Introduce PolicyCheckable for checking policies

02732e85 · Lin Jen-Shin · 8f693d3c · 02732e85 · 02732e85 · 02732e85
Commit 02732e85 authored Jul 24, 2018 by Lin Jen-Shin
6 changed files
--- a/app/models/deploy_token.rb
+++ b/app/models/deploy_token.rb
 class DeployToken < ActiveRecord::Base
  include Expirable
  include TokenAuthenticatable
+  include PolicyCheckable
  add_authentication_token_field :token

-  prepend EE::DeployToken
-
  AVAILABLE_SCOPES = %i(read_repository read_registry).freeze
  GITLAB_DEPLOY_TOKEN_NAME = 'gitlab-deploy-token'.freeze

@@ -60,10 +59,6 @@ class DeployToken < ActiveRecord::Base
    write_attribute(:expires_at, value.presence || Forever.date)
  end

-  def admin?
-    false
-  end
-
  private

  def ensure_at_least_one_scope

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -22,14 +22,4 @@ class BasePolicy < DeclarativePolicy::Base

  # This is prevented in some cases in `gitlab-ee`
  rule { default }.enable :read_cross_project
-
-  # EE Extensions
-  with_scope :user
-  condition(:auditor, score: 0) { @user&.auditor? }
-
-  with_scope :user
-  condition(:support_bot, score: 0) { @user&.support_bot? }
-
-  with_scope :global
-  condition(:license_block) { License.block_changes? }
 end
--- a/app/policies/concerns/policy_checkable.rb
+++ b/app/policies/concerns/policy_checkable.rb
+# frozen_string_literal: true
+
+# Include this module if we want to pass something else than the user to
+# check policies. This defines several methods which the policy checker
+# would call and check.
+module PolicyCheckable
+  extend ActiveSupport::Concern
+
+  prepend EE::PolicyCheckable
+
+  def blocked?
+    false
+  end
+
+  def admin?
+    false
+  end
+
+  def external?
+    false
+  end
+
+  def internal?
+    false
+  end
+
+  def access_locked?
+    false
+  end
+
+  def required_terms_not_accepted?
+    false
+  end
+
+  def can_create_group
+    false
+  end
+end
--- a/config/application.rb
+++ b/config/application.rb
@@ -45,6 +45,7 @@ module Gitlab
                                     #{config.root}/app/models/members
                                     #{config.root}/app/models/project_services
                                     #{config.root}/app/workers/concerns
+                                     #{config.root}/app/policies/concerns
                                     #{config.root}/app/services/concerns
                                     #{config.root}/app/serializers/concerns
                                     #{config.root}/app/finders/concerns

--- a/ee/app/policies/ee/base_policy.rb
+++ b/ee/app/policies/ee/base_policy.rb
@@ -10,6 +10,15 @@ module EE
      rule { external_authorization_enabled & ~admin & ~auditor }.policy do
        prevent :read_cross_project
      end
+
+      with_scope :user
+      condition(:auditor, score: 0) { @user&.auditor? }
+
+      with_scope :user
+      condition(:support_bot, score: 0) { @user&.support_bot? }
+
+      with_scope :global
+      condition(:license_block) { License.block_changes? }
    end
  end
 end
--- a/ee/app/models/ee/deploy_token.rb
+++ b/ee/app/models/ee/deploy_token.rb
+# frozen_string_literal: true
+
 module EE
-  module DeployToken
+  module PolicyCheckable
    def auditor?
      false
    end