diff options
| author | Sean McGivern <sean@gitlab.com> | 2017-06-02 15:13:10 +0100 |
|---|---|---|
| committer | Sean McGivern <sean@gitlab.com> | 2017-06-05 11:58:53 +0100 |
| commit | 5db229fb45c98424425bf14c6b9e4ede8ccef1d1 (patch) | |
| tree | bbc9c55d2647ab60fe9052988347115b8148bf1c /app/policies | |
| parent | 6e82de218aa63da6721a0340092dfaff6600b919 (diff) | |
| download | gitlab-ce-5db229fb45c98424425bf14c6b9e4ede8ccef1d1.tar.gz | |
Allow group reporters to manage group labels33154-permissions-for-project-labels-and-group-labels
Previously, only group masters could do this. However, project reporters can
manage project labels, so there doesn't seem to be any need to restrict group
labels further.
Also, save a query or two by getting a single GroupMember object to find out if
the user is a master or not.
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/group_policy.rb | 17 |
1 files changed, 10 insertions, 7 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 87398303c68..fb07298c6c2 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -4,22 +4,25 @@ class GroupPolicy < BasePolicy return unless @user globally_viewable = @subject.public? || (@subject.internal? && !@user.external?) - member = @subject.users_with_parents.include?(@user) - owner = @user.admin? || @subject.has_owner?(@user) - master = owner || @subject.has_master?(@user) + access_level = @subject.max_member_access_for_user(@user) + owner = access_level >= GroupMember::OWNER + master = access_level >= GroupMember::MASTER + reporter = access_level >= GroupMember::REPORTER can_read = false can_read ||= globally_viewable - can_read ||= member - can_read ||= @user.admin? + can_read ||= access_level >= GroupMember::GUEST can_read ||= GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any? can! :read_group if can_read + if reporter + can! :admin_label + end + # Only group masters and group owners can create new projects if master can! :create_projects can! :admin_milestones - can! :admin_label end # Only group owner and administrators can admin group @@ -31,7 +34,7 @@ class GroupPolicy < BasePolicy can! :create_subgroup if @user.can_create_group end - if globally_viewable && @subject.request_access_enabled && !member + if globally_viewable && @subject.request_access_enabled && access_level == GroupMember::NO_ACCESS can! :request_access end end |