gitlab-org--gitlab-foss/app/policies/user_policy.rb

# frozen_string_literal: true

class UserPolicy < BasePolicy
  desc "The current user is the user in question"
  condition(:user_is_self, score: 0) { @subject == @user }

  desc "This is the ghost user"
  condition(:subject_ghost, scope: :subject, score: 0) { @subject.ghost? }

  desc "The profile is private"
  condition(:private_profile, scope: :subject, score: 0) { @subject.private_profile? }

  desc "The user is blocked"
  condition(:blocked_user, scope: :subject, score: 0) { @subject.blocked? }

  rule { ~restricted_public_level }.enable :read_user
  rule { ~anonymous }.enable :read_user

  rule { ~subject_ghost & (user_is_self | admin) }.policy do
    enable :destroy_user
    enable :update_user
    enable :update_user_status
    enable :read_user_personal_access_tokens
    enable :read_group_count
  end

  rule { default }.enable :read_user_profile
  rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
  rule { user_is_self | admin }.enable :disable_two_factor
  rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
end

UserPolicy.prepend_if_ee('EE::UserPolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

port UserPolicy 2016-08-18 12:59:17 -04:00			`class UserPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "The current user is the user in question"`
			`condition(:user_is_self, score: 0) { @subject == @user }`
Don't allow deleting a ghost user. - Add a `destroy_user` ability. This didn't exist before, and was implicit in other abilities (only admins could access the admin area, so only they could destroy all users; a user can only access their own account page, and so can destroy only themselves). - Grant this ability to admins, and when the current user is trying to destroy themselves. Disallow destroying ghost users in all cases. - Modify the `Users::DestroyService` to check this ability. Also check it in views to decide whether or not to show the "Delete User" button. - Add a short summary of the Ghost User to the bio. 2017-02-17 09:58:12 -05:00
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`desc "This is the ghost user"`
			`condition(:subject_ghost, scope: :subject, score: 0) { @subject.ghost? }`
Don't allow deleting a ghost user. - Add a `destroy_user` ability. This didn't exist before, and was implicit in other abilities (only admins could access the admin area, so only they could destroy all users; a user can only access their own account page, and so can destroy only themselves). - Grant this ability to admins, and when the current user is trying to destroy themselves. Disallow destroying ghost users in all cases. - Modify the `Users::DestroyService` to check this ability. Also check it in views to decide whether or not to show the "Delete User" button. - Add a short summary of the Ghost User to the bio. 2017-02-17 09:58:12 -05:00
Add an option to have a private profile on GitLab 2018-07-24 08:46:19 -04:00			`desc "The profile is private"`
			`condition(:private_profile, scope: :subject, score: 0) { @subject.private_profile? }`

Add latest changes from gitlab-org/gitlab@master 2019-12-16 13:08:22 -05:00			`desc "The user is blocked"`
			`condition(:blocked_user, scope: :subject, score: 0) { @subject.blocked? }`

convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`rule { ~restricted_public_level }.enable :read_user`
			`rule { ~anonymous }.enable :read_user`

Make the user dropdown reusable We will reuse the the dropdown, but exclude some menu items based on permissions. So moving the menu to a partial, and adding checks for each menu item here. 2018-04-25 10:54:26 -04:00			`rule { ~subject_ghost & (user_is_self \| admin) }.policy do`
			`enable :destroy_user`
			`enable :update_user`
Allow users to set a status This can be done trough the API for the current user, or on the profile page. 2018-07-13 11:52:31 -04:00			`enable :update_user_status`
Add latest changes from gitlab-org/gitlab@master 2020-08-06 17:10:15 -04:00			`enable :read_user_personal_access_tokens`
Add latest changes from gitlab-org/gitlab@master 2020-10-30 14:08:56 -04:00			`enable :read_group_count`
Make the user dropdown reusable We will reuse the the dropdown, but exclude some menu items based on permissions. So moving the menu to a partial, and adding checks for each menu item here. 2018-04-25 10:54:26 -04:00			`end`
Add an option to have a private profile on GitLab 2018-07-24 08:46:19 -04:00
			`rule { default }.enable :read_user_profile`
Add latest changes from gitlab-org/gitlab@master 2019-12-16 13:08:22 -05:00			`rule { (private_profile \| blocked_user) & ~(user_is_self \| admin) }.prevent :read_user_profile`
Add latest changes from gitlab-org/gitlab@master 2020-08-20 11:10:18 -04:00			`rule { user_is_self \| admin }.enable :disable_two_factor`
Add latest changes from gitlab-org/gitlab@master 2020-11-09 07:09:24 -05:00			`rule { (user_is_self \| admin) & ~blocked }.enable :create_user_personal_access_token`
port UserPolicy 2016-08-18 12:59:17 -04:00			`end`
Add latest changes from gitlab-org/gitlab@master 2020-01-16 04:08:46 -05:00
			`UserPolicy.prepend_if_ee('EE::UserPolicy')`