Merge branch '212566-foss-design-management-policies' into 'master'

Move Design Management policies to FOSS See merge request gitlab-org/gitlab!29995

Merge branch '212566-foss-design-management-policies' into 'master'
Move Design Management policies to FOSS See merge request gitlab-org/gitlab!29995
ac850c9a · Jan Provaznik · 5d191707 · 632ee3a6 · ac850c9a · ac850c9a
Commit ac850c9a authored May 04, 2020 by Jan Provaznik
9 changed files
--- a/ee/app/policies/design_management/design_at_version_policy.rb
+++ b/ee/app/policies/design_management/design_at_version_policy.rb
--- a/ee/app/policies/design_management/design_collection_policy.rb
+++ b/ee/app/policies/design_management/design_collection_policy.rb
--- a/ee/app/policies/design_management/design_policy.rb
+++ b/ee/app/policies/design_management/design_policy.rb
--- a/ee/app/policies/design_management/version_policy.rb
+++ b/ee/app/policies/design_management/version_policy.rb
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
  desc "Issue is confidential"
  condition(:confidential, scope: :subject) { @subject.confidential? }

+  desc "Issue has moved"
+  condition(:moved) { @subject.moved? }
+
  rule { confidential & ~can_read_confidential }.policy do
    prevent(*create_read_update_admin_destroy(:issue))
    prevent :read_issue_iid
@@ -25,6 +28,15 @@ class IssuePolicy < IssuablePolicy
  rule { locked }.policy do
    prevent :reopen_issue
  end
-end

-IssuePolicy.prepend_if_ee('::EE::IssuePolicy')
+  rule { ~can?(:read_issue) }.policy do
+    prevent :read_design
+    prevent :create_design
+    prevent :destroy_design
+  end
+
+  rule { locked | moved }.policy do
+    prevent :create_design
+    prevent :destroy_design
+  end
+end
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -11,6 +11,7 @@ class ProjectPolicy < BasePolicy
    milestone
    snippet
    wiki
+    design
    note
    pipeline
    pipeline_schedule
@@ -107,6 +108,11 @@ class ProjectPolicy < BasePolicy
    )
  end

+  with_scope :subject
+  condition(:design_management_disabled) do
+    !@subject.design_management_enabled?
+  end
+
  # We aren't checking `:read_issue` or `:read_merge_request` in this case
  # because it could be possible for a user to see an issuable-iid
  # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -299,6 +305,8 @@ class ProjectPolicy < BasePolicy
    enable :create_metrics_dashboard_annotation
    enable :delete_metrics_dashboard_annotation
    enable :update_metrics_dashboard_annotation
+    enable :create_design
+    enable :destroy_design
  end

  rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -511,6 +519,17 @@ class ProjectPolicy < BasePolicy

  rule { admin }.enable :change_repository_storage

+  rule { can?(:read_issue) }.policy do
+    enable :read_design
+  end
+
+  # Design abilities could also be prevented in the issue policy.
+  rule { design_management_disabled }.policy do
+    prevent :read_design
+    prevent :create_design
+    prevent :destroy_design
+  end
+
  private

  def team_member?

--- a/ee/app/policies/ee/issue_policy.rb
+++ b/ee/app/policies/ee/issue_policy.rb
-# frozen_string_literal: true
-
-module EE
-  module IssuePolicy
-    extend ActiveSupport::Concern
-    prepended do
-      condition(:moved) { @subject.moved? }
-
-      rule { ~can?(:read_issue) }.policy do
-        prevent :read_design
-        prevent :create_design
-        prevent :destroy_design
-      end
-
-      rule { locked | moved }.policy do
-        prevent :create_design
-        prevent :destroy_design
-      end
-    end
-  end
-end
--- a/ee/app/policies/ee/project_policy.rb
+++ b/ee/app/policies/ee/project_policy.rb
@@ -14,7 +14,6 @@ module EE
      license_management
      feature_flag
      feature_flags_client
-      design
    ].freeze

    prepended do
@@ -112,11 +111,6 @@ module EE
        !@subject.feature_available?(:feature_flags)
      end

-      with_scope :subject
-      condition(:design_management_disabled) do
-        !@subject.design_management_enabled?
-      end
-
      with_scope :subject
      condition(:code_review_analytics_enabled) do
        @subject.feature_available?(:code_review_analytics, @user)
@@ -157,7 +151,6 @@ module EE

      rule { can?(:read_issue) }.policy do
        enable :read_issue_link
-        enable :read_design
      end

      rule { can?(:reporter_access) }.policy do
@@ -182,8 +175,6 @@ module EE
        enable :destroy_feature_flag
        enable :admin_feature_flag
        enable :admin_feature_flags_user_lists
-        enable :create_design
-        enable :destroy_design
      end

      rule { can?(:public_access) }.enable :read_package
@@ -345,14 +336,6 @@ module EE

      rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal

-      # Design abilities could also be prevented in the issue policy.
-      # If the user cannot read the issue, then they cannot see the designs.
-      rule { design_management_disabled }.policy do
-        prevent :read_design
-        prevent :create_design
-        prevent :destroy_design
-      end
-
      rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled

      rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics

--- a/ee/spec/policies/design_management/design_policy_spec.rb
+++ b/ee/spec/policies/design_management/design_policy_spec.rb