Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
1ca9b335
Commit
1ca9b335
authored
Aug 12, 2016
by
http://jneen.net/
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add support for anonymous abilities
parent
29b1623a
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
67 additions
and
205 deletions
+67
-205
app/models/ability.rb
app/models/ability.rb
+6
-188
app/policies/base_policy.rb
app/policies/base_policy.rb
+22
-4
app/policies/project_policy.rb
app/policies/project_policy.rb
+39
-13
No files found.
app/models/ability.rb
View file @
1ca9b335
...
...
@@ -71,7 +71,7 @@ class Ability
def
abilities_by_subject_class
(
user
:,
subject
:)
case
subject
when
CommitStatus
then
commit_status_abilities
(
user
,
subject
)
when
Project
then
ProjectPolicy
.
new
(
user
,
subject
).
abilities
when
Project
then
ProjectPolicy
.
abilities
(
user
,
subject
)
when
Issue
then
issue_abilities
(
user
,
subject
)
when
Note
then
note_abilities
(
user
,
subject
)
when
ProjectSnippet
then
project_snippet_abilities
(
user
,
subject
)
...
...
@@ -96,8 +96,10 @@ class Ability
anonymous_project_snippet_abilities
(
subject
)
elsif
subject
.
is_a?
(
CommitStatus
)
anonymous_commit_status_abilities
(
subject
)
elsif
subject
.
is_a?
(
Project
)
||
subject
.
respond_to?
(
:project
)
anonymous_project_abilities
(
subject
)
elsif
subject
.
is_a?
(
Project
)
ProjectPolicy
.
abilities
(
nil
,
subject
)
elsif
subject
.
respond_to?
(
:project
)
ProjectPolicy
.
abilities
(
nil
,
subject
.
project
)
elsif
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
anonymous_group_abilities
(
subject
)
elsif
subject
.
is_a?
(
User
)
...
...
@@ -194,174 +196,7 @@ class Ability
def
project_abilities
(
user
,
project
)
# temporary patch, deleteme before merge
ProjectPolicy
.
new
(
user
,
project
).
abilities
.
to_a
end
def
project_team_rules
(
team
,
user
)
# Rules based on role in project
if
team
.
master?
(
user
)
project_master_rules
elsif
team
.
developer?
(
user
)
project_dev_rules
elsif
team
.
reporter?
(
user
)
project_report_rules
elsif
team
.
guest?
(
user
)
project_guest_rules
else
[]
end
end
def
public_project_rules
@public_project_rules
||=
project_guest_rules
+
[
:download_code
,
:fork_project
,
:read_commit_status
,
:read_pipeline
,
:read_container_image
]
end
def
project_guest_rules
@project_guest_rules
||=
[
:read_project
,
:read_wiki
,
:read_issue
,
:read_board
,
:read_list
,
:read_label
,
:read_milestone
,
:read_project_snippet
,
:read_project_member
,
:read_merge_request
,
:read_note
,
:create_project
,
:create_issue
,
:create_note
,
:upload_file
]
end
def
project_report_rules
@project_report_rules
||=
project_guest_rules
+
[
:download_code
,
:fork_project
,
:create_project_snippet
,
:update_issue
,
:admin_issue
,
:admin_label
,
:admin_list
,
:read_commit_status
,
:read_build
,
:read_container_image
,
:read_pipeline
,
:read_environment
,
:read_deployment
]
end
def
project_dev_rules
@project_dev_rules
||=
project_report_rules
+
[
:admin_merge_request
,
:update_merge_request
,
:create_commit_status
,
:update_commit_status
,
:create_build
,
:update_build
,
:create_pipeline
,
:update_pipeline
,
:create_merge_request
,
:create_wiki
,
:push_code
,
:resolve_note
,
:create_container_image
,
:update_container_image
,
:create_environment
,
:create_deployment
]
end
def
project_archived_rules
@project_archived_rules
||=
[
:create_merge_request
,
:push_code
,
:push_code_to_protected_branches
,
:update_merge_request
,
:admin_merge_request
]
end
def
project_master_rules
@project_master_rules
||=
project_dev_rules
+
[
:push_code_to_protected_branches
,
:update_project_snippet
,
:update_environment
,
:update_deployment
,
:admin_milestone
,
:admin_project_snippet
,
:admin_project_member
,
:admin_merge_request
,
:admin_note
,
:admin_wiki
,
:admin_project
,
:admin_commit_status
,
:admin_build
,
:admin_container_image
,
:admin_pipeline
,
:admin_environment
,
:admin_deployment
]
end
def
project_owner_rules
@project_owner_rules
||=
project_master_rules
+
[
:change_namespace
,
:change_visibility_level
,
:rename_project
,
:remove_project
,
:archive_project
,
:remove_fork_project
,
:destroy_merge_request
,
:destroy_issue
]
end
def
project_disabled_features_rules
(
project
)
rules
=
[]
unless
project
.
issues_enabled
rules
+=
named_abilities
(
'issue'
)
end
unless
project
.
merge_requests_enabled
rules
+=
named_abilities
(
'merge_request'
)
end
unless
project
.
issues_enabled
or
project
.
merge_requests_enabled
rules
+=
named_abilities
(
'label'
)
rules
+=
named_abilities
(
'milestone'
)
end
unless
project
.
snippets_enabled
rules
+=
named_abilities
(
'project_snippet'
)
end
unless
project
.
has_wiki?
rules
+=
named_abilities
(
'wiki'
)
end
unless
project
.
builds_enabled
rules
+=
named_abilities
(
'build'
)
rules
+=
named_abilities
(
'pipeline'
)
rules
+=
named_abilities
(
'environment'
)
rules
+=
named_abilities
(
'deployment'
)
end
unless
project
.
container_registry_enabled
rules
+=
named_abilities
(
'container_image'
)
end
rules
ProjectPolicy
.
abilities
(
user
,
project
).
to_a
end
def
group_abilities
(
user
,
group
)
...
