diff options
author | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-10 22:08:11 +0100 |
---|---|---|
committer | Zeger-Jan van de Weg <zegerjan@gitlab.com> | 2016-03-13 19:08:04 +0100 |
commit | 42fcd3881fcece5c9bd4b720460d6cade573b151 (patch) | |
tree | acabaaa610da27413ffdd7b5a0dd1610d3772a4c /app/models | |
parent | 065de4ab791373f7e6b8b5d3b73b5fe7c9e8e7c5 (diff) | |
download | gitlab-ce-42fcd3881fcece5c9bd4b720460d6cade573b151.tar.gz |
External Users
The user has the rights of a public user execpt it can never create a project,
group, or team. Also it cant view internal projects.
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/ability.rb | 34 | ||||
-rw-r--r-- | app/models/user.rb | 12 |
2 files changed, 29 insertions, 17 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index fe9e0aab717..ccac08b7d3f 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -109,23 +109,10 @@ class Ability key = "/user/#{user.id}/project/#{project.id}" RequestStore.store[key] ||= begin - team = project.team + # Push abilities on the users team role + rules.push(*project_team_rules(project.team, user)) - # Rules based on role in project - if team.master?(user) - rules.push(*project_master_rules) - - elsif team.developer?(user) - rules.push(*project_dev_rules) - - elsif team.reporter?(user) - rules.push(*project_report_rules) - - elsif team.guest?(user) - rules.push(*project_guest_rules) - end - - if project.public? || project.internal? + if project.public? || (project.internal? && !user.external?) rules.push(*public_project_rules) # Allow to read builds for internal projects @@ -148,6 +135,19 @@ class Ability end end + def project_team_rules(team, user) + # Rules based on role in project + if team.master?(user) + project_master_rules + elsif team.developer?(user) + project_dev_rules + elsif team.reporter?(user) + project_report_rules + elsif team.guest?(user) + project_guest_rules + end + end + def public_project_rules @public_project_rules ||= project_guest_rules + [ :download_code, @@ -356,7 +356,7 @@ class Ability ] end - if snippet.public? || snippet.internal? + if snippet.public? || (snippet.internal? && !user.external?) rules << :read_personal_snippet end diff --git a/app/models/user.rb b/app/models/user.rb index 043bc825ade..adff238c60f 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -59,6 +59,7 @@ # hide_project_limit :boolean default(FALSE) # unlock_token :string # otp_grace_period_started_at :datetime +# external :boolean default(FALSE) # require 'carrierwave/orm/activerecord' @@ -77,6 +78,7 @@ class User < ActiveRecord::Base add_authentication_token_field :authentication_token default_value_for :admin, false + default_value_for :external, false default_value_for :can_create_group, gitlab_config.default_can_create_group default_value_for :can_create_team, false default_value_for :hide_no_ssh_key, false @@ -179,6 +181,7 @@ class User < ActiveRecord::Base after_update :update_emails_with_primary_email, if: ->(user) { user.email_changed? } before_save :ensure_authentication_token + before_save :ensure_external_user_rights after_save :ensure_namespace_correct after_initialize :set_projects_limit after_create :post_create_hook @@ -848,4 +851,13 @@ class User < ActiveRecord::Base def send_devise_notification(notification, *args) devise_mailer.send(notification, self, *args).deliver_later end + + def ensure_external_user_rights + return unless self.external? + + self.can_create_team = false + self.can_create_group = false + self.projects_limit = 0 + self.hide_project_limit = true + end end |