gitlab-org--gitlab-foss/app/policies/project_snippet_policy.rb

# frozen_string_literal: true

class ProjectSnippetPolicy < BasePolicy
  delegate :project

  desc "Snippet is public"
  condition(:public_snippet, scope: :subject) { @subject.public? }
  condition(:internal_snippet, scope: :subject) { @subject.internal? }
  condition(:private_snippet, scope: :subject) { @subject.private? }
  condition(:public_project, scope: :subject) { @subject.project.public? }

  condition(:is_author) { @user && @subject.author == @user }

  # We have to check both project feature visibility and a snippet visibility and take the stricter one
  # This will be simplified - check https://gitlab.com/gitlab-org/gitlab-ce/issues/27573
  rule { ~can?(:read_project) }.policy do
    prevent :read_project_snippet
    prevent :update_project_snippet
    prevent :admin_project_snippet
  end

  # we have to use this complicated prevent because the delegated project policy
  # is overly greedy in allowing :read_project_snippet, since it doesn't have any
  # information about the snippet. However, :read_project_snippet on the *project*
  # is used to hide/show various snippet-related controls, so we can't just move
  # all of the handling here.
  rule do
    all?(private_snippet | (internal_snippet & external_user),
         ~project.guest,
         ~is_author,
         ~full_private_access)
  end.prevent :read_project_snippet

  rule { internal_snippet & ~is_author & ~admin }.policy do
    prevent :update_project_snippet
    prevent :admin_project_snippet
  end

  rule { public_snippet }.enable :read_project_snippet

  rule { is_author | admin }.policy do
    enable :read_project_snippet
    enable :update_project_snippet
    enable :admin_project_snippet
  end

  rule { ~can?(:read_project_snippet) }.prevent :create_note
end
Enable frozen string in presenters and policies Enable frozen string in: * app/presenters * app/policies Partially addresses #47424. 2018-07-24 06:00:56 -04:00			`# frozen_string_literal: true`

port notes and project snippets 2016-08-16 16:08:14 -04:00			`class ProjectSnippetPolicy < BasePolicy`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`delegate :project`

			`desc "Snippet is public"`
			`condition(:public_snippet, scope: :subject) { @subject.public? }`
Make ProjectSnippetPolicy EE-ready Signed-off-by: Rémy Coutable <remy@rymai.me> 2018-12-18 11:18:09 -05:00			`condition(:internal_snippet, scope: :subject) { @subject.internal? }`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`condition(:private_snippet, scope: :subject) { @subject.private? }`
			`condition(:public_project, scope: :subject) { @subject.project.public? }`

			`condition(:is_author) { @user && @subject.author == @user }`

			`# We have to check both project feature visibility and a snippet visibility and take the stricter one`
			`# This will be simplified - check https://gitlab.com/gitlab-org/gitlab-ce/issues/27573`
			`rule { ~can?(:read_project) }.policy do`
			`prevent :read_project_snippet`
			`prevent :update_project_snippet`
			`prevent :admin_project_snippet`
			`end`

			`# we have to use this complicated prevent because the delegated project policy`
			`# is overly greedy in allowing :read_project_snippet, since it doesn't have any`
			`# information about the snippet. However, :read_project_snippet on the project`
			`# is used to hide/show various snippet-related controls, so we can't just move`
			`# all of the handling here.`
			`rule do`
Make ProjectSnippetPolicy EE-ready Signed-off-by: Rémy Coutable <remy@rymai.me> 2018-12-18 11:18:09 -05:00			`all?(private_snippet \| (internal_snippet & external_user),`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`~project.guest,`
Make ProjectSnippetPolicy EE-ready Signed-off-by: Rémy Coutable <remy@rymai.me> 2018-12-18 11:18:09 -05:00			`~is_author,`
			`~full_private_access)`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`end.prevent :read_project_snippet`

Make ProjectSnippetPolicy EE-ready Signed-off-by: Rémy Coutable <remy@rymai.me> 2018-12-18 11:18:09 -05:00			`rule { internal_snippet & ~is_author & ~admin }.policy do`
convert all the policies to DeclarativePolicy 2017-04-06 17:06:42 -04:00			`prevent :update_project_snippet`
			`prevent :admin_project_snippet`
			`end`

			`rule { public_snippet }.enable :read_project_snippet`

			`rule { is_author \| admin }.policy do`
			`enable :read_project_snippet`
			`enable :update_project_snippet`
			`enable :admin_project_snippet`
port notes and project snippets 2016-08-16 16:08:14 -04:00			`end`
Prevent comments by email when issue is locked This changes the permission check so it uses the policy on Noteable instead of Project. This prevents bypassing of rules defined in Noteable for locked discussions and confidential issues. Also rechecks permissions when reply_to_discussion_id is provided since the discussion_id may be from a different noteable. 2019-01-15 13:53:24 -05:00
			`rule { ~can?(:read_project_snippet) }.prevent :create_note`
port notes and project snippets 2016-08-16 16:08:14 -04:00			`end`