Commit
ccfa032e
authored
Aug 16, 2016
by
http://jneen.net/
port groups
parent
4016c535
Showing
2 changed files
with
48 additions
and
36 deletions
+48
-36
app/models/ability.rb
app/models/ability.rb
+3
-36
app/policies/group_policy.rb
app/policies/group_policy.rb
+45
-0
app/models/ability.rb
...
@@ -73,7 +73,6 @@ class Ability
...
@@ -73,7 +73,6 @@ class Ability
def
abilities_by_subject_class
(
user
:,
subject
:)
def
abilities_by_subject_class
(
user
:,
subject
:)
case
subject
case
subject
when
Group
then
group_abilities
(
user
,
subject
)
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
Namespace
then
namespace_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
GroupMember
then
group_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
when
ProjectMember
then
project_member_abilities
(
user
,
subject
)
...
@@ -88,8 +87,8 @@ class Ability
...
@@ -88,8 +87,8 @@ class Ability
def
anonymous_abilities
(
subject
)
def
anonymous_abilities
(
subject
)
if
subject
.
respond_to?
(
:project
)
if
subject
.
respond_to?
(
:project
)
ProjectPolicy
.
abilities
(
nil
,
subject
.
project
)
ProjectPolicy
.
abilities
(
nil
,
subject
.
project
)
elsif
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
elsif
subject
.
respond_to?
(
:group
)
anonymous_group_abilities
(
subject
)
GroupPolicy
.
abilities
(
nil
,
subject
.
group
)
elsif
subject
.
is_a?
(
User
)
elsif
subject
.
is_a?
(
User
)
anonymous_user_abilities
anonymous_user_abilities
else
else
...
@@ -164,38 +163,6 @@ class Ability
...
@@ -164,38 +163,6 @@ class Ability
ProjectPolicy
.
abilities
(
user
,
project
).
to_a
ProjectPolicy
.
abilities
(
user
,
project
).
to_a
end
end
def
group_abilities
(
user
,
group
)
rules
=
[]
rules
<<
:read_group
if
can_read_group?
(
user
,
group
)
owner
=
user
.
admin?
||
group
.
has_owner?
(
user
)
master
=
owner
||
group
.
has_master?
(
user
)
# Only group masters and group owners can create new projects
if
master
rules
+=
[
:create_projects
,
:admin_milestones
]
end
# Only group owner and administrators can admin group
if
owner
rules
+=
[
:admin_group
,
:admin_namespace
,
:admin_group_member
,
:change_visibility_level
]
end
if
group
.
public?
||
(
group
.
internal?
&&
!
user
.
external?
)
rules
<<
:request_access
if
group
.
request_access_enabled
&&
group
.
users
.
exclude?
(
user
)
end
rules
.
flatten
end
def
can_read_group?
(
user
,
group
)
def
can_read_group?
(
user
,
group
)
return
true
if
user
.
admin?
return
true
if
user
.
admin?
return
true
if
group
.
public?
return
true
if
group
.
public?
...
@@ -225,7 +192,7 @@ class Ability
...
@@ -225,7 +192,7 @@ class Ability
group
=
subject
.
group
group
=
subject
.
group
unless
group
.
last_owner?
(
target_user
)
unless
group
.
last_owner?
(
target_user
)
can_manage
=
group_abilities
(
user
,
group
).
include?
(
:admin_group_member
)
can_manage
=
allowed?
(
user
,
:admin_group_member
,
group
)
if
can_manage
if
can_manage
rules
<<
:update_group_member
rules
<<
:update_group_member
...
...
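Review bot: In `anonymous_abilities`, the group branch now calls `GroupPolicy.abilities(nil, subject.group)`, and the two `elsif` conditions shown differ only in the `subject.is_a?(Group)` test, so it is unclear how a `Group` subject itself is handled for a signed-out user. If the `is_a?(Group)` test was dropped, a Group that reaches this method falls through to the later branches; if it was kept, `subject.group` is called on the Group itself. The dispatch that precedes this method is outside the visible hunks, so this is inferred rather than confirmed. A spec asserting that an anonymous user gets `:read_group` on a public group and no abilities on a private one would pin the behaviour, and a short comment above the branch stating where Group subjects are routed would make the intent explicit.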
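--- /dev/null
+++ b/app/policies/group_policy.rb
+class GroupPolicy < BasePolicy
+  def rules
+    can! :read_group if @subject.public?
+    return unless @user
+    globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
+    member = @subject.users.include?(@user)
+    owner = @user.admin? || @subject.has_owner?(@user)
+    master = owner || @subject.has_master?(@user)
+    can_read = false
+    can_read ||= globally_viewable
+    can_read ||= member
+    can_read ||= @user.admin?
+    can_read ||= GroupProjectsFinder.new(@subject).execute(@user).any?
+    can! :read_group if can_read
+    # Only group masters and group owners can create new projects
+    if master
+      can! :create_projects
+      can! :admin_milestones
+    end
+    # Only group owner and administrators can admin group
+    if owner
+      can! :admin_group
+      can! :admin_namespace
+      can! :admin_group_member
+      can! :change_visibility_level
+    end
+    if globally_viewable && @subject.request_access_enabled && !member
+      can! :request_access
+    end
+  end
+  def can_read_group?
+    return true if @subject.public?
+    return true if @user.admin?
+    return true if @subject.internal? && !@user.external?
+    return true if @subject.users.include?(@user)
+    GroupProjectsFinder.new(@subject).execute(@user).any?
+  end
+end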
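Review bot: `can_read_group?` repeats the read checks that `rules` already computes inline through `can_read`, and nothing in this file calls it, so the two copies of the authorization logic can drift apart. It also calls `@user.admin?` without the nil guard that `rules` has (`return unless @user`), so for a signed-out user on a non-public group it would raise instead of denying. Either drop the method, or make it the single source of truth: add `return false unless @user` after the public check and have `rules` use `can! :read_group if can_read_group?`. Callers outside this file are not visible here, so whether anything else still uses the predicate is unconfirmed.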