Commit b90f1098 authored by Toon Claes's avatar Toon Claes

Add User#full_private_access? to check if user has Private access

In CE only the admin has access to all private groups & projects. In EE also an
auditor can have full private access.

To overcome merge conflicts, or accidental incorrect access rights, abstract
this out in `User#full_private_access?`.

`User#admin?` now only should be used for admin-only features. For private
access-related features `User#full_private_access?` should be used.

Backported from gitlab-org/gitlab-ee!2199
parent f09aa6b7
...@@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder ...@@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder
def self.not_restricted_by_confidentiality(user) def self.not_restricted_by_confidentiality(user)
return Issue.where('issues.confidential IS NOT TRUE') if user.blank? return Issue.where('issues.confidential IS NOT TRUE') if user.blank?
return Issue.all if user.admin? return Issue.all if user.full_private_access?
Issue.where(' Issue.where('
issues.confidential IS NOT TRUE issues.confidential IS NOT TRUE
......
...@@ -90,7 +90,7 @@ class ProjectFeature < ActiveRecord::Base ...@@ -90,7 +90,7 @@ class ProjectFeature < ActiveRecord::Base
when DISABLED when DISABLED
false false
when PRIVATE when PRIVATE
user && (project.team.member?(user) || user.admin?) user && (project.team.member?(user) || user.full_private_access?)
when ENABLED when ENABLED
true true
else else
......
...@@ -984,6 +984,12 @@ class User < ActiveRecord::Base ...@@ -984,6 +984,12 @@ class User < ActiveRecord::Base
self.admin = (new_level == 'admin') self.admin = (new_level == 'admin')
end end
# Does the user have access to all private groups & projects?
# Overridden in EE to also check auditor?
def full_private_access?
admin?
end
def update_two_factor_requirement def update_two_factor_requirement
periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period) periods = expanded_groups_requiring_two_factor_authentication.pluck(:two_factor_grace_period)
......
---
title: Add User#full_private_access? to check if user has access to all private groups & projects
merge_request: 12373
author:
...@@ -28,7 +28,7 @@ module Gitlab ...@@ -28,7 +28,7 @@ module Gitlab
def levels_for_user(user = nil) def levels_for_user(user = nil)
return [PUBLIC] unless user return [PUBLIC] unless user
if user.admin? if user.full_private_access?
[PRIVATE, INTERNAL, PUBLIC] [PRIVATE, INTERNAL, PUBLIC]
elsif user.external? elsif user.external?
[PUBLIC] [PUBLIC]
......
...@@ -21,7 +21,7 @@ describe Gitlab::VisibilityLevel, lib: true do ...@@ -21,7 +21,7 @@ describe Gitlab::VisibilityLevel, lib: true do
describe '.levels_for_user' do describe '.levels_for_user' do
it 'returns all levels for an admin' do it 'returns all levels for an admin' do
user = double(:user, admin?: true) user = build(:user, :admin)
expect(described_class.levels_for_user(user)) expect(described_class.levels_for_user(user))
.to eq([Gitlab::VisibilityLevel::PRIVATE, .to eq([Gitlab::VisibilityLevel::PRIVATE,
...@@ -30,7 +30,7 @@ describe Gitlab::VisibilityLevel, lib: true do ...@@ -30,7 +30,7 @@ describe Gitlab::VisibilityLevel, lib: true do
end end
it 'returns INTERNAL and PUBLIC for internal users' do it 'returns INTERNAL and PUBLIC for internal users' do
user = double(:user, admin?: false, external?: false) user = build(:user)
expect(described_class.levels_for_user(user)) expect(described_class.levels_for_user(user))
.to eq([Gitlab::VisibilityLevel::INTERNAL, .to eq([Gitlab::VisibilityLevel::INTERNAL,
...@@ -38,7 +38,7 @@ describe Gitlab::VisibilityLevel, lib: true do ...@@ -38,7 +38,7 @@ describe Gitlab::VisibilityLevel, lib: true do
end end
it 'returns PUBLIC for external users' do it 'returns PUBLIC for external users' do
user = double(:user, admin?: false, external?: true) user = build(:user, :external)
expect(described_class.levels_for_user(user)) expect(described_class.levels_for_user(user))
.to eq([Gitlab::VisibilityLevel::PUBLIC]) .to eq([Gitlab::VisibilityLevel::PUBLIC])
......
...@@ -1733,6 +1733,20 @@ describe User, models: true do ...@@ -1733,6 +1733,20 @@ describe User, models: true do
end end
end end
describe '#full_private_access?' do
it 'returns false for regular user' do
user = build(:user)
expect(user.full_private_access?).to be_falsy
end
it 'returns true for admin user' do
user = build(:user, :admin)
expect(user.full_private_access?).to be_truthy
end
end
describe '.ghost' do describe '.ghost' do
it "creates a ghost user if one isn't already present" do it "creates a ghost user if one isn't already present" do
ghost = User.ghost ghost = User.ghost
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment