author | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-02-01 23:58:04 +0100 |
---|---|---|
committer | Kamil Trzcinski <ayufan@ayufan.eu> | 2016-02-02 09:18:08 +0100 |
commit | 055afab5c7d33d061d339c270bd258ed847450f3 (patch) | |
tree | e72ba0bc495456f3f106d23576810cec4238af21 /app/models | |
parent | 7df149bb63c91792fb958db87b24bb120463a49e (diff) | |
download | gitlab-ce-055afab5c7d33d061d339c270bd258ed847450f3.tar.gz |
Make the CI permission model simpler
This MR simplifies CI permission model:
- read_build: allows to read a list of builds, artifacts and trace
- update_build: allows to cancel and retry builds
- create_build: allows to create builds from gitlab-ci.yml (not yet implemented)
- admin_build: allows to manage triggers, runners and variables
- read_commit_status: allows to read a list of commit statuses (including the overall of builds)
- create_commit_status: allows to create a new commit status using API
Remove all extra methods for managing permissions.
Make all controllers use the new permissions explicitly.
Diffstat (limited to 'app/models')
-rw-r--r-- | app/models/ability.rb | 34 |
1 files changed, 26 insertions, 8 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb index ab59a3506a2..e58e7a40273 100644 --- a/app/models/ability.rb +++ b/app/models/ability.rb @@ -52,10 +52,15 @@ class Ability :read_project_member, :read_merge_request, :read_note, + :read_commit_status, :read_build, :download_code ] + if project.restrict_builds? + rules -= :read_build + end + rules - project_disabled_features_rules(project) else [] @@ -113,6 +118,10 @@ class Ability if project.public? || project.internal? rules.push(*public_project_rules) + + if team.guest?(user) && project.restrict_builds? + rules -= named_abilities('build') + end end if project.owner == user || user.admin? @@ -134,7 +143,9 @@ class Ability def public_project_rules @public_project_rules ||= project_guest_rules + [ :download_code, - :fork_project + :fork_project, + :read_commit_status, + :read_build, ] end @@ -149,7 +160,7 @@ class Ability :read_project_member, :read_merge_request, :read_note, - :read_build, + :read_commit_status, :create_project, :create_issue, :create_note @@ -158,24 +169,25 @@ class Ability def project_report_rules @project_report_rules ||= project_guest_rules + [ - :create_commit_status, - :read_commit_statuses, - :read_build_artifacts, :download_code, :fork_project, :create_project_snippet, :update_issue, :admin_issue, - :admin_label + :admin_label, + :read_build, ] end def project_dev_rules @project_dev_rules ||= project_report_rules + [ :admin_merge_request, + :create_commit_status, + :update_commit_status, + :create_build, + :update_build, :create_merge_request, :create_wiki, - :manage_builds, :push_code ] end @@ -201,7 +213,9 @@ class Ability :admin_merge_request, :admin_note, :admin_wiki, - :admin_project + :admin_project, + :admin_commit_status, + :admin_build ] end @@ -240,6 +254,10 @@ class Ability rules += named_abilities('wiki') end + unless project.builds_enabled + rules += named_abilities('build') + end + rules end |
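Review bot: In the `@@ -52,10 +52,15 @@` hunk, `rules -= :read_build` passes a Symbol to `Array#-`, which raises `TypeError` instead of removing the ability, so any ability lookup that reaches this branch on a project with `restrict_builds?` set would error out rather than return the reduced list. Write it as `rules -= [:read_build]` (or `rules.delete(:read_build)`). The enclosing method starts and ends outside the hunk, so this assumes `rules` is the array literal whose tail is visible in the context lines. A spec for a public project with restricted builds would pin the intended result.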
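Review bot: The `restrict_builds?` check in the `@@ -113,6 +118,10 @@` hunk strips build abilities only when `team.guest?(user)` is true, so a signed-in user with no membership on a public or internal project would apparently keep the `:read_build` that `public_project_rules` now grants in the `@@ -134,7 +143,9 @@` hunk; this assumes `guest?` matches explicit guest members only, as its definition is not in this diff. That would leave non-members able to read builds, artifacts and traces that guests cannot. Granting instead of subtracting closes the gap: drop `:read_build` from `public_project_rules` and add `rules << :read_build unless project.restrict_builds?` inside the `project.public? || project.internal?` branch, since reporters and above already receive it from `project_report_rules`. The enclosing method begins and ends outside the hunk.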
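Review bot: The new `unless project.builds_enabled` branch in the `@@ -240,6 +254,10 @@` hunk disables only what `named_abilities('build')` returns, so the `*_commit_status` abilities introduced by this commit presumably stay granted on projects with builds turned off (`named_abilities` is defined outside the diff). If that is intended, say so next to the branch, e.g. `# commit statuses are deliberately left enabled when builds are disabled`; if it is not, add `rules += named_abilities('commit_status')` to the same branch. The method body starts outside the hunk.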