diff options
| author | Nick Thomas <nick@gitlab.com> | 2019-01-09 01:52:48 +0000 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2019-01-09 01:52:48 +0000 |
| commit | b05c06a909caad710f0203b81642916cc45cfc1f (patch) | |
| tree | 225c8e37bcf911611af2a49a03224329ed36f318 | |
| parent | 27c32f9fa84d7d9876adc648ae443b75a403f4a6 (diff) | |
| parent | 4c7b7a842a0c523883929c3b403bc4c806d1e93f (diff) | |
| download | gitlab-ce-b05c06a909caad710f0203b81642916cc45cfc1f.tar.gz | |
Merge branch 'ce-extract-specific-code-from-project_snippet_policy' into 'master'
Make ProjectSnippetPolicy EE-ready
See merge request gitlab-org/gitlab-ce!23908
| -rw-r--r-- | app/policies/base_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/project_snippet_policy.rb | 11 |
2 files changed, 9 insertions, 6 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 0d0f1c28bad..72de04203a6 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -7,6 +7,10 @@ class BasePolicy < DeclarativePolicy::Base with_options scope: :user, score: 0 condition(:admin) { @user&.admin? } + desc "User has access to all private groups & projects" + with_options scope: :user, score: 0 + condition(:full_private_access) { @user&.full_private_access? } + with_options scope: :user, score: 0 condition(:external_user) { @user.nil? || @user.external? } diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb index 288bf070cfc..7dafa33bb99 100644 --- a/app/policies/project_snippet_policy.rb +++ b/app/policies/project_snippet_policy.rb @@ -5,13 +5,12 @@ class ProjectSnippetPolicy < BasePolicy desc "Snippet is public" condition(:public_snippet, scope: :subject) { @subject.public? } + condition(:internal_snippet, scope: :subject) { @subject.internal? } condition(:private_snippet, scope: :subject) { @subject.private? } condition(:public_project, scope: :subject) { @subject.project.public? } condition(:is_author) { @user && @subject.author == @user } - condition(:internal, scope: :subject) { @subject.internal? } - # We have to check both project feature visibility and a snippet visibility and take the stricter one # This will be simplified - check https://gitlab.com/gitlab-org/gitlab-ce/issues/27573 rule { ~can?(:read_project) }.policy do @@ -26,13 +25,13 @@ class ProjectSnippetPolicy < BasePolicy # is used to hide/show various snippet-related controls, so we can't just move # all of the handling here. rule do - all?(private_snippet | (internal & external_user), + all?(private_snippet | (internal_snippet & external_user), ~project.guest, - ~admin, - ~is_author) + ~is_author, + ~full_private_access) end.prevent :read_project_snippet - rule { internal & ~is_author & ~admin }.policy do + rule { internal_snippet & ~is_author & ~admin }.policy do prevent :update_project_snippet prevent :admin_project_snippet end |