...
@@ -569,15 +404,6 @@ class Ability
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
end
def
named_abilities
(
name
)
[
:"read_
#{
name
}
"
,
:"create_
#{
name
}
"
,
:"update_
#{
name
}
"
,
:"admin_
#{
name
}
"
]
end
def
filter_confidential_issues_abilities
(
user
,
issue
,
rules
)
return
rules
if
user
.
admin?
||
!
issue
.
confidential?
...
...
@@ -589,13 +415,5 @@ class Ability
rules
end
def
project_group_member?
(
project
,
user
)
project
.
group
&&
(
project
.
group
.
members
.
exists?
(
user_id:
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
user
.
id
)
)
end
end
end
app/policies/base_policy.rb
View file @
1ca9b335
class
BasePolicy
def
self
.
abilities
(
user
,
subject
)
new
(
user
,
subject
).
abilities
end
attr_reader
:user
,
:subject
def
initialize
(
user
,
subject
)
@user
=
user
@subject
=
subject
end
def
abilities
@can
=
Set
.
new
@cannot
=
Set
.
new
generate!
@can
-
@cannot
return
anonymous_abilities
if
@user
.
nil?
collect_rules
{
rules
}
end
def
anonymous_abilities
collect_rules
{
anonymous_rules
}
end
def
generate!
...
...
@@ -22,4 +29,15 @@ class BasePolicy
def
cannot!
(
*
rules
)
@cannot
.
merge
(
rules
)
end
private
def
collect_rules
(
&
b
)
return
Set
.
new
if
@subject
.
nil?
@can
=
Set
.
new
@cannot
=
Set
.
new
yield
@can
-
@cannot
end
end
app/policies/project_policy.rb
View file @
1ca9b335
...
...
@@ -28,6 +28,7 @@ class ProjectPolicy < BasePolicy
can!
:update_issue
can!
:admin_issue
can!
:admin_label
can!
:admin_list
can!
:read_commit_status
can!
:read_build
can!
:read_container_image
...
...
@@ -48,6 +49,7 @@ class ProjectPolicy < BasePolicy
can!
:create_merge_request
can!
:create_wiki
can!
:push_code
can!
:resolve_note
can!
:create_container_image
can!
:update_container_image
can!
:create_environment
...
...
@@ -98,8 +100,8 @@ class ProjectPolicy < BasePolicy
end
# Push abilities on the users team role
def
team_access!
access
=
project
.
team
.
max_member_access
(
@
user
.
id
)
def
team_access!
(
user
)
access
=
project
.
team
.
max_member_access
(
user
.
id
)
return
if
access
<
Gitlab
::
Access
::
GUEST
guest_access!
...
...
@@ -140,7 +142,7 @@ class ProjectPolicy < BasePolicy
cannot!
(
*
named_abilities
(
:project_snippet
))
end
unless
project
.
wiki_enabled
unless
project
.
has_wiki?
cannot!
(
*
named_abilities
(
:wiki
))
end
...
...
@@ -156,16 +158,16 @@ class ProjectPolicy < BasePolicy
end
end
def
generate!
team_access!
def
rules
team_access!
(
user
)
owner
=
@
user
.
admin?
||
project
.
owner
==
@
user
||
(
project
.
group
&&
project
.
group
.
has_owner?
(
@
user
))
owner
=
user
.
admin?
||
project
.
owner
==
user
||
(
project
.
group
&&
project
.
group
.
has_owner?
(
user
))
owner_access!
if
owner
if
project
.
public?
||
(
project
.
internal?
&&
!
@
user
.
external?
)
if
project
.
public?
||
(
project
.
internal?
&&
!
user
.
external?
)
guest_access!
public_access!
...
...
@@ -173,7 +175,7 @@ class ProjectPolicy < BasePolicy
can!
:read_build
if
project
.
public_builds?
if
project
.
request_access_enabled
&&
!
(
owner
||
project
.
team
.
member?
(
@user
)
||
project_group_member?
)
!
(
owner
||
project
.
team
.
member?
(
user
)
||
project_group_member?
(
user
)
)
can!
:request_access
end
end
...
...
@@ -183,11 +185,35 @@ class ProjectPolicy < BasePolicy
disabled_features!
end
def
project_group_member?
def
anonymous_rules
return
unless
project
.
public?
can!
:read_project
can!
:read_board
can!
:read_list
can!
:read_wiki
can!
:read_label
can!
:read_milestone
can!
:read_project_snippet
can!
:read_project_member
can!
:read_merge_request
can!
:read_note
can!
:read_pipeline
can!
:read_commit_status
can!
:read_container_image
can!
:download_code
# Allow to read builds by anonymous user if guests are allowed
can!
:read_build
if
project
.
public_builds?
disabled_features!
end
def
project_group_member?
(
user
)
project
.
group
&&
(
project
.
group
.
members
.
exists?
(
user_id:
@
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
@
user
.
id
)
project
.
group
.
members
.
exists?
(
user_id:
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
user
.
id
)
)
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment