gitlab-org--gitlab-foss/app/models/ability.rb

252 lines
6.1 KiB
Ruby
Raw Normal View History

2011-10-08 17:36:38 -04:00
class Ability
2012-10-08 20:10:04 -04:00
class << self
2013-01-25 04:30:49 -05:00
def allowed(user, subject)
return not_auth_abilities(user, subject) if user.nil?
2013-01-25 04:30:49 -05:00
return [] unless user.kind_of?(User)
return [] if user.blocked?
2013-01-25 04:30:49 -05:00
2012-10-08 20:10:04 -04:00
case subject.class.name
2013-01-25 04:30:49 -05:00
when "Project" then project_abilities(user, subject)
when "Issue" then issue_abilities(user, subject)
when "Note" then note_abilities(user, subject)
when "ProjectSnippet" then project_snippet_abilities(user, subject)
when "PersonalSnippet" then personal_snippet_abilities(user, subject)
2013-01-25 04:30:49 -05:00
when "MergeRequest" then merge_request_abilities(user, subject)
2013-06-21 15:44:40 -04:00
when "Group" then group_abilities(user, subject)
when "Namespace" then namespace_abilities(user, subject)
2014-02-07 11:59:55 -05:00
when "UsersGroup" then users_group_abilities(user, subject)
2012-10-08 20:10:04 -04:00
else []
2013-01-25 04:30:49 -05:00
end.concat(global_abilities(user))
end
# List of possible abilities
# for non-authenticated user
def not_auth_abilities(user, subject)
project = if subject.kind_of?(Project)
subject
elsif subject.respond_to?(:project)
subject.project
else
nil
end
if project && project.public?
[
:read_project,
:read_wiki,
:read_issue,
:read_milestone,
:read_project_snippet,
:read_team_member,
:read_merge_request,
:read_note,
:download_code
]
else
group = if subject.kind_of?(Group)
subject
elsif subject.respond_to?(:group)
subject.group
else
nil
end
if group && group.has_projects_accessible_to?(nil)
[:read_group]
else
[]
end
end
end
2013-01-25 04:30:49 -05:00
def global_abilities(user)
rules = []
rules << :create_group if user.can_create_group
rules
2011-10-08 17:36:38 -04:00
end
2012-10-08 20:10:04 -04:00
def project_abilities(user, project)
rules = []
2011-10-08 17:36:38 -04:00
2013-01-03 14:09:18 -05:00
team = project.team
# Rules based on role in project
2013-01-03 14:09:18 -05:00
if team.masters.include?(user)
rules += project_master_rules
2013-01-03 14:09:18 -05:00
elsif team.developers.include?(user)
rules += project_dev_rules
2013-01-03 14:09:18 -05:00
elsif team.reporters.include?(user)
rules += project_report_rules
elsif team.guests.include?(user)
rules += project_guest_rules
end
if project.public? || project.internal?
rules += public_project_rules
end
if project.owner == user || user.admin?
rules += project_admin_rules
end
if project.group && project.group.has_owner?(user)
rules += project_admin_rules
end
if project.archived?
rules -= project_archived_rules
end
rules
end
def public_project_rules
project_guest_rules + [
:download_code,
:fork_project
]
end
def project_guest_rules
[
2012-10-08 20:10:04 -04:00
:read_project,
:read_wiki,
:read_issue,
:read_milestone,
2013-03-25 03:20:14 -04:00
:read_project_snippet,
2012-10-08 20:10:04 -04:00
:read_team_member,
:read_merge_request,
:read_note,
:write_project,
:write_issue,
:write_note
]
end
2012-02-20 13:16:55 -05:00
def project_report_rules
project_guest_rules + [
2012-10-08 20:10:04 -04:00
:download_code,
2013-06-04 11:50:42 -04:00
:fork_project,
2013-03-25 03:20:14 -04:00
:write_project_snippet
]
end
2012-02-20 13:16:55 -05:00
def project_dev_rules
project_report_rules + [
:write_merge_request,
:write_wiki,
:modify_issue,
:admin_issue,
:push_code
]
end
def project_archived_rules
[
:write_merge_request,
:push_code,
:push_code_to_protected_branches,
:modify_merge_request,
:admin_merge_request
]
end
def project_master_rules
project_dev_rules + [
:push_code_to_protected_branches,
2012-10-08 20:10:04 -04:00
:modify_issue,
2013-03-25 03:20:14 -04:00
:modify_project_snippet,
2012-10-08 20:10:04 -04:00
:modify_merge_request,
:admin_issue,
:admin_milestone,
2013-03-25 03:20:14 -04:00
:admin_project_snippet,
2012-10-08 20:10:04 -04:00
:admin_team_member,
:admin_merge_request,
:admin_note,
:admin_wiki,
:admin_project
]
end
2011-10-08 17:36:38 -04:00
def project_admin_rules
project_master_rules + [
:change_namespace,
:change_visibility_level,
:rename_project,
:remove_project,
:archive_project
]
2012-10-08 20:10:04 -04:00
end
2011-10-17 06:39:03 -04:00
def group_abilities user, group
rules = []
if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
rules << :read_group
end
# Only group owner and administrators can manage group
if group.has_owner?(user) || user.admin?
rules += [
:manage_group,
:manage_namespace
]
end
rules.flatten
end
2013-06-21 15:44:40 -04:00
def namespace_abilities user, namespace
rules = []
# Only namespace owner and administrators can manage it
if namespace.owner == user || user.admin?
rules += [
2013-06-21 15:44:40 -04:00
:manage_namespace
]
end
rules.flatten
end
[:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
2011-10-17 06:39:03 -04:00
define_method "#{name}_abilities" do |user, subject|
if subject.author == user
[
:"read_#{name}",
:"write_#{name}",
2011-12-15 16:57:46 -05:00
:"modify_#{name}",
2011-10-17 06:39:03 -04:00
:"admin_#{name}"
]
elsif subject.respond_to?(:assignee) && subject.assignee == user
[
:"read_#{name}",
:"write_#{name}",
:"modify_#{name}",
]
2011-10-17 06:39:03 -04:00
else
2012-10-08 20:10:04 -04:00
subject.respond_to?(:project) ? project_abilities(user, subject.project) : []
2011-10-17 06:39:03 -04:00
end
end
end
2014-02-07 11:59:55 -05:00
def users_group_abilities(user, subject)
rules = []
target_user = subject.user
group = subject.group
can_manage = group_abilities(user, group).include?(:manage_group)
if can_manage && (user != target_user)
rules << :modify
rules << :destroy
2014-02-07 11:59:55 -05:00
end
if !group.last_owner?(user) && (can_manage || (user == target_user))
rules << :destroy
end
rules
end
2011-10-17 06:39:03 -04:00
end
2011-10-08 17:36:38 -04:00
end