gitlab-org--gitlab-foss/app/policies/todo_policy.rb

14 lines
381 B
Ruby

# frozen_string_literal: true
class TodoPolicy < BasePolicy
desc 'User can only read own todos'
condition(:own_todo) do
@user && @subject.user_id == @user.id
end
condition(:can_read_target) do
@user && @subject.target&.readable_by?(@user)
end
rule { own_todo & can_read_target }.enable :read_todo
rule { own_todo & can_read_target }.enable :update_todo
end