Commit
c674c9ea
authored
Dec 17, 2019
by
Diego Louzán
Committed by
Imre Farkas
Dec 17, 2019
chore: rename User#full_private_access? to User#can_read_all_resources?
Technical debt triggered from admin mode feature
parent
f25dfc80
Showing
22 changed files
with
31 additions
and
27 deletions
+31
-27
app/finders/groups_finder.rb
app/finders/groups_finder.rb
+1
-1
app/finders/issues_finder.rb
app/finders/issues_finder.rb
+1
-1
app/models/issue.rb
app/models/issue.rb
+1
-1
app/models/project_feature.rb
app/models/project_feature.rb
+1
-1
app/models/user.rb
app/models/user.rb
+1
-3
app/policies/base_policy.rb
app/policies/base_policy.rb
+1
-0
changelogs/unreleased/chore-rename-user-full-private-access.yml
...logs/unreleased/chore-rename-user-full-private-access.yml
+5
-0
ee/app/services/ee/search/global_service.rb
ee/app/services/ee/search/global_service.rb
+1
-1
ee/lib/elastic/latest/application_class_proxy.rb
ee/lib/elastic/latest/application_class_proxy.rb
+1
-1
ee/lib/elastic/latest/issue_class_proxy.rb
ee/lib/elastic/latest/issue_class_proxy.rb
+1
-1
ee/lib/elastic/latest/note_class_proxy.rb
ee/lib/elastic/latest/note_class_proxy.rb
+1
-1
ee/lib/elastic/latest/snippet_class_proxy.rb
ee/lib/elastic/latest/snippet_class_proxy.rb
+1
-1
ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
+1
-1
ee/spec/models/user_spec.rb
ee/spec/models/user_spec.rb
+2
-2
lib/api/groups.rb
lib/api/groups.rb
+1
-1
lib/api/helpers.rb
lib/api/helpers.rb
+2
-2
lib/api/helpers/project_snapshots_helpers.rb
lib/api/helpers/project_snapshots_helpers.rb
+1
-1
lib/api/keys.rb
lib/api/keys.rb
+1
-1
lib/api/pages.rb
lib/api/pages.rb
+1
-1
lib/api/pages_domains.rb
lib/api/pages_domains.rb
+1
-1
lib/gitlab/visibility_level.rb
lib/gitlab/visibility_level.rb
+1
-1
spec/models/user_spec.rb
spec/models/user_spec.rb
+4
-4
app/finders/groups_finder.rb
...
...
@@ -45,7 +45,7 @@ class GroupsFinder < UnionFinder
def
all_groups
return
[
owned_groups
]
if
params
[
:owned
]
return
[
groups_with_min_access_level
]
if
min_access_level?
return
[
Group
.
all
]
if
current_user
&
.
full_private_acces
s?
&&
all_available?
return
[
Group
.
all
]
if
current_user
&
.
can_read_all_resource
s?
&&
all_available?
groups
=
[]
groups
<<
Gitlab
::
ObjectHierarchy
.
new
(
groups_for_ancestors
,
groups_for_descendants
).
all_objects
if
current_user
...
...
app/finders/issues_finder.rb
...
...
@@ -127,7 +127,7 @@ class IssuesFinder < IssuableFinder
return
@user_can_see_all_confidential_issues
if
defined?
(
@user_can_see_all_confidential_issues
)
return
@user_can_see_all_confidential_issues
=
false
if
current_user
.
blank?
return
@user_can_see_all_confidential_issues
=
true
if
current_user
.
full_private_acces
s?
return
@user_can_see_all_confidential_issues
=
true
if
current_user
.
can_read_all_resource
s?
@user_can_see_all_confidential_issues
=
if
project?
&&
project
...
...
app/models/issue.rb
...
...
@@ -242,7 +242,7 @@ class Issue < ApplicationRecord
return
false
unless
readable_by?
(
user
)
user
.
full_private_acces
s?
||
user
.
can_read_all_resource
s?
||
::
Gitlab
::
ExternalAuthorization
.
access_allowed?
(
user
,
project
.
external_authorization_classification_label
)
end
...
...
app/models/project_feature.rb
...
...
@@ -186,7 +186,7 @@ class ProjectFeature < ApplicationRecord
def
team_access?
(
user
,
feature
)
return
unless
user
return
true
if
user
.
full_private_acces
s?
return
true
if
user
.
can_read_all_resource
s?
project
.
team
.
member?
(
user
,
ProjectFeature
.
required_minimum_access_level
(
feature
))
end
...
...
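Review bot: The early `return true if user.can_read_all_resources?` in `team_access?` skips the `project.team.member?(user, ProjectFeature.required_minimum_access_level(feature))` check for every feature, and the new name now makes it visible that a read-scoped ability is what grants that bypass. The policy comment in this same commit says EE extends `:read_all_resources` to auditors, so it is worth stating here that the short-circuit is intended for them too, for example `# Holders of :read_all_resources (admins, EE auditors) bypass the per-feature membership check.` above that line. Whether `team_access?` is ever consulted for a write decision cannot be seen from this hunk; if it is, that caller needs its own ability check rather than relying on this predicate.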
app/models/user.rb
...
...
@@ -1473,9 +1473,7 @@ class User < ApplicationRecord
self
.
admin
=
(
new_level
==
'admin'
)
end
# Does the user have access to all private groups & projects?
# Overridden in EE to also check auditor?
def
full_private_access?
def
can_read_all_resources?
can?
(
:read_all_resources
)
end
...
...
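Review bot: `can_read_all_resources?` ends up with no doc comment, because the two comment lines that described the old predicate (access to all private groups and projects, overridden in EE for auditors) appear to be among the lines this hunk drops; that reading is inferred from the +1/-3 count, since the page has lost its markers. Every finder, API helper and Elasticsearch filter touched in this commit short-circuits its visibility checks on this one method, so its contract should be stated where it is defined. I would add `# True when the user holds the :read_all_resources policy ability (admins; EE extends the policy to auditors).` above the `def`. A second comment line should note that, per the specs in this commit, the result is false for an admin while admin mode is disabled, so callers must not cache it across sessions.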
app/policies/base_policy.rb
...
...
@@ -40,6 +40,7 @@ class BasePolicy < DeclarativePolicy::Base
prevent
:read_cross_project
end
# Policy extended in EE to also enable auditors
rule
{
admin
}.
enable
:read_all_resources
rule
{
default
}.
enable
:read_cross_project
...
...
changelogs/unreleased/chore-rename-user-full-private-access.yml
0 → 100644
---
title
:
Rename User#full_private_access? to User#can_read_all_resources?
merge_request
:
21668
author
:
Diego Louzán
type
:
other
ee/app/services/ee/search/global_service.rb
...
...
@@ -26,7 +26,7 @@ module EE
def
elastic_projects
strong_memoize
(
:elastic_projects
)
do
if
current_user
&
.
full_private_acces
s?
if
current_user
&
.
can_read_all_resource
s?
:any
elsif
current_user
current_user
.
authorized_projects
.
pluck
(
:id
)
# rubocop: disable CodeReuse/ActiveRecord
...
...
ee/lib/elastic/latest/application_class_proxy.rb
...
...
@@ -181,7 +181,7 @@ module Elastic
def
pick_projects_by_visibility
(
visibility
,
user
,
features
)
condition
=
{
term:
{
visibility_level:
visibility
}
}
limit_by_feature
(
condition
,
features
,
include_members_only:
user
&
.
full_private_acces
s?
)
limit_by_feature
(
condition
,
features
,
include_members_only:
user
&
.
can_read_all_resource
s?
)
end
# If a project feature(s) is specified, access is dependent on its visibility
...
...
ee/lib/elastic/latest/issue_class_proxy.rb
...
...
@@ -21,7 +21,7 @@ module Elastic
private
def
confidentiality_filter
(
query_hash
,
current_user
)
return
query_hash
if
current_user
&&
current_user
.
full_private_acces
s?
return
query_hash
if
current_user
&&
current_user
.
can_read_all_resource
s?
filter
=
if
current_user
...
...
ee/lib/elastic/latest/note_class_proxy.rb
...
...
@@ -29,7 +29,7 @@ module Elastic
private
def
confidentiality_filter
(
query_hash
,
current_user
)
return
query_hash
if
current_user
&
.
full_private_acces
s?
return
query_hash
if
current_user
&
.
can_read_all_resource
s?
filter
=
{
bool:
{
...
...
ee/lib/elastic/latest/snippet_class_proxy.rb
...
...
@@ -25,7 +25,7 @@ module Elastic
def
filter
(
query_hash
,
options
)
user
=
options
[
:current_user
]
return
query_hash
if
user
&
.
full_private_acces
s?
return
query_hash
if
user
&
.
can_read_all_resource
s?
filter_conditions
=
filter_personal_snippets
(
user
,
options
)
+
...
...
ee/spec/lib/gitlab/elastic/snippet_search_results_spec.rb
...
...
@@ -52,7 +52,7 @@ describe Gitlab::Elastic::SnippetSearchResults, :elastic, :sidekiq_might_not_nee
end
end
context
'when user has
full_private_acces
s'
,
:do_not_mock_admin_mode
do
context
'when user has
read_all_resource
s'
,
:do_not_mock_admin_mode
do
include_context
'custom session'
let
(
:user
)
{
create
(
:admin
)
}
...
...
ee/spec/models/user_spec.rb
...
...
@@ -228,11 +228,11 @@ describe User do
end
end
describe
'#
full_private_acces
s?'
do
describe
'#
can_read_all_resource
s?'
do
it
'returns true for auditor user'
do
user
=
build
(
:user
,
:auditor
)
expect
(
user
.
full_private_acces
s?
).
to
be_truthy
expect
(
user
.
can_read_all_resource
s?
).
to
be_truthy
end
end
...
...
lib/api/groups.rb
...
...
@@ -31,7 +31,7 @@ module API
find_params
=
params
.
slice
(
:all_available
,
:custom_attributes
,
:owned
,
:min_access_level
)
find_params
[
:parent
]
=
find_group!
(
parent_id
)
if
parent_id
find_params
[
:all_available
]
=
find_params
.
fetch
(
:all_available
,
current_user
&
.
full_private_acces
s?
)
find_params
.
fetch
(
:all_available
,
current_user
&
.
can_read_all_resource
s?
)
groups
=
GroupsFinder
.
new
(
current_user
,
find_params
).
execute
groups
=
groups
.
search
(
params
[
:search
])
if
params
[
:search
].
present?
...
...
lib/api/helpers.rb
...
...
@@ -213,9 +213,9 @@ module API
unauthorized!
unless
Devise
.
secure_compare
(
secret_token
,
input
)
end
def
authenticated_with_
full_private_acces
s!
def
authenticated_with_
can_read_all_resource
s!
authenticate!
forbidden!
unless
current_user
.
full_private_acces
s?
forbidden!
unless
current_user
.
can_read_all_resource
s?
end
def
authenticated_as_admin!
...
...
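Review bot: The helper name `authenticated_with_can_read_all_resources!` is a mechanical substitution of the predicate name and no longer reads as a phrase; it also hides that the method does two things, `authenticate!` followed by `forbidden! unless current_user.can_read_all_resources?`. A name built on the ability, such as `authenticated_with_read_all_resources!`, would match the `:read_all_resources` policy symbol and sit better beside `authenticated_as_admin!` just below. A one-line comment such as `# Rejects unauthenticated requests, then responds forbidden unless the user may read all resources.` would record the two-step behaviour for the endpoints that call it (snapshots, keys, pages and pages domains in this commit). The enclosing module continues outside the hunk.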
lib/api/helpers/project_snapshots_helpers.rb
...
...
@@ -6,7 +6,7 @@ module API
prepend_if_ee
(
'::EE::API::Helpers::ProjectSnapshotsHelpers'
)
# rubocop: disable Cop/InjectEnterpriseEditionModule
def
authorize_read_git_snapshot!
authenticated_with_
full_private_acces
s!
authenticated_with_
can_read_all_resource
s!
end
def
send_git_snapshot
(
repository
)
...
...
lib/api/keys.rb
...
...
@@ -24,7 +24,7 @@ module API
requires
:fingerprint
,
type:
String
,
desc:
'Search for a SSH fingerprint'
end
get
do
authenticated_with_
full_private_acces
s!
authenticated_with_
can_read_all_resource
s!
finder_params
=
params
.
merge
(
key_type:
'ssh'
)
...
...
lib/api/pages.rb
...
...
@@ -4,7 +4,7 @@ module API
class
Pages
<
Grape
::
API
before
do
require_pages_config_enabled!
authenticated_with_
full_private_acces
s!
authenticated_with_
can_read_all_resource
s!
end
params
do
...
...
lib/api/pages_domains.rb
...
...
@@ -37,7 +37,7 @@ module API
resource
:pages
do
before
do
require_pages_config_enabled!
authenticated_with_
full_private_acces
s!
authenticated_with_
can_read_all_resource
s!
end
desc
"Get all pages domains"
do
...
...
lib/gitlab/visibility_level.rb
...
...
@@ -29,7 +29,7 @@ module Gitlab
def
levels_for_user
(
user
=
nil
)
return
[
PUBLIC
]
unless
user
if
user
.
full_private_acces
s?
if
user
.
can_read_all_resource
s?
[
PRIVATE
,
INTERNAL
,
PUBLIC
]
elsif
user
.
external?
[
PUBLIC
]
...
...
spec/models/user_spec.rb
...
...
@@ -2894,11 +2894,11 @@ describe User, :do_not_mock_admin_mode do
end
end
describe
'#
full_private_acces
s?'
do
describe
'#
can_read_all_resource
s?'
do
it
'returns false for regular user'
do
user
=
build
(
:user
)
expect
(
user
.
full_private_acces
s?
).
to
be_falsy
expect
(
user
.
can_read_all_resource
s?
).
to
be_falsy
end
context
'for admin user'
do
...
...
@@ -2908,7 +2908,7 @@ describe User, :do_not_mock_admin_mode do
context
'when admin mode is disabled'
do
it
'returns false'
do
expect
(
user
.
full_private_acces
s?
).
to
be_falsy
expect
(
user
.
can_read_all_resource
s?
).
to
be_falsy
end
end
...
...
@@ -2919,7 +2919,7 @@ describe User, :do_not_mock_admin_mode do
end
it
'returns true'
do
expect
(
user
.
full_private_acces
s?
).
to
be_truthy
expect
(
user
.
can_read_all_resource
s?
).
to
be_truthy
end
end
end
...
...