Commit 5ae28ca5 authored by Toon Claes's avatar Toon Claes

Add User#full_private_access? to check if user has Private access

In CE only the admin has access to all private groups & projects. In EE also an
auditor can have full private access.

To overcome merge conflicts, or accidental incorrect access rights, abstract
this out in `User#full_private_access?`.

`User#admin?` now only should be used for admin-only features. For private
access-related features `User#full_private_access?` should be used.

Backported from gitlab-org/gitlab-ee!2199
parent e76764ed
......@@ -41,7 +41,7 @@ class IssuesFinder < IssuableFinder
def self.not_restricted_by_confidentiality(user)
return Issue.where('issues.confidential IS NOT TRUE') if user.blank?
return Issue.all if user.admin_or_auditor?
return Issue.all if user.full_private_access?
Issue.where('
issues.confidential IS NOT TRUE
......
......@@ -62,7 +62,7 @@ module Elastic
end
def self.confidentiality_filter(query_hash, current_user)
return query_hash if current_user && current_user.admin_or_auditor?
return query_hash if current_user && current_user.full_private_access?
filter = if current_user
{
......
......@@ -65,7 +65,7 @@ module Elastic
end
def self.confidentiality_filter(query_hash, current_user)
return query_hash if current_user && current_user.admin_or_auditor?
return query_hash if current_user && current_user.full_private_access?
filter = {
bool: {
......
......@@ -59,7 +59,7 @@ module Elastic
end
def self.filter(query_hash, user)
return query_hash if user && user.admin_or_auditor?
return query_hash if user && user.full_private_access?
filter = if user
{
......
......@@ -52,10 +52,6 @@ module EE
license_allows_auditor_user? && self.auditor
end
def admin_or_auditor?
admin? || auditor?
end
def access_level
if auditor?
:auditor
......@@ -73,8 +69,8 @@ module EE
end
# Does the user have access to all private groups & projects?
def has_full_private_access?
admin_or_auditor?
def full_private_access?
super || auditor?
end
def remember_me!
......
......@@ -96,7 +96,7 @@ class ProjectFeature < ActiveRecord::Base
when DISABLED
false
when PRIVATE
user && (project.team.member?(user) || user.admin_or_auditor?)
user && (project.team.member?(user) || user.full_private_access?)
when ENABLED
true
else
......
......@@ -1016,7 +1016,8 @@ class User < ActiveRecord::Base
end
# Does the user have access to all private groups & projects?
def has_full_private_access?
# Overridden in EE to also check auditor?
def full_private_access?
admin?
end
......
......@@ -22,7 +22,7 @@ module Search
def elastic_projects
@elastic_projects ||=
if current_user.try(:admin_or_auditor?)
if current_user&.full_private_access?
:any
elsif current_user
current_user.authorized_projects.pluck(:id)
......
---
title: Add User#full_private_access? to check if user has access to all private groups & projects
merge_request: 12373
author:
......@@ -28,7 +28,7 @@ module Gitlab
def levels_for_user(user = nil)
return [PUBLIC] unless user
if user.has_full_private_access?
if user.full_private_access?
[PRIVATE, INTERNAL, PUBLIC]
elsif user.external?
[PUBLIC]
......
......@@ -66,11 +66,11 @@ describe EE::User, models: true do
end
end
describe '#has_full_private_access?' do
describe '#full_private_access?' do
it 'returns true for auditor user' do
user = build(:user, :auditor)
expect(user.has_full_private_access?).to be_truthy
expect(user.full_private_access?).to be_truthy
end
end
end
......@@ -1801,17 +1801,17 @@ describe User, models: true do
end
end
describe '#has_full_private_access?' do
describe '#full_private_access?' do
it 'returns false for regular user' do
user = build(:user)
expect(user.has_full_private_access?).to be_falsy
expect(user.full_private_access?).to be_falsy
end
it 'returns true for admin user' do
user = build(:user, :admin)
expect(user.has_full_private_access?).to be_truthy
expect(user.full_private_access?).to be_truthy
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment