Commit 632ee3a6 authored by Luke Duncalfe's avatar Luke Duncalfe

Move Design Management Policies to FOSS

This change is part of
https://gitlab.com/gitlab-org/gitlab/-/issues/212566 to move all Design
Management code to FOSS.
parent b552de11
...@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy ...@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
desc "Issue is confidential" desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? } condition(:confidential, scope: :subject) { @subject.confidential? }
desc "Issue has moved"
condition(:moved) { @subject.moved? }
rule { confidential & ~can_read_confidential }.policy do rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue)) prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid prevent :read_issue_iid
...@@ -25,6 +28,15 @@ class IssuePolicy < IssuablePolicy ...@@ -25,6 +28,15 @@ class IssuePolicy < IssuablePolicy
rule { locked }.policy do rule { locked }.policy do
prevent :reopen_issue prevent :reopen_issue
end end
end
IssuePolicy.prepend_if_ee('::EE::IssuePolicy') rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { locked | moved }.policy do
prevent :create_design
prevent :destroy_design
end
end
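Review bot: The two new rules at the end of the class hand-list the design abilities (`:read_design`, `:create_design`, `:destroy_design`), and the same list appears again in ProjectPolicy's `design_management_disabled` rule in this commit. A design ability added later would therefore stay allowed for users who cannot read the issue unless every list is updated. I would add a comment above the first rule, `# Deny every design ability here; keep in sync with ProjectPolicy's design_management_disabled rule`, or collect the names in one constant used by both policies. Separately, `condition(:moved)` reads only `@subject`, like `confidential` just above it, so `condition(:moved, scope: :subject) { @subject.moved? }` would match that style. The class body starts above the hunk, so other rules touching these abilities may exist outside this view.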
...@@ -11,6 +11,7 @@ class ProjectPolicy < BasePolicy ...@@ -11,6 +11,7 @@ class ProjectPolicy < BasePolicy
milestone milestone
snippet snippet
wiki wiki
design
note note
pipeline pipeline
pipeline_schedule pipeline_schedule
...@@ -107,6 +108,11 @@ class ProjectPolicy < BasePolicy ...@@ -107,6 +108,11 @@ class ProjectPolicy < BasePolicy
) )
end end
with_scope :subject
condition(:design_management_disabled) do
!@subject.design_management_enabled?
end
# We aren't checking `:read_issue` or `:read_merge_request` in this case # We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid # because it could be possible for a user to see an issuable-iid
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
...@@ -299,6 +305,8 @@ class ProjectPolicy < BasePolicy ...@@ -299,6 +305,8 @@ class ProjectPolicy < BasePolicy
enable :create_metrics_dashboard_annotation enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation
enable :create_design
enable :destroy_design
end end
rule { can?(:developer_access) & user_confirmed? }.policy do rule { can?(:developer_access) & user_confirmed? }.policy do
...@@ -511,6 +519,17 @@ class ProjectPolicy < BasePolicy ...@@ -511,6 +519,17 @@ class ProjectPolicy < BasePolicy
rule { admin }.enable :change_repository_storage rule { admin }.enable :change_repository_storage
rule { can?(:read_issue) }.policy do
enable :read_design
end
# Design abilities could also be prevented in the issue policy.
rule { design_management_disabled }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
private private
def team_member? def team_member?
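Review bot: The comment above `rule { design_management_disabled }` in the last hunk lost the second sentence that the EE version carried, and that sentence explains the design. `:read_design` is enabled here from the project-level `can?(:read_issue)`, so per-issue denial (confidential issues, for example) appears to depend on the `~can?(:read_issue)` rule in IssuePolicy. I would restore it as `# If the user cannot read the issue, then they cannot see the designs.` Also, in the hunk at -299/+305 the `rule` line that gates `enable :create_design` and `enable :destroy_design` sits above the hunk. Confirm it is the same access level as the EE rule these lines were removed from, since a different level would change who can add or delete designs.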
......
# frozen_string_literal: true
module EE
module IssuePolicy
extend ActiveSupport::Concern
prepended do
condition(:moved) { @subject.moved? }
rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { locked | moved }.policy do
prevent :create_design
prevent :destroy_design
end
end
end
end
...@@ -14,7 +14,6 @@ module EE ...@@ -14,7 +14,6 @@ module EE
license_management license_management
feature_flag feature_flag
feature_flags_client feature_flags_client
design
].freeze ].freeze
prepended do prepended do
...@@ -112,11 +111,6 @@ module EE ...@@ -112,11 +111,6 @@ module EE
!@subject.feature_available?(:feature_flags) !@subject.feature_available?(:feature_flags)
end end
with_scope :subject
condition(:design_management_disabled) do
!@subject.design_management_enabled?
end
with_scope :subject with_scope :subject
condition(:code_review_analytics_enabled) do condition(:code_review_analytics_enabled) do
@subject.feature_available?(:code_review_analytics, @user) @subject.feature_available?(:code_review_analytics, @user)
...@@ -157,7 +151,6 @@ module EE ...@@ -157,7 +151,6 @@ module EE
rule { can?(:read_issue) }.policy do rule { can?(:read_issue) }.policy do
enable :read_issue_link enable :read_issue_link
enable :read_design
end end
rule { can?(:reporter_access) }.policy do rule { can?(:reporter_access) }.policy do
...@@ -182,8 +175,6 @@ module EE ...@@ -182,8 +175,6 @@ module EE
enable :destroy_feature_flag enable :destroy_feature_flag
enable :admin_feature_flag enable :admin_feature_flag
enable :admin_feature_flags_user_lists enable :admin_feature_flags_user_lists
enable :create_design
enable :destroy_design
end end
rule { can?(:public_access) }.enable :read_package rule { can?(:public_access) }.enable :read_package
...@@ -345,14 +336,6 @@ module EE ...@@ -345,14 +336,6 @@ module EE
rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal rule { web_ide_terminal_available & can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
# Design abilities could also be prevented in the issue policy.
# If the user cannot read the issue, then they cannot see the designs.
rule { design_management_disabled }.policy do
prevent :read_design
prevent :create_design
prevent :destroy_design
end
rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics rule { can?(:read_merge_request) & code_review_analytics_enabled }.enable :read_code_review_analytics
......