Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
268157f9
Commit
268157f9
authored
Jun 27, 2017
by
http://jneen.net/
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
port the EE extensions to policies to the new framework
parent
9e28aca1
Changes
7
Hide whitespace changes
Inline
Side-by-side
Showing
7 changed files
with
95 additions
and
25 deletions
+95
-25
app/policies/base_policy.rb
app/policies/base_policy.rb
+10
-0
app/policies/ee/group_policy.rb
app/policies/ee/group_policy.rb
+15
-7
app/policies/ee/project_policy.rb
app/policies/ee/project_policy.rb
+53
-18
app/policies/group_member_policy.rb
app/policies/group_member_policy.rb
+8
-0
app/policies/group_policy.rb
app/policies/group_policy.rb
+2
-0
app/policies/project_policy.rb
app/policies/project_policy.rb
+2
-0
app/policies/project_snippet_policy.rb
app/policies/project_snippet_policy.rb
+5
-0
No files found.
app/policies/base_policy.rb
View file @
268157f9
...
@@ -10,4 +10,14 @@ class BasePolicy < DeclarativePolicy::Base
...
@@ -10,4 +10,14 @@ class BasePolicy < DeclarativePolicy::Base
with_options
scope: :user
,
score:
0
with_options
scope: :user
,
score:
0
condition
(
:can_create_group
)
{
@user
&
.
can_create_group
}
condition
(
:can_create_group
)
{
@user
&
.
can_create_group
}
# EE Extensions
with_scope
:user
condition
(
:auditor
,
score:
0
)
{
@user
&
.
auditor?
}
with_scope
:user
condition
(
:support_bot
,
score:
0
)
{
@user
&
.
support_bot?
}
with_scope
:global
condition
(
:license_block
)
{
License
.
block_changes?
}
end
end
app/policies/ee/group_policy.rb
View file @
268157f9
module
EE
module
EE
module
GroupPolicy
module
GroupPolicy
def
rules
extend
ActiveSupport
::
Concern
raise
NotImplementedError
unless
defined?
(
super
)
super
prepended
do
with_scope
:subject
condition
(
:ldap_synced
)
{
@subject
.
ldap_synced?
}
r
eturn
unless
@us
er
r
ule
{
ldap_synced
}.
prevent
:admin_group_memb
er
if
@subject
.
ldap_synced?
rule
{
ldap_synced
&
admin
}.
policy
do
cannot!
:admin
_group_member
enable
:override
_group_member
can!
:override_group_member
if
@user
.
admin?
||
@subject
.
has_owner?
(
@user
)
enable
:update_group_member
end
end
rule
{
ldap_synced
&
owner
}.
policy
do
enable
:override_group_member
enable
:update_group_member
end
rule
{
auditor
}.
enable
:read_group
end
end
end
end
end
end
app/policies/ee/project_policy.rb
View file @
268157f9
module
EE
module
EE
module
ProjectPolicy
module
ProjectPolicy
def
rules
extend
ActiveSupport
::
Concern
super
guest_access!
if
user
.
support_bot?
prepended
do
end
with_scope
:subject
condition
(
:service_desk_enabled
)
{
@subject
.
service_desk_enabled?
}
with_scope
:subject
condition
(
:related_issues_disabled
)
{
!
@subject
.
feature_available?
(
:related_issues
)
}
with_scope
:subject
condition
(
:deploy_board_disabled
)
{
!
@subject
.
feature_available?
(
:deploy_board
)
}
with_scope
:global
condition
(
:is_development
)
{
Rails
.
env
.
development?
}
rule
{
admin
}.
enable
:change_repository_storage
rule
{
support_bot
}.
enable
:guest_access
rule
{
support_bot
&
~
service_desk_enabled
}.
policy
do
prevent
:create_note
prevent
:read_project
end
def
disabled_features!
rule
{
license_block
}.
policy
do
raise
NotImplementedError
unless
defined?
