Allow an auditor user to access all projects / groups

In addition, allow an auditor read-only permissions within a project. Collect all the permissions that an auditor is supposed to have in the `auditor_access` method. This _could_ be automated by dynamically listing all permissions that start with `read_`, but this is cleaner / more readable, especially since it's confined to this one location.

Allow an auditor user to access all projects / groups
In addition, allow an auditor read-only permissions within a project. Collect all the permissions that an auditor is supposed to have in the `auditor_access` method. This _could_ be automated by dynamically listing all permissions that start with `read_`, but this is cleaner / more readable, especially since it's confined to this one location.
d475c369 · Timothy Andrew · b9c36d6c · d475c369 · d475c369 · d475c369
Commit d475c369 authored Jan 20, 2017 by Timothy Andrew
10 changed files
--- a/app/finders/group_projects_finder.rb
+++ b/app/finders/group_projects_finder.rb
@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder
    projects = []

    if current_user
-      if @group.users.include?(current_user) || current_user.admin?
+      if @group.users.include?(current_user) || current_user.admin? || current_user.auditor?
        projects << @group.projects unless only_shared
        projects << @group.shared_projects unless only_owned
      else

--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -33,7 +33,7 @@ class IssuesFinder < IssuableFinder
  def self.not_restricted_by_confidentiality(user)
    return Issue.where('issues.confidential IS NULL OR issues.confidential IS FALSE') if user.blank?

-    return Issue.all if user.admin?
+    return Issue.all if user.admin? || user.auditor?

    Issue.where('
      issues.confidential IS NULL

--- a/app/finders/snippets_finder.rb
+++ b/app/finders/snippets_finder.rb
@@ -44,7 +44,7 @@ class SnippetsFinder
    snippets = project.snippets.fresh

    if current_user
-      include_private = project.team.member?(current_user) || current_user.admin?
+      include_private = project.team.member?(current_user) || current_user.admin? || current_user.auditor?
      by_scope(snippets, scope, include_private)
    else
      snippets.are_public

--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -83,7 +83,7 @@ class ProjectFeature < ActiveRecord::Base
    when DISABLED
      false
    when PRIVATE
-      user && (project.team.member?(user) || user.admin?)
+      user && (project.team.member?(user) || user.admin? || user.auditor?)
    when ENABLED
      true
    else

--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -2,7 +2,7 @@ class GlobalPolicy < BasePolicy
  def rules
    return unless @user

-    can! :create_group if @user.can_create_group
+    can! :create_group if @user.can_create_group && !@user.auditor?
    can! :read_users_list
  end
 end
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -12,6 +12,7 @@ class GroupPolicy < BasePolicy
    can_read ||= globally_viewable
    can_read ||= member
    can_read ||= @user.admin?
+    can_read ||= @user.auditor?
    can_read ||= GroupProjectsFinder.new(@subject).execute(@user).any?
    can! :read_group if can_read

@@ -40,6 +41,7 @@ class GroupPolicy < BasePolicy
  def can_read_group?
    return true if @subject.public?
    return true if @user.admin?
+    return true if @user.auditor?
    return true if @subject.internal? && !@user.external?
    return true if @subject.users.include?(@user)


--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
 class NamespacePolicy < BasePolicy
  def rules
    return unless @user
+    return if @user.auditor?

    if @subject.owner == @user || @user.admin?
      can! :create_projects

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -8,6 +8,7 @@ class ProjectPolicy < BasePolicy
      (project.group && project.group.has_owner?(user))

    owner_access! if user.admin? || owner
+    auditor_access! if user.auditor?
    team_member_owner_access! if owner

    if project.public? || (project.internal? && !user.external?)
@@ -182,6 +183,37 @@ class ProjectPolicy < BasePolicy
    cannot! :admin_merge_request
  end

+  # An auditor user has read-only access to all projects
+  def auditor_access!
+    can! :download_code
+    can! :download_wiki_code
+    can! :read_project
+    can! :read_board
+    can! :read_list
+    can! :read_wiki
+    can! :read_issue
+    can! :read_label
+    can! :read_milestone
+    can! :read_project_snippet
+    can! :read_project_member
+    can! :read_note
+    can! :read_cycle_analytics
+    can! :read_pipeline
+    can! :read_build
+    can! :read_commit_status
+    can! :read_build
+    can! :read_container_image
+    can! :read_pipeline
+    can! :read_environment
+    can! :read_deployment
+    can! :read_merge_request
+    can! :read_pages
+    can! :read_commit_status
+    can! :read_pipeline
+    can! :read_container_image
+    can! :read_merge_request
+  end
+
  def disabled_features!
    repository_enabled = project.feature_available?(:repository, user)


--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -3,12 +3,16 @@ class ProjectSnippetPolicy < BasePolicy
    can! :read_project_snippet if @subject.public?
    return unless @user

-    if @user && @subject.author == @user || @user.admin?
+    if @user && (@subject.author == @user || @user.admin?)
      can! :read_project_snippet
      can! :update_project_snippet
      can! :admin_project_snippet
    end

+    if @user.auditor?
+      can! :read_project_snippet
+    end
+
    if @subject.internal? && !@user.external?
      can! :read_project_snippet
    end

--- a/app/views/projects/notes/_notes_with_form.html.haml
+++ b/app/views/projects/notes/_notes_with_form.html.haml
@@ -13,6 +13,8 @@
          = image_tag avatar_icon(current_user), alt: current_user.to_reference, class: 'avatar s40'
      .timeline-content.timeline-content-form
        = render "projects/notes/form", view: diff_view
+    - elsif current_user.present? && current_user.auditor?
+      -# Display nothing
    - else
      .disabled-comment.text-center
        .disabled-comment-text.inline