Use can? policies for lib/api/runners.rb

7320684c · Dylan Griffith · 846f73b5 · 7320684c · 7320684c
Commit 7320684c authored May 09, 2018 by Dylan Griffith
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 13 deletions

app/policies/ci/runner_policy.rb app/policies/ci/runner_policy.rb +4 -4

lib/api/runners.rb lib/api/runners.rb +5 -9

No files found.
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
 module Ci
  class RunnerPolicy < BasePolicy
-    with_options scope: :subject, score: 0
-    condition(:shared) { @subject.is_shared? }
-
    with_options scope: :subject, score: 0
    condition(:locked, scope: :subject) { @subject.locked? }

@@ -10,7 +7,10 @@ module Ci

    rule { anonymous }.prevent_all
    rule { admin | authorized_runner }.enable :assign_runner
-    rule { ~admin & shared }.prevent :assign_runner
+    rule { admin | authorized_runner }.enable :read_runner
+    rule { admin | authorized_runner }.enable :update_runner
+    rule { admin | authorized_runner }.enable :delete_runner
+    rule { admin | authorized_runner }.enable :list_runner_jobs
    rule { ~admin & locked }.prevent :assign_runner
  end
 end
--- a/lib/api/runners.rb
+++ b/lib/api/runners.rb
@@ -184,14 +184,14 @@ module API
      def authenticate_show_runner!(runner)
        return if runner.is_shared || current_user.admin?

-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :read_runner, runner)
      end

      def authenticate_update_runner!(runner)
        return if current_user.admin?

        forbidden!("Runner is shared") if runner.is_shared?
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :update_runner, runner)
      end

      def authenticate_delete_runner!(runner)
@@ -199,7 +199,7 @@ module API

        forbidden!("Runner is shared") if runner.is_shared?
        forbidden!("Runner associated with more than one project") if runner.projects.count > 1
-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :delete_runner, runner)
      end

      def authenticate_enable_runner!(runner)
@@ -208,17 +208,13 @@ module API
        forbidden!("Runner is a group runner") if runner.group_type?
        return if current_user.admin?

-        forbidden!("No access granted") unless user_can_access_runner?(runner)
+        forbidden!("No access granted") unless can?(current_user, :assign_runner, runner)
      end

      def authenticate_list_runners_jobs!(runner)
        return if current_user.admin?

-        forbidden!("No access granted") unless user_can_access_runner?(runner)
-      end
-
-      def user_can_access_runner?(runner)
-        current_user.ci_authorized_runners.exists?(runner.id)
+        forbidden!("No access granted") unless can?(current_user, :list_runner_jobs, runner)
      end
    end
  end