2018-07-24 06:00:56 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2016-08-16 16:08:14 -04:00
|
|
|
class NotePolicy < BasePolicy
|
2020-03-16 20:09:12 -04:00
|
|
|
include Gitlab::Utils::StrongMemoize
|
|
|
|
|
2020-02-23 22:09:05 -05:00
|
|
|
delegate { @subject.resource_parent }
|
2018-04-06 14:19:37 -04:00
|
|
|
delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
|
2016-08-16 16:08:14 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
condition(:is_author) { @user && @subject.author == @user }
|
2020-11-05 01:08:56 -05:00
|
|
|
condition(:is_noteable_author) { @user && @subject.noteable.try(:author_id) == @user.id }
|
2016-08-16 16:08:14 -04:00
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
condition(:editable, scope: :subject) { @subject.editable? }
|
2016-08-16 16:08:14 -04:00
|
|
|
|
2019-10-16 23:55:04 -04:00
|
|
|
condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
|
2020-03-17 17:09:16 -04:00
|
|
|
condition(:commit_is_deleted) { @subject.for_commit? && @subject.noteable.blank? }
|
2018-11-28 14:04:15 -05:00
|
|
|
|
2020-11-05 01:08:56 -05:00
|
|
|
condition(:for_design) { @subject.for_design? }
|
|
|
|
|
2022-02-11 10:14:00 -05:00
|
|
|
condition(:is_visible) { @subject.system_note_visible_for?(@user) }
|
2019-09-18 04:26:20 -04:00
|
|
|
|
2020-03-16 20:09:12 -04:00
|
|
|
condition(:confidential, scope: :subject) { @subject.confidential? }
|
|
|
|
|
|
|
|
condition(:can_read_confidential) do
|
2020-03-27 05:08:28 -04:00
|
|
|
access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
|
2020-03-16 20:09:12 -04:00
|
|
|
end
|
|
|
|
|
2018-04-02 13:05:47 -04:00
|
|
|
rule { ~editable }.prevent :admin_note
|
2017-04-06 17:06:42 -04:00
|
|
|
|
2018-11-28 14:04:15 -05:00
|
|
|
# If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
|
|
|
|
rule { ~can_read_noteable }.policy do
|
|
|
|
prevent :admin_note
|
|
|
|
prevent :resolve_note
|
2020-11-05 01:08:56 -05:00
|
|
|
prevent :reposition_note
|
2019-01-15 03:21:28 -05:00
|
|
|
prevent :award_emoji
|
2018-11-28 14:04:15 -05:00
|
|
|
end
|
|
|
|
|
2020-03-17 17:09:16 -04:00
|
|
|
# Special rule for deleted commits
|
|
|
|
rule { ~(can_read_noteable | commit_is_deleted) }.policy do
|
|
|
|
prevent :read_note
|
|
|
|
end
|
|
|
|
|
2017-04-06 17:06:42 -04:00
|
|
|
rule { is_author }.policy do
|
|
|
|
enable :read_note
|
|
|
|
enable :admin_note
|
|
|
|
enable :resolve_note
|
|
|
|
end
|
|
|
|
|
2019-09-18 04:26:20 -04:00
|
|
|
rule { ~is_visible }.policy do
|
|
|
|
prevent :read_note
|
|
|
|
prevent :admin_note
|
|
|
|
prevent :resolve_note
|
2020-11-05 01:08:56 -05:00
|
|
|
prevent :reposition_note
|
2019-09-18 04:26:20 -04:00
|
|
|
prevent :award_emoji
|
|
|
|
end
|
|
|
|
|
2018-04-02 14:38:47 -04:00
|
|
|
rule { is_noteable_author }.policy do
|
2017-04-06 17:06:42 -04:00
|
|
|
enable :resolve_note
|
2016-08-16 16:08:14 -04:00
|
|
|
end
|
2020-03-16 20:09:12 -04:00
|
|
|
|
2021-02-24 07:10:54 -05:00
|
|
|
rule { can_read_confidential }.policy do
|
|
|
|
enable :mark_note_as_confidential
|
|
|
|
end
|
|
|
|
|
2020-03-16 20:09:12 -04:00
|
|
|
rule { confidential & ~can_read_confidential }.policy do
|
|
|
|
prevent :read_note
|
|
|
|
prevent :admin_note
|
|
|
|
prevent :resolve_note
|
2020-11-05 01:08:56 -05:00
|
|
|
prevent :reposition_note
|
2020-03-16 20:09:12 -04:00
|
|
|
prevent :award_emoji
|
|
|
|
end
|
|
|
|
|
2020-11-05 01:08:56 -05:00
|
|
|
rule { can?(:admin_note) | (for_design & can?(:create_note)) }.policy do
|
|
|
|
enable :reposition_note
|
|
|
|
end
|
|
|
|
|
2020-03-16 20:09:12 -04:00
|
|
|
def parent_namespace
|
|
|
|
strong_memoize(:parent_namespace) do
|
|
|
|
next if @subject.is_a?(PersonalSnippet)
|
2021-03-18 17:09:00 -04:00
|
|
|
next @subject.noteable.group if @subject.noteable.is_a?(Epic)
|
2020-03-16 20:09:12 -04:00
|
|
|
|
|
|
|
@subject.project
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def access_level
|
|
|
|
return -1 if @user.nil?
|
|
|
|
return -1 unless parent_namespace
|
|
|
|
|
|
|
|
lookup_access_level!
|
|
|
|
end
|
|
|
|
|
|
|
|
def lookup_access_level!
|
|
|
|
return ::Gitlab::Access::REPORTER if alert_bot?
|
|
|
|
|
|
|
|
if parent_namespace.is_a?(Project)
|
|
|
|
parent_namespace.team.max_member_access(@user.id)
|
|
|
|
else
|
|
|
|
parent_namespace.max_member_access_for_user(@user)
|
|
|
|
end
|
|
|
|
end
|
2016-08-16 16:08:14 -04:00
|
|
|
end
|