(
super
)
prevent
:create_issue
prevent
:create_merge_request
prevent
:push_code
end
rule
{
related_issues_disabled
}.
policy
do
prevent
:read_issue_link
prevent
:admin_issue_link
end
super
rule
{
can?
(
:guest_access
)
}.
enable
:read_issue_link
if
License
.
block_changes?
rule
{
can?
(
:reporter_access
)
}.
policy
do
cannot!
:create_issue
enable
:admin_board
cannot!
:create_merge_request
enable
:read_deploy_board
cannot!
:push_code
enable
:admin_issue_link
cannot!
:push_code_to_protected_branches
end
end
if
@user
&
.
support_bot?
&&
!
@subject
.
service_desk_enabled?
rule
{
can?
(
:developer_access
)
}.
enable
:admin_board
cannot!
:create_note
cannot!
:read_project
rule
{
deploy_board_disabled
&
~
is_development
}.
prevent
:read_deploy_board
rule
{
can?
(
:master_access
)
}.
policy
do
enable
:push_code_to_protected_branches
enable
:admin_path_locks
end
end
unless
project
.
feature_available?
(
:related_issues
)
rule
{
auditor
}.
policy
do
cannot!
:read_issue_link
enable
:public_user_access
cannot!
:admin_issue_link
prevent
:request_access
enable
:read_build
enable
:read_environment
enable
:read_deployment
enable
:read_pages
end
end
rule
{
~
can?
(
:push_code
)
}.
prevent
:push_code_to_protected_branches
end
end
end
end
end
end
app/policies/group_member_policy.rb
View file @
268157f9
...
@@ -19,4 +19,12 @@ class GroupMemberPolicy < BasePolicy
...
@@ -19,4 +19,12 @@ class GroupMemberPolicy < BasePolicy
rule
{
is_target_user
}.
policy
do
rule
{
is_target_user
}.
policy
do
enable
:destroy_group_member
enable
:destroy_group_member
end
end
## EE extensions
condition
(
:ldap
,
score:
0
)
{
@subject
.
ldap?
}
condition
(
:override
,
score:
0
)
{
@subject
.
override?
}
rule
{
~
ldap
}.
prevent
:override_group_member
rule
{
ldap
&
~
override
}.
prevent
:update_group_member
end
end
app/policies/group_policy.rb
View file @
268157f9
class
GroupPolicy
<
BasePolicy
class
GroupPolicy
<
BasePolicy
prepend
EE
::
GroupPolicy
desc
"Group is public"
desc
"Group is public"
with_options
scope: :subject
,
score:
0
with_options
scope: :subject
,
score:
0
condition
(
:public_group
)
{
@subject
.
public?
}
condition
(
:public_group
)
{
@subject
.
public?
}
...
...
app/policies/project_policy.rb
View file @
268157f9
class
ProjectPolicy
<
BasePolicy
class
ProjectPolicy
<
BasePolicy
prepend
EE
::
ProjectPolicy
def
self
.
create_read_update_admin
(
name
)
def
self
.
create_read_update_admin
(
name
)
[
[
:"create_
#{
name
}
"
,
:"create_
#{
name
}
"
,
...
...
app/policies/project_snippet_policy.rb
View file @
268157f9
...
@@ -27,6 +27,7 @@ class ProjectSnippetPolicy < BasePolicy
...
@@ -27,6 +27,7 @@ class ProjectSnippetPolicy < BasePolicy
all?
(
private_snippet
|
(
internal
&
external_user
),
all?
(
private_snippet
|
(
internal
&
external_user
),
~
project
.
guest
,
~
project
.
guest
,
~
admin
,
~
admin
,
~
auditor
,
~
is_author
)
~
is_author
)
end
.
prevent
:read_project_snippet
end
.
prevent
:read_project_snippet
...
@@ -42,4 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
...
@@ -42,4 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
enable
:update_project_snippet
enable
:update_project_snippet
enable
:admin_project_snippet
enable
:admin_project_snippet
end
end
# EE Extensions
rule
{
auditor
}.
enable
:read_project_snippet
end
end
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment