Commit 846e5817 authored by http://jneen.net/

use a magic default :global symbol instead of nil

to make sure we mean the global permissions
parent 130fd255
...@@ -90,7 +90,7 @@ class ApplicationController < ActionController::Base ...@@ -90,7 +90,7 @@ class ApplicationController < ActionController::Base
current_application_settings.after_sign_out_path.presence || new_user_session_path current_application_settings.after_sign_out_path.presence || new_user_session_path
end end
def can?(object, action, subject) def can?(object, action, subject = :global)
Ability.allowed?(object, action, subject) Ability.allowed?(object, action, subject)
end end
......
...@@ -118,7 +118,7 @@ class GroupsController < Groups::ApplicationController ...@@ -118,7 +118,7 @@ class GroupsController < Groups::ApplicationController
end end
def authorize_create_group! def authorize_create_group!
unless can?(current_user, :create_group, nil) unless can?(current_user, :create_group)
return render_404 return render_404
end end
end end
......
...@@ -56,15 +56,16 @@ class Ability ...@@ -56,15 +56,16 @@ class Ability
end end
end end
def allowed?(user, action, subject) def allowed?(user, action, subject = :global)
allowed(user, subject).include?(action) allowed(user, subject).include?(action)
end end
def allowed(user, subject) def allowed(user, subject = :global)
return BasePolicy::RuleSet.none if subject.nil?
return uncached_allowed(user, subject) unless RequestStore.active? return uncached_allowed(user, subject) unless RequestStore.active?
user_key = user ? user.id : 'anonymous' user_key = user ? user.id : 'anonymous'
subject_key = subject ? "#{subject.class.name}/#{subject.id}" : 'global' subject_key = subject == :global ? 'global' : "#{subject.class.name}/#{subject.id}"
key = "/ability/#{user_key}/#{subject_key}" key = "/ability/#{user_key}/#{subject_key}"
RequestStore[key] ||= uncached_allowed(user, subject).freeze RequestStore[key] ||= uncached_allowed(user, subject).freeze
end end
......
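Review bot: The rebuilt `subject_key` line still maps every unpersisted subject of one class onto the same cache key, because `subject.id` is nil for a new record and interpolates to e.g. `"Project/"`; within one request the first rule set computed for an unsaved Project would then be served for any other unsaved Project. Whether any caller authorizes against unsaved records is not visible here, so this may be theoretical, but after the new nil guard this is the only subject shape left that is cached under an ambiguous key. A one-line guard keeps the cache honest: `return uncached_allowed(user, subject) if subject != :global && subject.id.nil?` placed before `user_key` is computed. Both `allowed?` and `allowed` sit in an enclosing scope of `Ability` that starts before the hunk.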
class Guest class Guest
class << self class << self
def can?(action, subject) def can?(action, subject = :global)
Ability.allowed?(nil, action, subject) Ability.allowed?(nil, action, subject)
end end
end end
......
...@@ -563,14 +563,14 @@ class User < ActiveRecord::Base ...@@ -563,14 +563,14 @@ class User < ActiveRecord::Base
end end
def can_create_group? def can_create_group?
can?(:create_group, nil) can?(:create_group)
end end
def can_select_namespace? def can_select_namespace?
several_namespaces? || admin several_namespaces? || admin
end end
def can?(action, subject) def can?(action, subject = :global)
Ability.allowed?(self, action, subject) Ability.allowed?(self, action, subject)
end end
......
...@@ -12,6 +12,10 @@ class BasePolicy ...@@ -12,6 +12,10 @@ class BasePolicy
new(Set.new, Set.new) new(Set.new, Set.new)
end end
def self.none
empty.freeze
end
def can?(ability) def can?(ability)
@can_set.include?(ability) && !@cannot_set.include?(ability) @can_set.include?(ability) && !@cannot_set.include?(ability)
end end
...@@ -49,7 +53,8 @@ class BasePolicy ...@@ -49,7 +53,8 @@ class BasePolicy
end end
def self.class_for(subject) def self.class_for(subject)
return GlobalPolicy if subject.nil? return GlobalPolicy if subject == :global
raise ArgumentError, 'no policy for nil' if subject.nil?
if subject.class.try(:presenter?) if subject.class.try(:presenter?)
subject = subject.subject subject = subject.subject
...@@ -79,7 +84,7 @@ class BasePolicy ...@@ -79,7 +84,7 @@ class BasePolicy
end end
def abilities def abilities
return RuleSet.empty if @user && @user.blocked? return RuleSet.none if @user && @user.blocked?
return anonymous_abilities if @user.nil? return anonymous_abilities if @user.nil?
collect_rules { rules } collect_rules { rules }
end end
......
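Review bot: `RuleSet.none` in the first hunk freezes only the RuleSet wrapper; `empty` builds it from two fresh `Set.new` instances and `freeze` is shallow, so the inner sets stay mutable and the deny-all rule set that `abilities` now returns for a blocked user could still grow if anything reaches those sets. Whether RuleSet exposes them is not visible here (its definition starts before the hunk), so this may be harmless, but a deny-all sentinel is cheap to make deeply immutable: `new(Set.new.freeze, Set.new.freeze).freeze`. Note also that `class_for` now raises on a nil subject while `Ability.allowed` silently returns `RuleSet.none` for the same input; a one-line comment on `none` such as `# Immutable deny-all rule set; returned for blocked users and nil subjects.` would tell the next reader which behaviour callers rely on.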
...@@ -116,7 +116,7 @@ module API ...@@ -116,7 +116,7 @@ module API
forbidden! unless current_user.is_admin? forbidden! unless current_user.is_admin?
end end
def authorize!(action, subject = nil) def authorize!(action, subject = :global)
forbidden! unless can?(current_user, action, subject) forbidden! unless can?(current_user, action, subject)
end end
...@@ -134,7 +134,7 @@ module API ...@@ -134,7 +134,7 @@ module API
end end
end end
def can?(object, action, subject) def can?(object, action, subject = :global)
Ability.allowed?(object, action, subject) Ability.allowed?(object, action, subject)
end end
......
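Review bot: `authorize!` in the first hunk gets no comment explaining the new default, yet its meaning changed in a way callers must know: `:global` selects the application-wide policy, while an explicit `nil` subject — for example the result of a failed lookup — now yields an empty rule set in `Ability.allowed` and therefore `forbidden!`. That is the right fail-closed direction, but a caller that passes a nil lookup result gets a 403 indistinguishable from a genuine permission denial. Suggest documenting it above `authorize!`: `# subject defaults to :global (application-wide rules); an explicit nil subject is denied outright, so pass :global when no resource is involved.`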
...@@ -45,7 +45,7 @@ module API ...@@ -45,7 +45,7 @@ module API
use :pagination use :pagination
end end
get do get do
unless can?(current_user, :read_users_list, nil) unless can?(current_user, :read_users_list)
render_api_error!("Not authorized.", 403) render_api_error!("Not authorized.", 403)
end end
......
...@@ -210,7 +210,7 @@ module Banzai ...@@ -210,7 +210,7 @@ module Banzai
grouped_objects_for_nodes(nodes, Project, 'data-project') grouped_objects_for_nodes(nodes, Project, 'data-project')
end end
def can?(user, permission, subject) def can?(user, permission, subject = :global)
Ability.allowed?(user, permission, subject) Ability.allowed?(user, permission, subject)
end end
......
module Gitlab module Gitlab
module Allowable module Allowable
def can?(user, action, subject) def can?(user, action, subject = :global)
Ability.allowed?(user, action, subject) Ability.allowed?(user, action, subject)
end end
end end
......