5db229fb45
Previously, only group masters could do this. However, project reporters can manage project labels, so there doesn't seem to be any need to restrict group labels further. Also, save a query or two by getting a single GroupMember object to find out if the user is a master or not.
50 lines
1.5 KiB
Ruby
50 lines
1.5 KiB
Ruby
class GroupPolicy < BasePolicy
|
|
def rules
|
|
can! :read_group if @subject.public?
|
|
return unless @user
|
|
|
|
globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
|
|
access_level = @subject.max_member_access_for_user(@user)
|
|
owner = access_level >= GroupMember::OWNER
|
|
master = access_level >= GroupMember::MASTER
|
|
reporter = access_level >= GroupMember::REPORTER
|
|
|
|
can_read = false
|
|
can_read ||= globally_viewable
|
|
can_read ||= access_level >= GroupMember::GUEST
|
|
can_read ||= GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
|
|
can! :read_group if can_read
|
|
|
|
if reporter
|
|
can! :admin_label
|
|
end
|
|
|
|
# Only group masters and group owners can create new projects
|
|
if master
|
|
can! :create_projects
|
|
can! :admin_milestones
|
|
end
|
|
|
|
# Only group owner and administrators can admin group
|
|
if owner
|
|
can! :admin_group
|
|
can! :admin_namespace
|
|
can! :admin_group_member
|
|
can! :change_visibility_level
|
|
can! :create_subgroup if @user.can_create_group
|
|
end
|
|
|
|
if globally_viewable && @subject.request_access_enabled && access_level == GroupMember::NO_ACCESS
|
|
can! :request_access
|
|
end
|
|
end
|
|
|
|
def can_read_group?
|
|
return true if @subject.public?
|
|
return true if @user.admin?
|
|
return true if @subject.internal? && !@user.external?
|
|
return true if @subject.users.include?(@user)
|
|
|
|
GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any?
|
|
end
|
|
end
|