Add User#full_private_access? to check if user has Private access
In CE only the admin has access to all private groups & projects. In EE an auditor can also have full private access. To avoid merge conflicts or accidentally incorrect access rights, this is abstracted into `User#full_private_access?`. `User#admin?` should now be used only for admin-only features; for private-access-related features `User#full_private_access?` should be used. Backported from gitlab-org/gitlab-ee!2199
parent
f09aa6b755
commit
b90f1098cf
@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder
|
||||||
def self.not_restricted_by_confidentiality(user)
|
def self.not_restricted_by_confidentiality(user)
|
||||||
return Issue.where('issues.confidential IS NOT TRUE') if user.blank?
|
return Issue.where('issues.confidential IS NOT TRUE') if user.blank?
|
||||||
|
|
||||||
return Issue.all if user.admin?
|
return Issue.all if user.full_private_access?
|
||||||
|
|
||||||
Issue.where('
|
Issue.where('
|
||||||
issues.confidential IS NOT TRUE
|
issues.confidential IS NOT TRUE
|
||||||
|
|
|
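Review bot: The new guard `return Issue.all if user.full_private_access?` ties the confidential-issue bypass to the private-visibility predicate, which is a broader concern than issue confidentiality; every account for which `full_private_access?` is true (in EE, per the commit message, also auditors) will now see all confidential issues, where previously only admins did. If that widening is intended it should be stated at this line, e.g. `# full private access implies visibility of confidential issues as well`; if it is not, this caller should keep `user.admin?`. The same substitution in the ProjectFeature and VisibilityLevel hunks checks private visibility directly, so the point applies only here. `not_restricted_by_confidentiality` continues past the end of the hunk.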
@ -90,7 +90,7 @@ class ProjectFeature < ActiveRecord::Base
|
||||||
when DISABLED
|
when DISABLED
|
||||||
false
|
false
|
||||||
when PRIVATE
|
when PRIVATE
|
||||||
user && (project.team.member?(user) || user.admin?)
|
user && (project.team.member?(user) || user.full_private_access?)
|
||||||
when ENABLED
|
when ENABLED
|
||||||
true
|
true
|
||||||
else
|
else
|
||||||
|
|
|
@ -984,6 +984,12 @@ class User < ActiveRecord::Base
|
||||||
self.admin = (new_level == 'admin')
|
self.admin = (new_level == 'admin')
|
||||||
end
|
end
|
||||||
|
|
||||||
|
# Does the user have access to all private groups & projects?
|
||||||
|
# Overridden in EE to also check auditor?
|
||||||
|
def full_private_access?
|
||||||
|
admin?
|
||||||
|
end
|
||||||
|
|
||||||
def update_two_factor_requirement
|
def update_two_factor_requirement
|
||||||
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
|
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
|
||||||
|
|
||||||
|
|
|
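Review bot: The comment above `def full_private_access?` explains the EE override but not the usage rule the commit message establishes, that callers deciding access to private groups and projects use this predicate while `admin?` is reserved for admin-only features; that guidance currently lives only in the commit message and will be lost to readers of the model. I would extend the comment to `# Use this for access checks on private groups & projects; admin? is for admin-only features.` The body, returning `admin?`, is fine as written.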
@ -0,0 +1,4 @@
|
||||||
|
---
|
||||||
|
title: Add User#full_private_access? to check if user has access to all private groups & projects
|
||||||
|
merge_request: 12373
|
||||||
|
author:
|
|
@ -28,7 +28,7 @@ module Gitlab
|
||||||
def levels_for_user(user = nil)
|
def levels_for_user(user = nil)
|
||||||
return [PUBLIC] unless user
|
return [PUBLIC] unless user
|
||||||
|
|
||||||
if user.admin?
|
if user.full_private_access?
|
||||||
[PRIVATE, INTERNAL, PUBLIC]
|
[PRIVATE, INTERNAL, PUBLIC]
|
||||||
elsif user.external?
|
elsif user.external?
|
||||||
[PUBLIC]
|
[PUBLIC]
|
||||||
|
|
|
@ -21,7 +21,7 @@ describe Gitlab::VisibilityLevel, lib: true do
|
||||||
|
|
||||||
describe '.levels_for_user' do
|
describe '.levels_for_user' do
|
||||||
it 'returns all levels for an admin' do
|
it 'returns all levels for an admin' do
|
||||||
user = double(:user, admin?: true)
|
user = build(:user, :admin)
|
||||||
|
|
||||||
expect(described_class.levels_for_user(user))
|
expect(described_class.levels_for_user(user))
|
||||||
.to eq([Gitlab::VisibilityLevel::PRIVATE,
|
.to eq([Gitlab::VisibilityLevel::PRIVATE,
|
||||||
|
@ -30,7 +30,7 @@ describe Gitlab::VisibilityLevel, lib: true do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns INTERNAL and PUBLIC for internal users' do
|
it 'returns INTERNAL and PUBLIC for internal users' do
|
||||||
user = double(:user, admin?: false, external?: false)
|
user = build(:user)
|
||||||
|
|
||||||
expect(described_class.levels_for_user(user))
|
expect(described_class.levels_for_user(user))
|
||||||
.to eq([Gitlab::VisibilityLevel::INTERNAL,
|
.to eq([Gitlab::VisibilityLevel::INTERNAL,
|
||||||
|
@ -38,7 +38,7 @@ describe Gitlab::VisibilityLevel, lib: true do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'returns PUBLIC for external users' do
|
it 'returns PUBLIC for external users' do
|
||||||
user = double(:user, admin?: false, external?: true)
|
user = build(:user, :external)
|
||||||
|
|
||||||
expect(described_class.levels_for_user(user))
|
expect(described_class.levels_for_user(user))
|
||||||
.to eq([Gitlab::VisibilityLevel::PUBLIC])
|
.to eq([Gitlab::VisibilityLevel::PUBLIC])
|
||||||
|
|
|
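Review bot: Replacing `double(:user, admin?: true)` with `build(:user, :admin)` couples this lib spec to the User model and its factory, whereas stubbing the new predicate on the double, `double(:user, full_private_access?: true)` and `double(:user, full_private_access?: false, external?: false)` for the other cases, would keep the spec isolated and document exactly which predicate `levels_for_user` now consults. As written, the internal-user example relies on the factory default producing a non-external, non-admin user, which I cannot confirm from the hunk.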
@ -1733,6 +1733,20 @@ describe User, models: true do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#full_private_access?' do
|
||||||
|
it 'returns false for regular user' do
|
||||||
|
user = build(:user)
|
||||||
|
|
||||||
|
expect(user.full_private_access?).to be_falsy
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'returns true for admin user' do
|
||||||
|
user = build(:user, :admin)
|
||||||
|
|
||||||
|
expect(user.full_private_access?).to be_truthy
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
describe '.ghost' do
|
describe '.ghost' do
|
||||||
it "creates a ghost user if one isn't already present" do
|
it "creates a ghost user if one isn't already present" do
|
||||||
ghost = User.ghost
|
ghost = User.ghost
|
||||||
|
|
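Review bot: `be_falsy` and `be_truthy` on `expect(user.full_private_access?)` accept any falsy or truthy value, so a later override returning nil or some non-boolean object would still pass; since the CE implementation delegates to `admin?`, which is presumably a boolean attribute predicate, `expect(user.full_private_access?).to be(false)` and `.to be(true)` pin the contract more precisely. The `describe '#full_private_access?'` block lies entirely within the hunk.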