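# Authorization table: maps a (user, subject) pair to the list of ability
# symbols the user holds on that subject.
#
# All methods are class-level (defined inside `class << self`). Every path
# starts from an empty list and only adds abilities, so a subject or user
# that matches no rule ends up with nothing beyond the global abilities.
class Ability
  class << self
    # Returns the abilities +user+ holds on +subject+.
    #
    # Anything that is not a User (for example nil for a visitor who is not
    # logged in) gets an empty list, before any subject-specific rule runs.
    #
    # Dispatch is on the exact class name string, so a subject whose class
    # name is not listed falls through to `else` and receives only the
    # global abilities.
    #
    # @param user [User, Object]
    # @param subject [Object]
    # @return [Array<Symbol>]
    def allowed(user, subject)
      return [] unless user.is_a?(User)

      rules =
        case subject.class.name
        when "Project" then project_abilities(user, subject)
        when "Issue" then issue_abilities(user, subject)
        when "Note" then note_abilities(user, subject)
        when "ProjectSnippet" then project_snippet_abilities(user, subject)
        when "PersonalSnippet" then personal_snippet_abilities(user, subject)
        when "MergeRequest" then merge_request_abilities(user, subject)
        when "Group", "Namespace" then group_abilities(user, subject)
        when "UserTeam" then user_team_abilities(user, subject)
        else []
        end

      # Every branch above returns a freshly built array, so appending in
      # place does not touch shared state.
      rules.concat(global_abilities(user))
    end

    # Abilities that do not depend on a subject, taken from per-user flags.
    #
    # @param user [User]
    # @return [Array<Symbol>]
    def global_abilities(user)
      rules = []
      rules << :create_group if user.can_create_group
      rules << :create_team if user.can_create_team
      rules
    end

    # Abilities of +user+ on +project+.
    #
    # The role chain picks the single highest matching tier (master,
    # developer, reporter, guest); owner/admin rules are added on top.
    #
    # @param user [User]
    # @param project [Project]
    # @return [Array<Symbol>] may contain duplicates when both a role tier
    #   and the admin tier apply
    def project_abilities(user, project)
      rules = []
      team = project.team

      # Rules based on role in project
      if team.masters.include?(user)
        rules << project_master_rules
      elsif team.developers.include?(user)
        rules << project_dev_rules
      elsif team.reporters.include?(user)
        rules << project_report_rules
      elsif team.guests.include?(user) || project.public?
        # Public projects: any logged-in user who is not a team member is
        # treated as a Guest. The guest list includes :write_project,
        # :write_issue and :write_note, so those are granted to non-members
        # as well. Visitors who are not logged in never reach this point
        # because `allowed` rejects non-User callers.
        # NOTE(review): the commit note attached to this line says public
        # projects also grant :download_code; nothing in this method adds
        # it, so confirm which of the two is intended.
        rules << project_guest_rules
      end

      if project.owner == user || user.admin?
        rules << project_admin_rules
      end

      rules.flatten
    end

    # Base tier: abilities of a project guest.
    #
    # @return [Array<Symbol>]
    def project_guest_rules
      [
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_project_snippet,
        :read_team_member,
        :read_merge_request,
        :read_note,
        :write_project,
        :write_issue,
        :write_note
      ]
    end

    # Guest abilities plus code download, forking and snippet creation.
    #
    # @return [Array<Symbol>]
    def project_report_rules
      project_guest_rules + [
        :download_code,
        :fork_project,
        :write_project_snippet
      ]
    end

    # Reporter abilities plus merge-request/wiki writes and code push.
    #
    # @return [Array<Symbol>]
    def project_dev_rules
      project_report_rules + [
        :write_merge_request,
        :write_wiki,
        :push_code
      ]
    end

    # Developer abilities plus protected-branch push and the modify_*/admin_*
    # abilities for project resources.
    #
    # @return [Array<Symbol>]
    def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
        :modify_issue,
        :modify_project_snippet,
        :modify_merge_request,
        :admin_issue,
        :admin_milestone,
        :admin_project_snippet,
        :admin_team_member,
        :admin_merge_request,
        :admin_note,
        :admin_wiki,
        :admin_project
      ]
    end

    # Master abilities plus the project-level destructive/administrative
    # operations (namespace change, visibility change, rename, removal).
    #
    # @return [Array<Symbol>]
    def project_admin_rules
      project_master_rules + [
        :change_namespace,
        :change_public_mode,
        :rename_project,
        :remove_project
      ]
    end

    # Abilities of +user+ on a group or namespace.
    #
    # @param user [User]
    # @param group [Group, Namespace]
    # @return [Array<Symbol>]
    def group_abilities(user, group)
      rules = []

      # Only group owner and administrators can manage group
      if group.owner == user || user.admin?
        rules << [
          :manage_group,
          :manage_namespace
        ]
      end

      rules.flatten
    end

    # Abilities of +user+ on a user team.
    #
    # @param user [User]
    # @param team [UserTeam]
    # @return [Array<Symbol>]
    def user_team_abilities(user, team)
      rules = []

      # The team owner, team admins and site administrators can manage the team
      if team.owner == user || team.admin?(user) || user.admin?
        rules << [:manage_user_team]
      end

      # Administering the team is narrower: team admins are not included
      if team.owner == user || user.admin?
        rules << [:admin_user_team]
      end

      rules.flatten
    end

    # Generates issue_abilities, note_abilities, project_snippet_abilities,
    # personal_snippet_abilities and merge_request_abilities.
    #
    # Each generated method takes (user, subject) and returns:
    # * read/write/modify/admin on the subject when the user is its author;
    # * read/write/modify when the subject has an assignee and it is the user;
    # * otherwise whatever the user holds on the subject's project.
    [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
      define_method "#{name}_abilities" do |user, subject|
        if subject.author == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
            :"admin_#{name}"
          ]
        elsif subject.respond_to?(:assignee) && subject.assignee == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}"
          ]
        else
          # A subject that has no project (or does not expose one) yields no
          # project-derived abilities instead of failing on nil.
          project = subject.respond_to?(:project) ? subject.project : nil
          project ? project_abilities(user, project) : []
        end
      end
    end
  end
end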