gitlab-org--gitlab-foss/app/models/ability.rb

class Ability
  class << self
    def allowed(user, subject)
      return not_auth_abilities(user, subject) if user.nil?
      return [] unless user.kind_of?(User)
      return [] if user.blocked?

      case subject.class.name
      when "Project" then project_abilities(user, subject)
      when "Issue" then issue_abilities(user, subject)
      when "Note" then note_abilities(user, subject)
      when "ProjectSnippet" then project_snippet_abilities(user, subject)
      when "PersonalSnippet" then personal_snippet_abilities(user, subject)
      when "MergeRequest" then merge_request_abilities(user, subject)
      when "Group" then group_abilities(user, subject)
      when "Namespace" then namespace_abilities(user, subject)
      when "UsersGroup" then users_group_abilities(user, subject)
      else []
      end.concat(global_abilities(user))
    end

    # List of possible abilities
    # for non-authenticated user
    def not_auth_abilities(user, subject)
      project = if subject.kind_of?(Project)
                  subject
                elsif subject.respond_to?(:project)
                  subject.project
                else
                  nil
                end

      if project && project.public?
        [
          :read_project,
          :read_wiki,
          :read_issue,
          :read_milestone,
          :read_project_snippet,
          :read_team_member,
          :read_merge_request,
          :read_note,
          :download_code
        ]
      else
        group = if subject.kind_of?(Group)
                  subject
                elsif subject.respond_to?(:group)
                  subject.group
                else
                  nil
                end

        if group && group.has_projects_accessible_to?(nil)
          [:read_group]
        else
          []
        end
      end
    end

    def global_abilities(user)
      rules = []
      rules << :create_group if user.can_create_group
      rules
    end

    def project_abilities(user, project)
      rules = []

      team = project.team

      # Rules based on role in project
      if team.masters.include?(user)
        rules += project_master_rules

      elsif team.developers.include?(user)
        rules += project_dev_rules

      elsif team.reporters.include?(user)
        rules += project_report_rules

      elsif team.guests.include?(user)
        rules += project_guest_rules
      end

      if project.public? || project.internal?
        rules += public_project_rules
      end

      if project.owner == user || user.admin?
        rules += project_admin_rules
      end

      if project.group && project.group.has_owner?(user)
        rules += project_admin_rules
      end

      if project.archived?
        rules -= project_archived_rules
      end

      rules
    end

    def public_project_rules
      project_guest_rules + [
        :download_code,
        :fork_project
      ]
    end

    def project_guest_rules
      [
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_project_snippet,
        :read_team_member,
        :read_merge_request,
        :read_note,
        :write_project,
        :write_issue,
        :write_note
      ]
    end

    def project_report_rules
      project_guest_rules + [
        :download_code,
        :fork_project,
        :write_project_snippet
      ]
    end

    def project_dev_rules
      project_report_rules + [
        :write_merge_request,
        :write_wiki,
        :modify_issue,
        :admin_issue,
        :push_code
      ]
    end

    def project_archived_rules
      [
        :write_merge_request,
        :push_code,
        :push_code_to_protected_branches,
        :modify_merge_request,
        :admin_merge_request
      ]
    end

    def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
        :modify_issue,
        :modify_project_snippet,
        :modify_merge_request,
        :admin_issue,
        :admin_milestone,
        :admin_project_snippet,
        :admin_team_member,
        :admin_merge_request,
        :admin_note,
        :admin_wiki,
        :admin_project
      ]
    end

    def project_admin_rules
      project_master_rules + [
        :change_namespace,
        :change_visibility_level,
        :rename_project,
        :remove_project,
        :archive_project
      ]
    end

    def group_abilities user, group
      rules = []

      if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
        rules << :read_group
      end

      # Only group owner and administrators can manage group
      if group.has_owner?(user) || user.admin?
        rules += [
          :manage_group,
          :manage_namespace
        ]
      end

      rules.flatten
    end

    def namespace_abilities user, namespace
      rules = []

