port the EE extensions to policies to the new framework

268157f9 · http://jneen.net/ · 9e28aca1 · 268157f9 · 268157f9 · 268157f9
Commit 268157f9 authored Jun 27, 2017 by http://jneen.net/
7 changed files
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -10,4 +10,14 @@ class BasePolicy < DeclarativePolicy::Base

  with_options scope: :user, score: 0
  condition(:can_create_group) { @user&.can_create_group }
+
+  # EE Extensions
+  with_scope :user
+  condition(:auditor, score: 0) { @user&.auditor? }
+
+  with_scope :user
+  condition(:support_bot, score: 0) { @user&.support_bot? }
+
+  with_scope :global
+  condition(:license_block) { License.block_changes? }
 end
--- a/app/policies/ee/group_policy.rb
+++ b/app/policies/ee/group_policy.rb
 module EE
  module GroupPolicy
-    def rules
-      raise NotImplementedError unless defined?(super)
+    extend ActiveSupport::Concern

-      super
+    prepended do
+      with_scope :subject
+      condition(:ldap_synced) { @subject.ldap_synced? }

-      return unless @user
+      rule { ldap_synced }.prevent :admin_group_member

-      if @subject.ldap_synced?
-        cannot! :admin_group_member
-        can! :override_group_member if @user.admin? || @subject.has_owner?(@user)
+      rule { ldap_synced & admin }.policy do
+        enable :override_group_member
+        enable :update_group_member
      end
+
+      rule { ldap_synced & owner }.policy do
+        enable :override_group_member
+        enable :update_group_member
+      end
+
+      rule { auditor }.enable :read_group
    end
  end
 end
--- a/app/policies/ee/project_policy.rb
+++ b/app/policies/ee/project_policy.rb
 module EE
  module ProjectPolicy
-    def rules
-      super
+    extend ActiveSupport::Concern

-      guest_access! if user.support_bot?
-    end
+    prepended do
+      with_scope :subject
+      condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+
+      with_scope :subject
+      condition(:related_issues_disabled) { !@subject.feature_available?(:related_issues) }
+
+      with_scope :subject
+      condition(:deploy_board_disabled) { !@subject.feature_available?(:deploy_board) }
+
+      with_scope :global
+      condition(:is_development) { Rails.env.development? }
+
+      rule { admin }.enable :change_repository_storage
+
+      rule { support_bot }.enable :guest_access
+      rule { support_bot & ~service_desk_enabled }.policy do
+        prevent :create_note
+        prevent :read_project
+      end

-    def disabled_features!
-      raise NotImplementedError unless defined?(super)
+      rule { license_block }.policy do
+        prevent :create_issue
+        prevent :create_merge_request
+        prevent :push_code
+      end
+
+      rule { related_issues_disabled }.policy do
+        prevent :read_issue_link
+        prevent :admin_issue_link
+      end

-      super
+      rule { can?(:guest_access) }.enable :read_issue_link

-      if License.block_changes?
-        cannot! :create_issue
-        cannot! :create_merge_request
-        cannot! :push_code
-        cannot! :push_code_to_protected_branches
+      rule { can?(:reporter_access) }.policy do
+        enable :admin_board
+        enable :read_deploy_board
+        enable :admin_issue_link
      end

-      if @user&.support_bot? && !@subject.service_desk_enabled?
-        cannot! :create_note
-        cannot! :read_project
+      rule { can?(:developer_access) }.enable :admin_board
+
+      rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board
+
+      rule { can?(:master_access) }.policy do
+        enable :push_code_to_protected_branches
+        enable :admin_path_locks
      end

-      unless project.feature_available?(:related_issues)
-        cannot! :read_issue_link
-        cannot! :admin_issue_link
+      rule { auditor }.policy do
+        enable :public_user_access
+        prevent :request_access
+
+        enable :read_build
+        enable :read_environment
+        enable :read_deployment
+        enable :read_pages
      end
+
+      rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
    end
  end
 end
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -19,4 +19,12 @@ class GroupMemberPolicy < BasePolicy
  rule { is_target_user }.policy do
    enable :destroy_group_member
  end
+
+  ## EE extensions
+
+  condition(:ldap, score: 0) { @subject.ldap? }
+  condition(:override, score: 0) { @subject.override? }
+
+  rule { ~ldap }.prevent :override_group_member
+  rule { ldap & ~override }.prevent :update_group_member
 end
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
 class GroupPolicy < BasePolicy
+  prepend EE::GroupPolicy
+
  desc "Group is public"
  with_options scope: :subject, score: 0
  condition(:public_group) { @subject.public? }

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
 class ProjectPolicy < BasePolicy
+  prepend EE::ProjectPolicy
+
  def self.create_read_update_admin(name)
    [
      :"create_#{name}",

--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -27,6 +27,7 @@ class ProjectSnippetPolicy < BasePolicy
    all?(private_snippet | (internal & external_user),
         ~project.guest,
         ~admin,
+         ~auditor,
         ~is_author)
  end.prevent :read_project_snippet

@@ -42,4 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
    enable :update_project_snippet
    enable :admin_project_snippet
  end
+
+  # EE Extensions
+
+  rule { auditor }.enable :read_project_snippet
 end