Merge branch 'chore/rename-user-full-private-access' into 'master'

chore: rename User#full_private_access? to User#can_read_all_resources? Closes #34856 See merge request gitlab-org/gitlab!21668

Merge branch 'chore/rename-user-full-private-access' into 'master'
chore: rename User#full_private_access? to User#can_read_all_resources? Closes #34856 See merge request gitlab-org/gitlab!21668
a98b8302 · Imre Farkas · f25dfc80 · c674c9ea · a98b8302 · a98b8302
Commit a98b8302 authored Dec 17, 2019 by Imre Farkas
22 changed files
--- a/app/finders/groups_finder.rb
+++ b/app/finders/groups_finder.rb
@@ -45,7 +45,7 @@ class GroupsFinder < UnionFinder
  def all_groups
    return [owned_groups] if params[:owned]
    return [groups_with_min_access_level] if min_access_level?
-    return [Group.all] if current_user&.full_private_access? && all_available?
+    return [Group.all] if current_user&.can_read_all_resources? && all_available?
    groups = []
    groups << Gitlab::ObjectHierarchy.new(groups_for_ancestors, groups_for_descendants).all_objects if current_user

--- a/app/finders/issues_finder.rb
+++ b/app/finders/issues_finder.rb
@@ -127,7 +127,7 @@ class IssuesFinder < IssuableFinder
    return @user_can_see_all_confidential_issues if defined?(@user_can_see_all_confidential_issues)
    return @user_can_see_all_confidential_issues = false if current_user.blank?
-    return @user_can_see_all_confidential_issues = true if current_user.full_private_access?
+    return @user_can_see_all_confidential_issues = true if current_user.can_read_all_resources?
    @user_can_see_all_confidential_issues =
      if project? && project

--- a/app/models/issue.rb
+++ b/app/models/issue.rb
@@ -242,7 +242,7 @@ class Issue < ApplicationRecord
    return false unless readable_by?(user)
-    user.full_private_access? ||
+    user.can_read_all_resources? ||
      ::Gitlab::ExternalAuthorization.access_allowed?(
        user, project.external_authorization_classification_label)
  end

--- a/app/models/project_feature.rb
+++ b/app/models/project_feature.rb
@@ -186,7 +186,7 @@ class ProjectFeature < ApplicationRecord
  def team_access?(user, feature)
    return unless user
-    return true if user.full_private_access?
+    return true if user.can_read_all_resources?
    project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))
  end

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -1473,9 +1473,7 @@ class User < ApplicationRecord
    self.admin = (new_level == 'admin')
  end
-  # Does the user have access to all private groups & projects?
+  def can_read_all_resources?
-  # Overridden in EE to also check auditor?
-  def full_private_access?
    can?(:read_all_resources)
  end

--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -40,6 +40,7 @@ class BasePolicy < DeclarativePolicy::Base
    prevent :read_cross_project
  end
+  # Policy extended in EE to also enable auditors
  rule { admin }.enable :read_all_resources
  rule { default }.enable :read_cross_project

--- a/changelogs/unreleased/chore-rename-user-full-private-access.yml
+++ b/changelogs/unreleased/chore-rename-user-full-private-access.yml
+---
+title: Rename User#full_private_access? to User#can_read_all_resources?
+merge_request: 21668
+author: Diego Louzán
+type: other
--- a/ee/app/services/ee/search/global_service.rb
+++ b/ee/app/services/ee/search/global_service.rb
@@ -26,7 +26,7 @@ module EE
      def elastic_projects
        strong_memoize(:elastic_projects) do
-          if current_user&.full_private_access?
+          if current_user&.can_read_all_resources?
            :any
          elsif current_user
            current_user.authorized_projects.pluck(:id) # rubocop: disable CodeReuse/ActiveRecord

--- a/ee/lib/elastic/latest/application_class_proxy.rb
+++ b/ee/lib/elastic/latest/application_class_proxy.rb
@@ -181,7 +181,7 @@ module Elastic
      def pick_projects_by_visibility(visibility, user, features)
        condition = { term: { visibility_level: visibility } }
-        limit_by_feature(condition, features, include_members_only: user&.full_private_access?)
+        limit_by_feature(condition, features, include_members_only: user&.can_read_all_resources?)
      end
      # If a project feature(s) is specified, access is dependent on its visibility

--- a/ee/lib/elastic/latest/issue_class_proxy.rb
+++ b/ee/lib/elastic/latest/issue_class_proxy.rb
@@ -21,7 +21,7 @@ module Elastic
      private
      def confidentiality_filter(query_hash, current_user)
-        return query_hash if current_user && current_user.full_private_access?
+        return query_hash if current_user && current_user.can_read_all_resources?
        filter =
          if current_user

--- a/ee/lib/elastic/latest/note_class_proxy.rb
+++ b/ee/lib/elastic/latest/note_class_proxy.rb
@@ -29,7 +29,7 @@ module Elastic
      private
      def confidentiality_filter(query_hash, current_user)
-        return query_hash if current_user&.full_private_access?
+        return query_hash if current_user&.can_read_all_resources?
        filter = {
          bool: {

