convert the special-case Ability methods to use policies
This commit is contained in:
parent
37c401433b
commit
e895b49fce
|
@ -1,35 +1,20 @@
|
||||||
|
require 'declarative_policy'
|
||||||
|
|
||||||
class Ability
|
class Ability
|
||||||
class << self
|
class << self
|
||||||
# Given a list of users and a project this method returns the users that can
|
# Given a list of users and a project this method returns the users that can
|
||||||
# read the given project.
|
# read the given project.
|
||||||
def users_that_can_read_project(users, project)
|
def users_that_can_read_project(users, project)
|
||||||
if project.public?
|
DeclarativePolicy.subject_scope do
|
||||||
users
|
users.select { |u| allowed?(u, :read_project, project) }
|
||||||
else
|
|
||||||
users.select do |user|
|
|
||||||
if user.admin?
|
|
||||||
true
|
|
||||||
elsif project.internal? && !user.external?
|
|
||||||
true
|
|
||||||
elsif project.owner == user
|
|
||||||
true
|
|
||||||
elsif project.team.members.include?(user)
|
|
||||||
true
|
|
||||||
else
|
|
||||||
false
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# Given a list of users and a snippet this method returns the users that can
|
# Given a list of users and a snippet this method returns the users that can
|
||||||
# read the given snippet.
|
# read the given snippet.
|
||||||
def users_that_can_read_personal_snippet(users, snippet)
|
def users_that_can_read_personal_snippet(users, snippet)
|
||||||
case snippet.visibility_level
|
DeclarativePolicy.subject_scope do
|
||||||
when Snippet::INTERNAL, Snippet::PUBLIC
|
users.select { |u| allowed?(u, :read_personal_snippet, snippet) }
|
||||||
users
|
|
||||||
when Snippet::PRIVATE
|
|
||||||
users.include?(snippet.author) ? [snippet.author] : []
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -38,22 +23,13 @@ class Ability
|
||||||
# issues - The issues to reduce down to those readable by the user.
|
# issues - The issues to reduce down to those readable by the user.
|
||||||
# user - The User for which to check the issues
|
# user - The User for which to check the issues
|
||||||
def issues_readable_by_user(issues, user = nil)
|
def issues_readable_by_user(issues, user = nil)
|
||||||
return issues if user && user.admin?
|
DeclarativePolicy.user_scope do
|
||||||
|
issues.select { |issue| issue.visible_to_user?(user) }
|
||||||
issues.select { |issue| issue.visible_to_user?(user) }
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
# TODO: make this private and use the actual abilities stuff for this
|
|
||||||
def can_edit_note?(user, note)
|
def can_edit_note?(user, note)
|
||||||
return false if !note.editable? || !user.present?
|
allowed?(user, :edit_note, note)
|
||||||
return true if note.author == user || user.admin?
|
|
||||||
|
|
||||||
if note.project
|
|
||||||
max_access_level = note.project.team.max_member_access(user.id)
|
|
||||||
max_access_level >= Gitlab::Access::MASTER
|
|
||||||
else
|
|
||||||
false
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def allowed?(user, action, subject = :global, opts = {})
|
def allowed?(user, action, subject = :global, opts = {})
|
||||||
|
|
Loading…
Reference in New Issue