convert the special-case Ability methods to use policies

2017-04-06 14:07:27 -07:00 · 2017-04-06 14:07:27 -07:00 · e895b49fce
parent 37c401433b
commit e895b49fce
1 changed files with 10 additions and 34 deletions
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@ -1,35 +1,20 @@
+require 'declarative_policy'
+
 class Ability
  class << self
    # Given a list of users and a project this method returns the users that can
    # read the given project.
    def users_that_can_read_project(users, project)
-      if project.public?
-        users
-      else
-        users.select do |user|
-          if user.admin?
-            true
-          elsif project.internal? && !user.external?
-            true
-          elsif project.owner == user
-            true
-          elsif project.team.members.include?(user)
-            true
-          else
-            false
-          end
-        end
+      DeclarativePolicy.subject_scope do
+        users.select { |u| allowed?(u, :read_project, project) }
      end
    end

    # Given a list of users and a snippet this method returns the users that can
    # read the given snippet.
    def users_that_can_read_personal_snippet(users, snippet)
-      case snippet.visibility_level
-      when Snippet::INTERNAL, Snippet::PUBLIC
-        users
-      when Snippet::PRIVATE
-        users.include?(snippet.author) ? [snippet.author] : []
+      DeclarativePolicy.subject_scope do
+        users.select { |u| allowed?(u, :read_personal_snippet, snippet) }
      end
    end

@ -38,22 +23,13 @@ class Ability
    # issues - The issues to reduce down to those readable by the user.
    # user - The User for which to check the issues
    def issues_readable_by_user(issues, user = nil)
-      return issues if user && user.admin?
-
-      issues.select { |issue| issue.visible_to_user?(user) }
+      DeclarativePolicy.user_scope do
+        issues.select { |issue| issue.visible_to_user?(user) }
+      end
    end

-    # TODO: make this private and use the actual abilities stuff for this
    def can_edit_note?(user, note)
-      return false if !note.editable? || !user.present?
-      return true if note.author == user || user.admin?
-
-      if note.project
-        max_access_level = note.project.team.max_member_access(user.id)
-        max_access_level >= Gitlab::Access::MASTER
-      else
-        false
-      end
+      allowed?(user, :edit_note, note)
    end

    def allowed?(user, action, subject = :global, opts = {})