diff options
| author | Rémy Coutable <remy@rymai.me> | 2018-12-18 17:18:09 +0100 |
|---|---|---|
| committer | Rémy Coutable <remy@rymai.me> | 2019-01-07 18:45:54 +0100 |
| commit | 4c7b7a842a0c523883929c3b403bc4c806d1e93f (patch) | |
| tree | 32e4cc6bad967ebf7f6e611713c684e68026e409 | |
| parent | 549ee8ada3b59278871a89720632584bc5cc11df (diff) | |
| download | gitlab-ce-ce-extract-specific-code-from-project_snippet_policy.tar.gz | |
Make ProjectSnippetPolicy EE-readyce-extract-specific-code-from-project_snippet_policy
Signed-off-by: Rémy Coutable <remy@rymai.me>
| -rw-r--r-- | app/policies/base_policy.rb | 4 | ||||
| -rw-r--r-- | app/policies/project_snippet_policy.rb | 11 |
2 files changed, 9 insertions, 6 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 0d0f1c28bad..72de04203a6 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -7,6 +7,10 @@ class BasePolicy < DeclarativePolicy::Base with_options scope: :user, score: 0 condition(:admin) { @user&.admin? } + desc "User has access to all private groups & projects" + with_options scope: :user, score: 0 + condition(:full_private_access) { @user&.full_private_access? } + with_options scope: :user, score: 0 condition(:external_user) { @user.nil? || @user.external? } diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb index 288bf070cfc..7dafa33bb99 100644 --- a/app/policies/project_snippet_policy.rb +++ b/app/policies/project_snippet_policy.rb @@ -5,13 +5,12 @@ class ProjectSnippetPolicy < BasePolicy desc "Snippet is public" condition(:public_snippet, scope: :subject) { @subject.public? } + condition(:internal_snippet, scope: :subject) { @subject.internal? } condition(:private_snippet, scope: :subject) { @subject.private? } condition(:public_project, scope: :subject) { @subject.project.public? } condition(:is_author) { @user && @subject.author == @user } - condition(:internal, scope: :subject) { @subject.internal? } - # We have to check both project feature visibility and a snippet visibility and take the stricter one # This will be simplified - check https://gitlab.com/gitlab-org/gitlab-ce/issues/27573 rule { ~can?(:read_project) }.policy do @@ -26,13 +25,13 @@ class ProjectSnippetPolicy < BasePolicy # is used to hide/show various snippet-related controls, so we can't just move # all of the handling here. rule do - all?(private_snippet | (internal & external_user), + all?(private_snippet | (internal_snippet & external_user), ~project.guest, - ~admin, - ~is_author) + ~is_author, + ~full_private_access) end.prevent :read_project_snippet - rule { internal & ~is_author & ~admin }.policy do + rule { internal_snippet & ~is_author & ~admin }.policy do prevent :update_project_snippet prevent :admin_project_snippet end |