port runners, namespaces, group/project_members

5019185e · http://jneen.net/ · 29059c2e · 5019185e · 5019185e · 5019185e
Commit 5019185e authored Aug 18, 2016 by http://jneen.net/
4 changed files
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -73,12 +73,8 @@ class Ability

    def abilities_by_subject_class(user:, subject:)
      case subject
-      when Namespace then namespace_abilities(user, subject)
-      when GroupMember then group_member_abilities(user, subject)
-      when ProjectMember then project_member_abilities(user, subject)
      when User then user_abilities
      when ExternalIssue, Deployment, Environment then project_abilities(user, subject.project)
-      when Ci::Runner then runner_abilities(user, subject)
      else []
      end + global_abilities(user)
    end
@@ -112,48 +108,6 @@ class Ability
      ProjectPolicy.abilities(user, project).to_a
    end

-    def can_read_group?(user, group)
-      return true if user.admin?
-      return true if group.public?
-      return true if group.internal? && !user.external?
-      return true if group.users.include?(user)
-
-      GroupProjectsFinder.new(group).execute(user).any?
-    end
-
-    def namespace_abilities(user, namespace)
-      rules = []
-
-      # Only namespace owner and administrators can admin it
-      if namespace.owner == user || user.admin?
-        rules += [
-          :create_projects,
-          :admin_namespace
-        ]
-      end
-
-      rules.flatten
-    end
-
-    def group_member_abilities(user, subject)
-      rules = []
-      target_user = subject.user
-      group = subject.group
-
-      unless group.last_owner?(target_user)
-        can_manage = allowed?(user, :admin_group_member, group)
-
-        if can_manage
-          rules << :update_group_member
-          rules << :destroy_group_member
-        elsif user == target_user
-          rules << :destroy_group_member
-        end
-      end
-
-      rules
-    end
-
    def project_member_abilities(user, subject)
      rules = []
      target_user = subject.user
@@ -182,18 +136,6 @@ class Ability
      rules
    end

-    def runner_abilities(user, runner)
-      if user.is_admin?
-        [:assign_runner]
-      elsif runner.is_shared? || runner.locked?
-        []
-      elsif user.ci_authorized_runners.include?(runner)
-        [:assign_runner]
-      else
-        []
-      end
-    end
-
    def user_abilities
      [:read_user]
    end

--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
+module Ci
+  class RunnerPolicy < BasePolicy
+    def rules
+      return unless @user
+
+      can! :assign_runner if @user.is_admin?
+
+      return if @subject.is_shared? || @subject.locked?
+
+      can! :assign_runner if @user.ci_authorized_runners.include?(@subject)
+    end
+  end
+end
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
+class GroupMemberPolicy < BasePolicy
+  def rules
+    return unless @user
+
+    target_user = @subject.user
+    group = @subject.group
+
+    return if group.last_owner?(target_user)
+
+    can_manage = Ability.allowed?(@user, :admin_group_member, group)
+
+    if can_manage
+      can! :update_group_member
+      can! :destroy_group_member
+    elsif @user == target_user
+      can! :destroy_group_member
+    end
+  end
+end
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
+class NamespacePolicy < BasePolicy
+  def rules
+    return unless @user
+
+    if @subject.owner == @user || @user.admin?
+      can! :create_projects
+      can! :admin_namespace
+    end
+  end
+end