--- a/ee/lib/elastic/latest/snippet_class_proxy.rb
+++ b/ee/lib/elastic/latest/snippet_class_proxy.rb
@@ -25,7 +25,7 @@ module Elastic
      def filter(query_hash, options)
        user = options[:current_user]
-        return query_hash if user&.full_private_access?
+        return query_hash if user&.can_read_all_resources?
        filter_conditions =
          filter_personal_snippets(user, options) +

--- a/ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
+++ b/ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
@@ -52,7 +52,7 @@ describe Gitlab::Elastic::SnippetSearchResults, :elastic, :sidekiq_might_not_nee
    end
  end
-  context 'when user has full_private_access', :do_not_mock_admin_mode do
+  context 'when user has read_all_resources', :do_not_mock_admin_mode do
    include_context 'custom session'
    let(:user) { create(:admin) }

--- a/ee/spec/models/user_spec.rb
+++ b/ee/spec/models/user_spec.rb
@@ -228,11 +228,11 @@ describe User do
    end
  end
-  describe '#full_private_access?' do
+  describe '#can_read_all_resources?' do
    it 'returns true for auditor user' do
      user = build(:user, :auditor)
-      expect(user.full_private_access?).to be_truthy
+      expect(user.can_read_all_resources?).to be_truthy
    end
  end

--- a/lib/api/groups.rb
+++ b/lib/api/groups.rb
@@ -31,7 +31,7 @@ module API
        find_params = params.slice(:all_available, :custom_attributes, :owned, :min_access_level)
        find_params[:parent] = find_group!(parent_id) if parent_id
        find_params[:all_available] =
-          find_params.fetch(:all_available, current_user&.full_private_access?)
+          find_params.fetch(:all_available, current_user&.can_read_all_resources?)
        groups = GroupsFinder.new(current_user, find_params).execute
        groups = groups.search(params[:search]) if params[:search].present?

--- a/lib/api/helpers.rb
+++ b/lib/api/helpers.rb
@@ -213,9 +213,9 @@ module API
      unauthorized! unless Devise.secure_compare(secret_token, input)
    end
-    def authenticated_with_full_private_access!
+    def authenticated_with_can_read_all_resources!
      authenticate!
-      forbidden! unless current_user.full_private_access?
+      forbidden! unless current_user.can_read_all_resources?
    end
    def authenticated_as_admin!

--- a/lib/api/helpers/project_snapshots_helpers.rb
+++ b/lib/api/helpers/project_snapshots_helpers.rb
@@ -6,7 +6,7 @@ module API
      prepend_if_ee('::EE::API::Helpers::ProjectSnapshotsHelpers') # rubocop: disable Cop/InjectEnterpriseEditionModule
      def authorize_read_git_snapshot!
-        authenticated_with_full_private_access!
+        authenticated_with_can_read_all_resources!
      end
      def send_git_snapshot(repository)

--- a/lib/api/keys.rb
+++ b/lib/api/keys.rb
@@ -24,7 +24,7 @@ module API
        requires :fingerprint, type: String, desc: 'Search for a SSH fingerprint'
      end
      get do
-        authenticated_with_full_private_access!
+        authenticated_with_can_read_all_resources!
        finder_params = params.merge(key_type: 'ssh')

--- a/lib/api/pages.rb
+++ b/lib/api/pages.rb
@@ -4,7 +4,7 @@ module API
  class Pages < Grape::API
    before do
      require_pages_config_enabled!
-      authenticated_with_full_private_access!
+      authenticated_with_can_read_all_resources!
    end
    params do

--- a/lib/api/pages_domains.rb
+++ b/lib/api/pages_domains.rb
@@ -37,7 +37,7 @@ module API
    resource :pages do
      before do
        require_pages_config_enabled!
-        authenticated_with_full_private_access!
+        authenticated_with_can_read_all_resources!
      end
      desc "Get all pages domains" do

--- a/lib/gitlab/visibility_level.rb
+++ b/lib/gitlab/visibility_level.rb
@@ -29,7 +29,7 @@ module Gitlab
      def levels_for_user(user = nil)
        return [PUBLIC] unless user
-        if user.full_private_access?
+        if user.can_read_all_resources?
          [PRIVATE, INTERNAL, PUBLIC]
        elsif user.external?
          [PUBLIC]

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -2894,11 +2894,11 @@ describe User, :do_not_mock_admin_mode do
    end
  end
-  describe '#full_private_access?' do
+  describe '#can_read_all_resources?' do
    it 'returns false for regular user' do
      user = build(:user)
-      expect(user.full_private_access?).to be_falsy
+      expect(user.can_read_all_resources?).to be_falsy
    end
    context 'for admin user' do
@@ -2908,7 +2908,7 @@ describe User, :do_not_mock_admin_mode do
      context 'when admin mode is disabled' do
        it 'returns false' do
-          expect(user.full_private_access?).to be_falsy
+          expect(user.can_read_all_resources?).to be_falsy
        end
      end
@@ -2919,7 +2919,7 @@ describe User, :do_not_mock_admin_mode do
        end
        it 'returns true' do
-          expect(user.full_private_access?).to be_truthy
+          expect(user.can_read_all_resources?).to be_truthy
        end
      end
    end