      # Only namespace owner and administrators can manage it
      if namespace.owner == user || user.admin?
        rules += [
          :manage_namespace
        ]
      end

      rules.flatten
    end

    [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
      define_method "#{name}_abilities" do |user, subject|
        if subject.author == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
            :"admin_#{name}"
          ]
        elsif subject.respond_to?(:assignee) && subject.assignee == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
          ]
        else
          subject.respond_to?(:project) ? project_abilities(user, subject.project) : []
        end
      end
    end

    def users_group_abilities(user, subject)
      rules = []
      target_user = subject.user
      group = subject.group
      can_manage = group_abilities(user, group).include?(:manage_group)
      if can_manage && (user != target_user)
        rules << :modify
        rules << :destroy
      end
      if !group.last_owner?(user) && (can_manage || (user == target_user))
        rules << :destroy
      end
      rules
    end
  end
end
init commit 2011-10-08 17:36:38 -04:00			`class Ability`
simple refactoring 2012-10-08 20:10:04 -04:00			`class << self`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`def allowed(user, subject)`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`return not_auth_abilities(user, subject) if user.nil?`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`return [] unless user.kind_of?(User)`
Return empty abilities if user is blocked 2013-08-27 05:41:49 -04:00			`return [] if user.blocked?`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00
simple refactoring 2012-10-08 20:10:04 -04:00			`case subject.class.name`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`when "Project" then project_abilities(user, subject)`
			`when "Issue" then issue_abilities(user, subject)`
			`when "Note" then note_abilities(user, subject)`
Snippets feature refactored. Tests now use spinach 2013-03-24 14:31:14 -04:00			`when "ProjectSnippet" then project_snippet_abilities(user, subject)`
Personal snippets controlelr refactored 2013-03-24 18:17:03 -04:00			`when "PersonalSnippet" then personal_snippet_abilities(user, subject)`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`when "MergeRequest" then merge_request_abilities(user, subject)`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`when "Group" then group_abilities(user, subject)`
			`when "Namespace" then namespace_abilities(user, subject)`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`when "UsersGroup" then users_group_abilities(user, subject)`
simple refactoring 2012-10-08 20:10:04 -04:00			`else []`
allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`end.concat(global_abilities(user))`
			`end`

Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`# List of possible abilities`
			`# for non-authenticated user`
			`def not_auth_abilities(user, subject)`
			`project = if subject.kind_of?(Project)`
			`subject`
			`elsif subject.respond_to?(:project)`
			`subject.project`
			`else`
			`nil`
			`end`

Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`if project && project.public?`
Remove writing issues/notes from non-auth user abilities 2013-09-24 15:13:28 -04:00			`[`
			`:read_project,`
			`:read_wiki,`
			`:read_issue,`
			`:read_milestone,`
			`:read_project_snippet,`
			`:read_team_member,`
			`:read_merge_request,`
			`:read_note,`
			`:download_code`
			`]`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`else`
Allow access to groups with public projects. Fixed Group avatars to only display when user has read permissions to at least one project in the group. 2014-02-13 15:45:51 -05:00			`group = if subject.kind_of?(Group)`
			`subject`
			`elsif subject.respond_to?(:group)`
			`subject.group`
			`else`
			`nil`
			`end`
Implement project collection service Main purpose is move big amount of methods from user, group, project models and place filtering logic in one place. It also fixes 500 error on group page for PostgreSQL Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-25 07:36:36 -05:00
Allow access to groups with public projects. Fixed Group avatars to only display when user has read permissions to at least one project in the group. 2014-02-13 15:45:51 -05:00			`if group && group.has_projects_accessible_to?(nil)`
			`[:read_group]`
			`else`
			`[]`
			`end`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`end`
			`end`

allow/deny user to create group/team 2013-01-25 04:30:49 -05:00			`def global_abilities(user)`
			`rules = []`
			`rules << :create_group if user.can_create_group`
			`rules`
init commit 2011-10-08 17:36:38 -04:00			`end`

simple refactoring 2012-10-08 20:10:04 -04:00			`def project_abilities(user, project)`
			`rules = []`
init commit 2011-10-08 17:36:38 -04:00
REpostiry, Team models 2013-01-03 14:09:18 -05:00			`team = project.team`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`# Rules based on role in project`
REpostiry, Team models 2013-01-03 14:09:18 -05:00			`if team.masters.include?(user)`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_master_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
REpostiry, Team models 2013-01-03 14:09:18 -05:00			`elsif team.developers.include?(user)`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_dev_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
REpostiry, Team models 2013-01-03 14:09:18 -05:00			`elsif team.reporters.include?(user)`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_report_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`elsif team.guests.include?(user)`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_guest_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`end`

Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`if project.public? \|\| project.internal?`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += public_project_rules`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`end`

add admin ability to edit project settings from project area 2013-03-25 04:46:57 -04:00			`if project.owner == user \|\| user.admin?`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_admin_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`end`

Group ownership completely based on users_groups relation now Before we have only owner_id to determine group owner With multiple owners per group we should get rid of owner_id in group. So from now @group.owner will always be nil but @group.owners return an actual array of users who can admin this group 2013-09-26 07:49:22 -04:00			`if project.group && project.group.has_owner?(user)`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += project_admin_rules`
Add UsersGroup relation to be respected by abilities and Project#team 2013-06-17 07:17:32 -04:00			`end`

Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`if project.archived?`
			`rules -= project_archived_rules`
			`end`

			`rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`end`

Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`def public_project_rules`
Allow non authenticated user access to public projects 2013-09-24 08:58:39 -04:00			`project_guest_rules + [`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`:download_code,`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`:fork_project`
Allow forking of public projects by authenticated users. Fixes #4152 2013-06-06 07:16:08 -04:00			`]`
			`end`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_guest_rules`
			`[`
simple refactoring 2012-10-08 20:10:04 -04:00			`:read_project,`
			`:read_wiki,`
			`:read_issue,`
			`:read_milestone,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:read_project_snippet,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:read_team_member,`
			`:read_merge_request,`
			`:read_note,`
			`:write_project,`
			`:write_issue,`
Made fixes suggested by @randx in pull request See https://github.com/gitlabhq/gitlabhq/pull/3597#discussion-diff-4014638 2013-05-02 16:27:40 -04:00			`:write_note`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Wiki abilities 2012-02-20 13:16:55 -05:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_report_rules`
			`project_guest_rules + [`
simple refactoring 2012-10-08 20:10:04 -04:00			`:download_code,`
Fixed ability and modify UI a bit 2013-06-04 11:50:42 -04:00			`:fork_project,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:write_project_snippet`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Wiki abilities 2012-02-20 13:16:55 -05:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_dev_rules`
			`project_report_rules + [`
Reporter cant create MR. Show user authorized projects in Admin area 2013-01-21 07:16:48 -05:00			`:write_merge_request,`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`:write_wiki,`
Allow developers to mange issue tracker Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-01-24 14:29:22 -05:00			`:modify_issue,`
Fix Issues#bulk_update Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-10 08:36:58 -05:00			`:admin_issue,`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00			`:push_code`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 05:12:14 -04:00
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`def project_archived_rules`
			`[`
			`:write_merge_request,`
			`:push_code,`
			`:push_code_to_protected_branches,`
			`:modify_merge_request,`
			`:admin_merge_request`
			`]`
			`end`

Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_master_rules`
			`project_dev_rules + [`
			`:push_code_to_protected_branches,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:modify_issue,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:modify_project_snippet,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:modify_merge_request,`
			`:admin_issue,`
			`:admin_milestone,`
Tests fixed 2013-03-25 03:20:14 -04:00			`:admin_project_snippet,`
simple refactoring 2012-10-08 20:10:04 -04:00			`:admin_team_member,`
			`:admin_merge_request,`
			`:admin_note,`
Only owner of current namespace can change project namespace 2012-12-04 15:06:55 -05:00			`:admin_wiki,`
			`:admin_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
			`end`
init commit 2011-10-08 17:36:38 -04:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`def project_admin_rules`
			`project_master_rules + [`
Only owner of current namespace can change project namespace 2012-12-04 15:06:55 -05:00			`:change_namespace,`
Adding authenticated public mode (internal). Added visibility_level icons to project view (rather than just text). Added public projects to search results. Added ability to restrict visibility levels standard users can set. 2013-11-06 10:13:21 -05:00			`:change_visibility_level,`
Admin can move project to ANY namespace. Updated permissions page 2012-12-04 15:48:24 -05:00			`:rename_project,`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`:remove_project,`
			`:archive_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-28 23:29:11 -05:00			`]`
simple refactoring 2012-10-08 20:10:04 -04:00			`end`
security improved 2011-10-17 06:39:03 -04:00
add ability to change namespace from project edit page 2012-11-24 15:00:30 -05:00			`def group_abilities user, group`
			`rules = []`

