authorDouwe Maan <douwe@gitlab.com>2017-02-07 04:10:13 +0000
committerDouwe Maan <douwe@gitlab.com>2017-02-07 04:10:13 +0000
commit50f5960c72b4ff8b553bb0f7e8f649ac413f6ce0 (patch)
tree3fce35b12e29a10b538ce030ad7d661d332ba3e0 /app/policies
parent437b46b9a18b1eb26c0caecf0ff6863d8ad9faa7 (diff)
parentf5a798c7434bf236f36b399347c49fa3edf1f04e (diff)
downloadgitlab-ce-50f5960c72b4ff8b553bb0f7e8f649ac413f6ce0.tar.gz
Merge branch 'ee-1439-read-only-user' into 'master'
Backport changes from gitlab-org/gitlab-ee!998. See merge request !8984.
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/project_policy.rb47
-rw-r--r--app/policies/project_snippet_policy.rb2
2 files changed, 29 insertions, 20 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f5fd50745aa..f8594e29547 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -218,25 +218,7 @@ class ProjectPolicy < BasePolicy
def anonymous_rules
return unless project.public?
- can! :read_project
- can! :read_board
- can! :read_list
- can! :read_wiki
- can! :read_label
- can! :read_milestone
- can! :read_project_snippet
- can! :read_project_member
- can! :read_merge_request
- can! :read_note
- can! :read_pipeline
- can! :read_commit_status
- can! :read_container_image
- can! :download_code
- can! :download_wiki_code
- can! :read_cycle_analytics
-
- # NOTE: may be overridden by IssuePolicy
- can! :read_issue
+ base_readonly_access!
# Allow to read builds by anonymous user if guests are allowed
can! :read_build if project.public_builds?
@@ -269,4 +251,31 @@ class ProjectPolicy < BasePolicy
:"admin_#{name}"
]
end
+
+ private
+
+ # A base set of abilities for read-only users, which
+ # is then augmented as necessary for anonymous and other
+ # read-only users.
+ def base_readonly_access!
+ can! :read_project
+ can! :read_board
+ can! :read_list
+ can! :read_wiki
+ can! :read_label
+ can! :read_milestone
+ can! :read_project_snippet
+ can! :read_project_member
+ can! :read_merge_request
+ can! :read_note
+ can! :read_pipeline
+ can! :read_commit_status
+ can! :read_container_image
+ can! :download_code
+ can! :download_wiki_code
+ can! :read_cycle_analytics
+
+ # NOTE: may be overridden by IssuePolicy
+ can! :read_issue
+ end
end
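Review bot: The comment on `base_readonly_access!` does not say that the helper grants its abilities unconditionally; the only visibility check visible in this diff is `return unless project.public?` in `anonymous_rules`, in the first hunk. Since the helper is meant to be reused for other read-only users, I would extend the comment with a line such as `# Grants unconditionally: callers must check project visibility or membership before calling.` It is also worth stating there that any ability added to this list, alongside `:download_code` and `:read_project_member`, is granted to anonymous visitors of public projects as well. The class body starts outside the hunk.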
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index 57acccfafd9..3a96836917e 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -3,7 +3,7 @@ class ProjectSnippetPolicy < BasePolicy
can! :read_project_snippet if @subject.public?
return unless @user
- if @user && @subject.author == @user || @user.admin?
+ if @user && (@subject.author == @user || @user.admin?)
can! :read_project_snippet
can! :update_project_snippet
can! :admin_project_snippet
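Review bot: The `@user &&` in the new condition is redundant, because `return unless @user` just above already guarantees a user on this path; `if @subject.author == @user || @user.admin?` states the same authorization rule with less to audit. For the same reason the old unparenthesized form appears to have evaluated identically here, so the parentheses read as a clarity fix rather than a behaviour change. The enclosing method starts above the hunk and the `if` block closes below it.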