Add EE-only policy modifications to GroupPolicy and ProjectPolicy

dcbef45d · Robert Speicher · 60243c39 · dcbef45d · dcbef45d
Commit dcbef45d authored Sep 01, 2016 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 0 deletions

app/policies/group_policy.rb app/policies/group_policy.rb +3 -0

app/policies/project_policy.rb app/policies/project_policy.rb +20 -0

No files found.
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -32,6 +32,9 @@ class GroupPolicy < BasePolicy
    if globally_viewable && @subject.request_access_enabled && !member
      can! :request_access
    end
+
+    # EE-only
+    cannot! :admin_group_member if @subject.ldap_synced?
  end

  def can_read_group?

--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -23,6 +23,9 @@ class ProjectPolicy < BasePolicy

    archived_access! if project.archived?

+    # EE-only
+    can! :change_repository_storage if user.admin?
+
    disabled_features!
  end

@@ -101,6 +104,12 @@ class ProjectPolicy < BasePolicy
    can! :admin_pipeline
    can! :admin_environment
    can! :admin_deployment
+
+    # EE-only
+    can! :admin_path_locks
+    can! :admin_pages
+    can! :read_pages
+    can! :update_pages
  end

  def public_access!
@@ -124,6 +133,9 @@ class ProjectPolicy < BasePolicy
    can! :remove_fork_project
    can! :destroy_merge_request
    can! :destroy_issue
+
+    # EE-only
+    can! :remove_pages
  end

  # Push abilities on the users team role
@@ -176,6 +188,14 @@ class ProjectPolicy < BasePolicy
    unless project.container_registry_enabled
      cannot!(*named_abilities(:container_image))
    end
+
+    # EE-only
+    if defined?(License) && License.block_changes?
+      cannot! :create_issue
+      cannot! :create_merge_request
+      cannot! :push_code
+      cannot! :push_code_to_protected_branches
+    end
  end

  def anonymous_rules