gitlab-org--gitlab-foss/app/policies/identity_provider_policy.rb

# frozen_string_literal: true

class IdentityProviderPolicy < BasePolicy
  desc "Provider is SAML or CAS3"
  condition(:protected_provider, scope: :subject, score: 0) { %w(saml cas3).include?(@subject.to_s) }

  rule { anonymous }.prevent_all

  rule { default }.policy do
    enable :unlink
    enable :link
  end

  rule { protected_provider }.prevent(:unlink)
end
Move out link\unlink ability checks to a policy We can extend the policy in EE for additional behavior 2019-03-18 10:36:34 -04:00			`# frozen_string_literal: true`

			`class IdentityProviderPolicy < BasePolicy`
			`desc "Provider is SAML or CAS3"`
			`condition(:protected_provider, scope: :subject, score: 0) { %w(saml cas3).include?(@subject.to_s) }`

			`rule { anonymous }.prevent_all`

			`rule { default }.policy do`
			`enable :unlink`
			`enable :link`
			`end`

			`rule { protected_provider }.prevent(:unlink)`
			`end`