|
|
|
:push_code
|
2012-11-29 04:29:11 +00:00
|
|
|
]
|
|
|
|
|
end
|
2012-10-21 09:12:14 +00:00
|
|
|
|
2013-11-29 16:10:59 +00:00
|
|
|
def project_archived_rules
|
|
|
|
|
[
|
|
|
|
|
:write_merge_request,
|
|
|
|
|
:push_code,
|
|
|
|
|
:push_code_to_protected_branches,
|
|
|
|
|
:modify_merge_request,
|
|
|
|
|
:admin_merge_request
|
|
|
|
|
]
|
|
|
|
|
end
|
|
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
def project_master_rules
|
|
|
|
|
project_dev_rules + [
|
|
|
|
|
:push_code_to_protected_branches,
|
2012-10-09 00:10:04 +00:00
|
|
|
:modify_issue,
|
2013-03-25 07:20:14 +00:00
|
|
|
:modify_project_snippet,
|
2012-10-09 00:10:04 +00:00
|
|
|
:modify_merge_request,
|
|
|
|
|
:admin_issue,
|
|
|
|
|
:admin_milestone,
|
2013-03-25 07:20:14 +00:00
|
|
|
:admin_project_snippet,
|
2012-10-09 00:10:04 +00:00
|
|
|
:admin_team_member,
|
|
|
|
|
:admin_merge_request,
|
|
|
|
|
:admin_note,
|
2012-12-04 20:06:55 +00:00
|
|
|
:admin_wiki,
|
|
|
|
|
:admin_project
|
2012-11-29 04:29:11 +00:00
|
|
|
]
|
|
|
|
|
end
|
2011-10-08 21:36:38 +00:00
|
|
|
|
2012-11-29 04:29:11 +00:00
|
|
|
def project_admin_rules
|
|
|
|
|
project_master_rules + [
|
2012-12-04 20:06:55 +00:00
|
|
|
:change_namespace,
|
2013-11-06 15:13:21 +00:00
|
|
|
:change_visibility_level,
|
2012-12-04 20:48:24 +00:00
|
|
|
:rename_project,
|
2013-11-29 16:10:59 +00:00
|
|
|
:remove_project,
|
|
|
|
|
:archive_project
|
2012-11-29 04:29:11 +00:00
|
|
|
]
|
2012-10-09 00:10:04 +00:00
|
|
|
end
|
2011-10-17 10:39:03 +00:00
|
|
|
|
2012-11-24 20:00:30 +00:00
|
|
|
def group_abilities user, group
|
|
|
|
|
rules = []
|
|
|
|
|
|
2014-02-25 17:15:08 +00:00
|
|
|
if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
|
2013-09-11 18:00:16 +00:00
|
|
|
rules << :read_group
|
|
|
|
|
end
|
|
|
|
|
|
2014-05-28 16:03:01 +00:00
|
|
|
# Only group masters and group owners can create new projects in group
|
|
|
|
|
if group.has_master?(user) || group.has_owner?(user) || user.admin?
|
|
|
|
|
rules += [
|
|
|
|
|
:create_projects,
|
|
|
|
|
]
|
|
|
|
|
end
|
|
|
|
|
|
2013-01-02 16:57:02 +00:00
|
|
|
# Only group owner and administrators can manage group
|
2013-09-26 11:49:22 +00:00
|
|
|
if group.has_owner?(user) || user.admin?
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += [
|
2013-01-17 15:35:57 +00:00
|
|
|
:manage_group,
|
|
|
|
|
:manage_namespace
|
2013-01-02 16:57:02 +00:00
|
|
|
]
|
|
|
|
|
end
|
2012-11-24 20:00:30 +00:00
|
|
|
|
|
|
|
|
rules.flatten
|
|
|
|
|
end
|
|
|
|
|
|
2013-06-21 19:44:40 +00:00
|
|
|
def namespace_abilities user, namespace
|
|
|
|
|
rules = []
|
|
|
|
|
|
|
|
|
|
# Only namespace owner and administrators can manage it
|
|
|
|
|
if namespace.owner == user || user.admin?
|
2013-11-29 16:10:59 +00:00
|
|
|
rules += [
|
2014-05-28 16:03:01 +00:00
|
|
|
:create_projects,
|
2013-06-21 19:44:40 +00:00
|
|
|
:manage_namespace
|
|
|
|
|
]
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
rules.flatten
|
|
|
|
|
end
|
|
|
|
|
|
2013-03-24 22:17:03 +00:00
|
|
|
[:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
|
2011-10-17 10:39:03 +00:00
|
|
|
define_method "#{name}_abilities" do |user, subject|
|
|
|
|
|
if subject.author == user
|
|
|
|
|
[
|
|
|
|
|
:"read_#{name}",
|
|
|
|
|
:"write_#{name}",
|
2011-12-15 21:57:46 +00:00
|
|
|
:"modify_#{name}",
|
2011-10-17 10:39:03 +00:00
|
|
|
:"admin_#{name}"
|
|
|
|
|
]
|
2012-02-21 22:31:18 +00:00
|
|
|
elsif subject.respond_to?(:assignee) && subject.assignee == user
|
|
|
|
|
[
|
|
|
|
|
:"read_#{name}",
|
|
|
|
|
:"write_#{name}",
|
|
|
|
|
:"modify_#{name}",
|
|
|
|
|
]
|
2011-10-17 10:39:03 +00:00
|
|
|
else
|
2012-10-09 00:10:04 +00:00
|
|
|
subject.respond_to?(:project) ? project_abilities(user, subject.project) : []
|
2011-10-17 10:39:03 +00:00
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
end
|
2014-02-07 16:59:55 +00:00
|
|
|
|
|
|
|
|
def users_group_abilities(user, subject)
|
|
|
|
|
rules = []
|
|
|
|
|
target_user = subject.user
|
|
|
|
|
group = subject.group
|
|
|
|
|
can_manage = group_abilities(user, group).include?(:manage_group)
|
|
|
|
|
if can_manage && (user != target_user)
|
|
|
|
|
rules << :modify
|
2014-03-10 03:28:49 +00:00
|
|
|
rules << :destroy
|
2014-02-07 16:59:55 +00:00
|
|
|
end
|
|
|
|
|
if !group.last_owner?(user) && (can_manage || (user == target_user))
|
|
|
|
|
rules << :destroy
|
|
|
|
|
end
|
|
|
|
|
rules
|
|
|
|
|
end
|
2011-10-17 10:39:03 +00:00
|
|
|
end
|
2011-10-08 21:36:38 +00:00
|
|
|
end
|
