Block EE-specific write abilities when project is archived

4074283d · Douwe Maan · Bob Van Landuyt · 036af7d1 · 4074283d · 4074283d
Commit 4074283d authored Apr 05, 2018 by Douwe Maan Committed by Bob Van Landuyt Apr 10, 2018
3 changed files
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
 class ProjectPolicy < BasePolicy
+  def self.create_read_update_admin_destroy(name)
+    [
+      :"read_#{name}",
+      *create_update_admin_destroy(name)
+    ]
+  end
+
+  def self.create_update_admin_destroy(name)
+    [
+      :"create_#{name}",
+      :"update_#{name}",
+      :"admin_#{name}",
+      :"destroy_#{name}"
+    ]
+  end
+
  prepend EE::ProjectPolicy

  READONLY_FEATURES_WHEN_ARCHIVED = %i[
@@ -22,22 +38,6 @@ class ProjectPolicy < BasePolicy
    cluster
  ].freeze

-  def self.create_read_update_admin_destroy(name)
-    [
-      :"read_#{name}",
-      *create_update_admin_destroy(name)
-    ]
-  end
-
-  def self.create_update_admin_destroy(name)
-    [
-      :"create_#{name}",
-      :"update_#{name}",
-      :"admin_#{name}",
-      :"destroy_#{name}"
-    ]
-  end
-
  desc "User is a project owner"
  condition :owner do
    (project.owner.present? && project.owner == @user) ||

--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -2,6 +2,12 @@ module EE
  module ProjectPolicy
    extend ActiveSupport::Concern

+    READONLY_FEATURES_WHEN_ARCHIVED = %i[
+      board
+      issue_link
+      approvers
+    ].freeze
+
    prepended do
      with_scope :subject
      condition(:service_desk_enabled) { @subject.service_desk_enabled? }
@@ -125,6 +131,12 @@ module EE
        prevent :master_access
        prevent :owner_access
      end
+
+      rule { archived }.policy do
+        READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
+          prevent(*::ProjectPolicy.create_update_admin_destroy(feature))
+        end
+      end
    end
  end
 end
--- a/spec/policies/project_policy_spec.rb
+++ b/spec/policies/project_policy_spec.rb
@@ -140,7 +140,7 @@ describe ProjectPolicy do
    let(:feature_write_abilities) do
      described_class::READONLY_FEATURES_WHEN_ARCHIVED.flat_map do |feature|
        described_class.create_update_admin_destroy(feature)
-      end
+      end + additional_reporter_permissions + additional_master_permissions
    end

    let(:other_write_abilities) do