2016-08-16 23:28:47 +00:00
|
|
|
class GroupPolicy < BasePolicy
|
2017-04-06 21:06:42 +00:00
|
|
|
desc "Group is public"
|
|
|
|
with_options scope: :subject, score: 0
|
|
|
|
condition(:public_group) { @subject.public? }
|
|
|
|
|
|
|
|
with_score 0
|
|
|
|
condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }
|
|
|
|
|
|
|
|
condition(:has_access) { access_level != GroupMember::NO_ACCESS }
|
2016-08-16 23:28:47 +00:00
|
|
|
|
2017-04-06 21:06:42 +00:00
|
|
|
condition(:guest) { access_level >= GroupMember::GUEST }
|
2017-09-13 20:32:58 +00:00
|
|
|
condition(:developer) { access_level >= GroupMember::DEVELOPER }
|
2017-04-06 21:06:42 +00:00
|
|
|
condition(:owner) { access_level >= GroupMember::OWNER }
|
|
|
|
condition(:master) { access_level >= GroupMember::MASTER }
|
|
|
|
condition(:reporter) { access_level >= GroupMember::REPORTER }
|
2016-08-16 23:28:47 +00:00
|
|
|
|
2017-08-09 10:58:00 +00:00
|
|
|
condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? }
|
|
|
|
|
2017-09-07 16:42:15 +00:00
|
|
|
condition(:has_parent, scope: :subject) { @subject.has_parent? }
|
2017-09-06 18:31:45 +00:00
|
|
|
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
|
|
|
|
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
|
2017-09-07 16:42:15 +00:00
|
|
|
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
|
2017-09-02 01:00:46 +00:00
|
|
|
|
2017-04-06 21:06:42 +00:00
|
|
|
condition(:has_projects) do
|
2017-03-03 10:35:04 +00:00
|
|
|
GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
|
2016-08-16 23:28:47 +00:00
|
|
|
end
|
2017-04-06 21:06:42 +00:00
|
|
|
|
|
|
|
with_options scope: :subject, score: 0
|
|
|
|
condition(:request_access_enabled) { @subject.request_access_enabled }
|
|
|
|
|
|
|
|
rule { public_group } .enable :read_group
|
|
|
|
rule { logged_in_viewable }.enable :read_group
|
2017-12-06 11:36:11 +00:00
|
|
|
|
|
|
|
rule { guest }.policy do
|
|
|
|
enable :read_group
|
|
|
|
enable :upload_file
|
|
|
|
end
|
|
|
|
|
2017-04-06 21:06:42 +00:00
|
|
|
rule { admin } .enable :read_group
|
|
|
|
rule { has_projects } .enable :read_group
|
|
|
|
|
2017-11-23 14:47:15 +00:00
|
|
|
rule { has_access }.enable :read_namespace
|
|
|
|
|
2017-09-13 20:32:58 +00:00
|
|
|
rule { developer }.enable :admin_milestones
|
2017-04-06 21:06:42 +00:00
|
|
|
rule { reporter }.enable :admin_label
|
|
|
|
|
|
|
|
rule { master }.policy do
|
|
|
|
enable :create_projects
|
2017-05-03 18:51:55 +00:00
|
|
|
enable :admin_pipeline
|
|
|
|
enable :admin_build
|
2017-04-06 21:06:42 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
rule { owner }.policy do
|
|
|
|
enable :admin_group
|
|
|
|
enable :admin_namespace
|
|
|
|
enable :admin_group_member
|
|
|
|
enable :change_visibility_level
|
|
|
|
end
|
|
|
|
|
2017-09-07 18:35:45 +00:00
|
|
|
rule { owner & nested_groups_supported }.enable :create_subgroup
|
2017-04-06 21:06:42 +00:00
|
|
|
|
|
|
|
rule { public_group | logged_in_viewable }.enable :view_globally
|
|
|
|
|
|
|
|
rule { default }.enable(:request_access)
|
|
|
|
|
|
|
|
rule { ~request_access_enabled }.prevent :request_access
|
|
|
|
rule { ~can?(:view_globally) }.prevent :request_access
|
|
|
|
rule { has_access }.prevent :request_access
|
|
|
|
|
2017-09-07 16:42:15 +00:00
|
|
|
rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
|
2017-09-02 01:00:46 +00:00
|
|
|
|
2017-04-06 21:06:42 +00:00
|
|
|
def access_level
|
|
|
|
return GroupMember::NO_ACCESS if @user.nil?
|
|
|
|
|
|
|
|
@access_level ||= @subject.max_member_access_for_user(@user)
|
|
|
|
end
|
2016-08-16 23:28:47 +00:00
|
|
|
end
|