port the EE extensions to policies to the new framework

app/policies/base_policy.rb

@@ -10,4 +10,14 @@ class BasePolicy < DeclarativePolicy::Base
 
   with_options scope: :user, score: 0
   condition(:can_create_group) { @user&.can_create_group }
+
+  # EE Extensions
+  with_scope :user
+  condition(:auditor, score: 0) { @user&.auditor? }
+
+  with_scope :user
+  condition(:support_bot, score: 0) { @user&.support_bot? }
+
+  with_scope :global
+  condition(:license_block) { License.block_changes? }
 end

app/policies/ee/group_policy.rb

 module EE
   module GroupPolicy
-    def rules
-      raise NotImplementedError unless defined?(super)
+    extend ActiveSupport::Concern
 
-      super
+    prepended do
+      with_scope :subject
+      condition(:ldap_synced) { @subject.ldap_synced? }
 
-      return unless @user
+      rule { ldap_synced }.prevent :admin_group_member
 
-      if @subject.ldap_synced?
-        cannot! :admin_group_member
-        can! :override_group_member if @user.admin? || @subject.has_owner?(@user)
+      rule { ldap_synced & admin }.policy do
+        enable :override_group_member
+        enable :update_group_member
       end
+
+      rule { ldap_synced & owner }.policy do
+        enable :override_group_member
+        enable :update_group_member
+      end
+
+      rule { auditor }.enable :read_group
     end
   end
 end

app/policies/ee/project_policy.rb

 module EE
   module ProjectPolicy
-    def rules
-      super
+    extend ActiveSupport::Concern
 
-      guest_access! if user.support_bot?
+    prepended do
+      with_scope :subject
+      condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+
+      with_scope :subject
+      condition(:related_issues_disabled) { !@subject.feature_available?(:related_issues) }
+
+      with_scope :subject
+      condition(:deploy_board_disabled) { !@subject.feature_available?(:deploy_board) }
+
+      with_scope :global
+      condition(:is_development) { Rails.env.development? }
+
+      rule { admin }.enable :change_repository_storage
+
+      rule { support_bot }.enable :guest_access
+      rule { support_bot & ~service_desk_enabled }.policy do
+        prevent :create_note
+        prevent :read_project
+      end
+
+      rule { license_block }.policy do
+        prevent :create_issue
+        prevent :create_merge_request
+        prevent :push_code
       end
 
-    def disabled_features!
-      raise NotImplementedError unless defined?(super)
+      rule { related_issues_disabled }.policy do
+        prevent :read_issue_link
+        prevent :admin_issue_link
+      end
 
-      super
+      rule { can?(:guest_access) }.enable :read_issue_link
 
-      if License.block_changes?
-        cannot! :create_issue
-        cannot! :create_merge_request
-        cannot! :push_code
-        cannot! :push_code_to_protected_branches
+      rule { can?(:reporter_access) }.policy do
+        enable :admin_board
+        enable :read_deploy_board
+        enable :admin_issue_link
       end
 
-      if @user&.support_bot? && !@subject.service_desk_enabled?
-        cannot! :create_note
-        cannot! :read_project
+      rule { can?(:developer_access) }.enable :admin_board
+
+      rule { deploy_board_disabled & ~is_development }.prevent :read_deploy_board
+
+      rule { can?(:master_access) }.policy do
+        enable :push_code_to_protected_branches
+        enable :admin_path_locks
       end
 
-      unless project.feature_available?(:related_issues)
-        cannot! :read_issue_link
-        cannot! :admin_issue_link
+      rule { auditor }.policy do
+        enable :public_user_access
+        prevent :request_access
+
+        enable :read_build
+        enable :read_environment
+        enable :read_deployment
+        enable :read_pages
       end
+
+      rule { ~can?(:push_code) }.prevent :push_code_to_protected_branches
     end
   end
 end

app/policies/group_member_policy.rb

@@ -19,4 +19,12 @@ class GroupMemberPolicy < BasePolicy
   rule { is_target_user }.policy do
     enable :destroy_group_member
   end
+
+  ## EE extensions
+
+  condition(:ldap, score: 0) { @subject.ldap? }
+  condition(:override, score: 0) { @subject.override? }
+
+  rule { ~ldap }.prevent :override_group_member
+  rule { ldap & ~override }.prevent :update_group_member
 end

app/policies/group_policy.rb

 class GroupPolicy < BasePolicy
+  prepend EE::GroupPolicy
+
   desc "Group is public"
   with_options scope: :subject, score: 0
   condition(:public_group) { @subject.public? }

app/policies/project_policy.rb

 class ProjectPolicy < BasePolicy
+  prepend EE::ProjectPolicy
+
   def self.create_read_update_admin(name)
     [
       :"create_#{name}",

app/policies/project_snippet_policy.rb

@@ -27,6 +27,7 @@ class ProjectSnippetPolicy < BasePolicy
     all?(private_snippet | (internal & external_user),
          ~project.guest,
          ~admin,
+         ~auditor,
          ~is_author)
   end.prevent :read_project_snippet
 
@@ -42,4 +43,8 @@ class ProjectSnippetPolicy < BasePolicy
     enable :update_project_snippet
     enable :admin_project_snippet
   end
+
+  # EE Extensions
+
+  rule { auditor }.enable :read_project_snippet
 end