gitlab-org--gitlab-foss/app/policies/base_policy.rb

# frozen_string_literal: true

require_dependency 'declarative_policy'

class BasePolicy < DeclarativePolicy::Base
  desc "User is an instance admin"
  with_options scope: :user, score: 0
  condition(:admin) do
    if Feature.enabled?(:user_mode_in_session)
      Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
    else
      @user&.admin?
    end
  end

  desc "User is blocked"
  with_options scope: :user, score: 0
  condition(:blocked) { @user&.blocked? }

  desc "User is deactivated"
  with_options scope: :user, score: 0
  condition(:deactivated) { @user&.deactivated? }

  desc "User email is unconfirmed or user account is locked"
  with_options scope: :user, score: 0
  condition(:inactive) do
    Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
      @user &&
      !@user&.active_for_authentication?
  end

  with_options scope: :user, score: 0
  condition(:external_user) { @user.nil? || @user.external? }

  with_options scope: :user, score: 0
  condition(:can_create_group) { @user&.can_create_group }

  desc "The application is restricted from public visibility"
  condition(:restricted_public_level, scope: :global) do
    Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
  end

  condition(:external_authorization_enabled, scope: :global, score: 0) do
    ::Gitlab::ExternalAuthorization.perform_check?
  end

  rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do
    prevent :read_cross_project
  end

  # Policy extended in EE to also enable auditors
  rule { admin }.enable :read_all_resources

  rule { default }.enable :read_cross_project
end

BasePolicy.prepend_if_ee('EE::BasePolicy')
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 10:00:56 +00:00			`# frozen_string_literal: true`

bugfix: use `require_dependency` to bring in DeclarativePolicy 2017-06-29 18:57:59 +00:00			`require_dependency 'declarative_policy'`
add automatic detection of the policy class 2016-08-16 19:55:44 +00:00
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`class BasePolicy < DeclarativePolicy::Base`
			`desc "User is an instance admin"`
			`with_options scope: :user, score: 0`
Add latest changes from gitlab-org/gitlab@master 2019-09-26 12:06:00 +00:00			`condition(:admin) do`
			`if Feature.enabled?(:user_mode_in_session)`
			`Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?`
			`else`
			`@user&.admin?`
			`end`
			`end`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00
preventing blocked users and their PipelineSchdules from creating new Pipelines updated several specs and factories to accomodate new permissions 2019-04-11 15:21:18 +00:00			`desc "User is blocked"`
			`with_options scope: :user, score: 0`
			`condition(:blocked) { @user&.blocked? }`

Add latest changes from gitlab-org/gitlab@master 2019-10-10 00:06:44 +00:00			`desc "User is deactivated"`
			`with_options scope: :user, score: 0`
			`condition(:deactivated) { @user&.deactivated? }`

Add latest changes from gitlab-org/gitlab@master 2020-01-30 21:08:47 +00:00			`desc "User email is unconfirmed or user account is locked"`
			`with_options scope: :user, score: 0`
			`condition(:inactive) do`
			`Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&`
			`@user &&`
			`!@user&.active_for_authentication?`
			`end`

convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`with_options scope: :user, score: 0`
			`condition(:external_user) { @user.nil? \|\| @user.external? }`
add support for anonymous abilities 2016-08-12 18:36:16 +00:00
convert all the policies to DeclarativePolicy 2017-04-06 21:06:42 +00:00			`with_options scope: :user, score: 0`
			`condition(:can_create_group) { @user&.can_create_group }`
Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. 2017-06-29 07:43:41 +00:00
Merge remote-tracking branch 'origin/master' into 34141-allow-unauthenticated-access-to-the-users-api - Modify policy code to work with the `DeclarativePolicy` refactor in 37c401433b76170f0150d70865f1f4584db01fa8. 2017-06-30 13:29:34 +00:00			`desc "The application is restricted from public visibility"`
			`condition(:restricted_public_level, scope: :global) do`
`current_application_settings` belongs on `Gitlab::CurrentSettings` The initializers including this were doing so at the top level, so every object loaded after them had a `current_application_settings` method. However, if someone had rack-attack enabled (which was loaded before these initializers), it would try to load the API, and fail, because `Gitlab::CurrentSettings` didn't have that method. To fix this: 1. Don't include `Gitlab::CurrentSettings` at the top level. We do not need `Object.new.current_application_settings` to work. 2. Make `Gitlab::CurrentSettings` explicitly `extend self`, as we already use it like that in several places. 3. Change the initializers to use that new form. 2017-08-31 09:47:03 +00:00			`Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)`
Implement review comments for !12445 from @godfat and @rymai. - Use `GlobalPolicy` to authorize the users that a non-authenticated user can fetch from `/api/v4/users`. We allow access if the `Gitlab::VisibilityLevel::PUBLIC` visibility level is not restricted. - Further, as before, `/api/v4/users` is only accessible to unauthenticated users if the `username` parameter is passed. - Turn off `authenticate!` for the `/api/v4/users` endpoint by matching on the actual route + method, rather than the description. - Change the type of `current_user` check in `UsersFinder` to be more compatible with EE. 2017-06-29 07:43:41 +00:00			`end`
Port `read_cross_project` ability from EE 2017-12-11 14:21:06 +00:00
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE 2019-04-09 15:38:58 +00:00			`condition(:external_authorization_enabled, scope: :global, score: 0) do`
			`::Gitlab::ExternalAuthorization.perform_check?`
			`end`

Add latest changes from gitlab-org/gitlab@master 2019-11-06 18:06:29 +00:00			`rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do`
Move Contribution Analytics related spec in spec/features/groups/group_page_with_external_authorization_service_spec to EE 2019-04-09 15:38:58 +00:00			`prevent :read_cross_project`
			`end`

Add latest changes from gitlab-org/gitlab@master 2019-12-17 09:07:48 +00:00			`# Policy extended in EE to also enable auditors`
Add latest changes from gitlab-org/gitlab@master 2019-11-06 18:06:29 +00:00			`rule { admin }.enable :read_all_resources`

Port `read_cross_project` ability from EE 2017-12-11 14:21:06 +00:00			`rule { default }.enable :read_cross_project`
add policies, and factor out ProjectPolicy 2016-08-11 22:12:52 +00:00			`end`
Add latest changes from gitlab-org/gitlab@master 2019-09-13 13:26:31 +00:00
			`BasePolicy.prepend_if_ee('EE::BasePolicy')`