Move services for collecting items to Finders Signed-off-by: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> 2014-02-25 12:15:08 -05:00			`if user.admin? \|\| group.users.include?(user) \|\| ProjectsFinder.new.execute(user, group: group).any?`
Fix 404 if Group guest visit empty group page 2013-09-11 14:00:16 -04:00			`rules << :read_group`
			`end`

Fix #2375. Admin and owner can manage groups 2013-01-02 11:57:02 -05:00			`# Only group owner and administrators can manage group`
Group ownership completely based on users_groups relation now Before we have only owner_id to determine group owner With multiple owners per group we should get rid of owner_id in group. So from now @group.owner will always be nil but @group.owners return an actual array of users who can admin this group 2013-09-26 07:49:22 -04:00			`if group.has_owner?(user) \|\| user.admin?`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += [`
Refactor project creation. Added logout link to profile page 2013-01-17 10:35:57 -05:00			`:manage_group,`
			`:manage_namespace`
Fix #2375. Admin and owner can manage groups 2013-01-02 11:57:02 -05:00			`]`
			`end`
add ability to change namespace from project edit page 2012-11-24 15:00:30 -05:00
			`rules.flatten`
			`end`

Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`def namespace_abilities user, namespace`
			`rules = []`

			`# Only namespace owner and administrators can manage it`
			`if namespace.owner == user \|\| user.admin?`
Archiving old projects; archived projects aren't shown on dashboard features for archive projects abilities for archived project other abilities for archive projects only limit commits and merges for archived projects ability changed to prohibited actions on archived projects added spec and feature tests for archive projects changed search bar not to include archived projects 2013-11-29 11:10:59 -05:00			`rules += [`
Use own abilities for namespace class 2013-06-21 15:44:40 -04:00			`:manage_namespace`
			`]`
			`end`

			`rules.flatten`
			`end`

Personal snippets controlelr refactored 2013-03-24 18:17:03 -04:00			`[:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do \|name\|`
security improved 2011-10-17 06:39:03 -04:00			`define_method "#{name}_abilities" do \|user, subject\|`
			`if subject.author == user`
			`[`
			`:"read_#{name}",`
			`:"write_#{name}",`
Abilities refactoring 2011-12-15 16:57:46 -05:00			`:"modify_#{name}",`
security improved 2011-10-17 06:39:03 -04:00			`:"admin_#{name}"`
			`]`
Abilities extended. Resources security improved 2012-02-21 17:31:18 -05:00			`elsif subject.respond_to?(:assignee) && subject.assignee == user`
			`[`
			`:"read_#{name}",`
			`:"write_#{name}",`
			`:"modify_#{name}",`
			`]`
security improved 2011-10-17 06:39:03 -04:00			`else`
simple refactoring 2012-10-08 20:10:04 -04:00			`subject.respond_to?(:project) ? project_abilities(user, subject.project) : []`
security improved 2011-10-17 06:39:03 -04:00			`end`
			`end`
			`end`
User can leave group from group page. 2014-02-07 11:59:55 -05:00
			`def users_group_abilities(user, subject)`
			`rules = []`
			`target_user = subject.user`
			`group = subject.group`
			`can_manage = group_abilities(user, group).include?(:manage_group)`
			`if can_manage && (user != target_user)`
			`rules << :modify`
Fixes a bug with group member administration Group owners were not able to remove any users from their group if they were the only owner. 2014-03-09 23:28:49 -04:00			`rules << :destroy`
User can leave group from group page. 2014-02-07 11:59:55 -05:00			`end`
			`if !group.last_owner?(user) && (can_manage \|\| (user == target_user))`
			`rules << :destroy`
			`end`
			`rules`
			`end`
security improved 2011-10-17 06:39:03 -04:00			`end`
init commit 2011-10-08 17:36:38 -04:00			`end`