use a magic default :global symbol instead of nil
to make sure we mean the global permissions
parent
130fd255bc
commit
846e581732
|
@ -90,7 +90,7 @@ class ApplicationController < ActionController::Base
|
|||
current_application_settings.after_sign_out_path.presence || new_user_session_path
|
||||
end
|
||||
|
||||
def can?(object, action, subject)
|
||||
def can?(object, action, subject = :global)
|
||||
Ability.allowed?(object, action, subject)
|
||||
end
|
||||
|
||||
|
|
|
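Review bot: The `subject = :global` default on this `can?` is duplicated in the `can?` wrappers of the Guest, User, API helpers, Banzai and `Gitlab::Allowable` hunks, and again in `Ability.allowed?` and `Ability.allowed`, so the sentinel has to be kept in sync across many signatures. Every one of these wrappers only forwards to `Ability.allowed?`, so they could share a single definition and keep the default in one place. Including `Gitlab::Allowable` looks like the obvious way to do that, provided nothing outside these hunks prevents it. If the copies stay, a comment such as `# subject defaults to :global (instance-wide permissions); an explicit nil is denied` on each wrapper would make the contract visible where permission checks are written.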
@ -118,7 +118,7 @@ class GroupsController < Groups::ApplicationController
|
|||
end
|
||||
|
||||
def authorize_create_group!
|
||||
unless can?(current_user, :create_group, nil)
|
||||
unless can?(current_user, :create_group)
|
||||
return render_404
|
||||
end
|
||||
end
|
||||
|
|
|
@ -56,15 +56,16 @@ class Ability
|
|||
end
|
||||
end
|
||||
|
||||
def allowed?(user, action, subject)
|
||||
def allowed?(user, action, subject = :global)
|
||||
allowed(user, subject).include?(action)
|
||||
end
|
||||
|
||||
def allowed(user, subject)
|
||||
def allowed(user, subject = :global)
|
||||
return BasePolicy::RuleSet.none if subject.nil?
|
||||
return uncached_allowed(user, subject) unless RequestStore.active?
|
||||
|
||||
user_key = user ? user.id : 'anonymous'
|
||||
subject_key = subject ? "#{subject.class.name}/#{subject.id}" : 'global'
|
||||
subject_key = subject == :global ? 'global' : "#{subject.class.name}/#{subject.id}"
|
||||
key = "/ability/#{user_key}/#{subject_key}"
|
||||
RequestStore[key] ||= uncached_allowed(user, subject).freeze
|
||||
end
|
||||
|
|
|
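Review bot: The new guard `return BasePolicy::RuleSet.none if subject.nil?` in `allowed` denies silently, while `BasePolicy.class_for` in the same commit raises `ArgumentError, 'no policy for nil'` for the same input. The same mistake therefore behaves differently depending on the entry point. Failing closed is the safe direction, but a call site that still passes an explicit `nil` to mean global permissions and was not updated here would now lose access with no error or log to point at it. At minimum the guard should carry a comment stating the contract, e.g. `# nil is never a valid subject: deny everything. Use :global (the default) for instance-wide permissions.` It is also worth deciding whether this path should raise like `class_for` in development and test, so leftover `nil` callers surface early.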
@ -1,6 +1,6 @@
|
|||
class Guest
|
||||
class << self
|
||||
def can?(action, subject)
|
||||
def can?(action, subject = :global)
|
||||
Ability.allowed?(nil, action, subject)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -563,14 +563,14 @@ class User < ActiveRecord::Base
|
|||
end
|
||||
|
||||
def can_create_group?
|
||||
can?(:create_group, nil)
|
||||
can?(:create_group)
|
||||
end
|
||||
|
||||
def can_select_namespace?
|
||||
several_namespaces? || admin
|
||||
end
|
||||
|
||||
def can?(action, subject)
|
||||
def can?(action, subject = :global)
|
||||
Ability.allowed?(self, action, subject)
|
||||
end
|
||||
|
||||
|
|
|
@ -12,6 +12,10 @@ class BasePolicy
|
|||
new(Set.new, Set.new)
|
||||
end
|
||||
|
||||
def self.none
|
||||
empty.freeze
|
||||
end
|
||||
|
||||
def can?(ability)
|
||||
@can_set.include?(ability) && !@cannot_set.include?(ability)
|
||||
end
|
||||
|
@ -49,7 +53,8 @@ class BasePolicy
|
|||
end
|
||||
|
||||
def self.class_for(subject)
|
||||
return GlobalPolicy if subject.nil?
|
||||
return GlobalPolicy if subject == :global
|
||||
raise ArgumentError, 'no policy for nil' if subject.nil?
|
||||
|
||||
if subject.class.try(:presenter?)
|
||||
subject = subject.subject
|
||||
|
@ -79,7 +84,7 @@ class BasePolicy
|
|||
end
|
||||
|
||||
def abilities
|
||||
return RuleSet.empty if @user && @user.blocked?
|
||||
return RuleSet.none if @user && @user.blocked?
|
||||
return anonymous_abilities if @user.nil?
|
||||
collect_rules { rules }
|
||||
end
|
||||
|
|
|
@ -116,7 +116,7 @@ module API
|
|||
forbidden! unless current_user.is_admin?
|
||||
end
|
||||
|
||||
def authorize!(action, subject = nil)
|
||||
def authorize!(action, subject = :global)
|
||||
forbidden! unless can?(current_user, action, subject)
|
||||
end
|
||||
|
||||
|
@ -134,7 +134,7 @@ module API
|
|||
end
|
||||
end
|
||||
|
||||
def can?(object, action, subject)
|
||||
def can?(object, action, subject = :global)
|
||||
Ability.allowed?(object, action, subject)
|
||||
end
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ module API
|
|||
use :pagination
|
||||
end
|
||||
get do
|
||||
unless can?(current_user, :read_users_list, nil)
|
||||
unless can?(current_user, :read_users_list)
|
||||
render_api_error!("Not authorized.", 403)
|
||||
end
|
||||
|
||||
|
|
|
@ -210,7 +210,7 @@ module Banzai
|
|||
grouped_objects_for_nodes(nodes, Project, 'data-project')
|
||||
end
|
||||
|
||||
def can?(user, permission, subject)
|
||||
def can?(user, permission, subject = :global)
|
||||
Ability.allowed?(user, permission, subject)
|
||||
end
|
||||
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
module Gitlab
|
||||
module Allowable
|
||||
def can?(user, action, subject)
|
||||
def can?(user, action, subject = :global)
|
||||
Ability.allowed?(user, action, subject)
|
||||
end
|
||||
end
|
||||
|
|