port runners, namespaces, group/project_members

4 files changed, 42 insertions, 58 deletions

diff --git a/app/models/ability.rb b/app/models/ability.rb
index 794fb1223e3..7c4210f0706 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -73,12 +73,8 @@ class Ability
 
     def abilities_by_subject_class(user:, subject:)
       case subject
-      when Namespace then namespace_abilities(user, subject)
-      when GroupMember then group_member_abilities(user, subject)
-      when ProjectMember then project_member_abilities(user, subject)
       when User then user_abilities
       when ExternalIssue, Deployment, Environment then project_abilities(user, subject.project)
-      when Ci::Runner then runner_abilities(user, subject)
       else []
       end + global_abilities(user)
     end
@@ -112,48 +108,6 @@ class Ability
       ProjectPolicy.abilities(user, project).to_a
     end
 
-    def can_read_group?(user, group)
-      return true if user.admin?
-      return true if group.public?
-      return true if group.internal? && !user.external?
-      return true if group.users.include?(user)
-
-      GroupProjectsFinder.new(group).execute(user).any?
-    end
-
-    def namespace_abilities(user, namespace)
-      rules = []
-
-      # Only namespace owner and administrators can admin it
-      if namespace.owner == user || user.admin?
-        rules += [
-          :create_projects,
-          :admin_namespace
-        ]
-      end
-
-      rules.flatten
-    end
-
-    def group_member_abilities(user, subject)
-      rules = []
-      target_user = subject.user
-      group = subject.group
-
-      unless group.last_owner?(target_user)
-        can_manage = allowed?(user, :admin_group_member, group)
-
-        if can_manage
-          rules << :update_group_member
-          rules << :destroy_group_member
-        elsif user == target_user
-          rules << :destroy_group_member
-        end
-      end
-
-      rules
-    end
-
     def project_member_abilities(user, subject)
       rules = []
       target_user = subject.user
@@ -182,18 +136,6 @@ class Ability
       rules
     end
 
-    def runner_abilities(user, runner)
-      if user.is_admin?
-        [:assign_runner]
-      elsif runner.is_shared? || runner.locked?
-        []
-      elsif user.ci_authorized_runners.include?(runner)
-        [:assign_runner]
-      else
-        []
-      end
-    end
-
     def user_abilities
       [:read_user]
     end
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
new file mode 100644
index 00000000000..7edd383530d
--- /dev/null
+++ b/app/policies/ci/runner_policy.rb
@@ -0,0 +1,13 @@
+module Ci
+  class RunnerPolicy < BasePolicy
+    def rules
+      return unless @user
+
+      can! :assign_runner if @user.is_admin?
+
+      return if @subject.is_shared? || @subject.locked?
+
+      can! :assign_runner if @user.ci_authorized_runners.include?(@subject)
+    end
+  end
+end
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
new file mode 100644
index 00000000000..62335527654
--- /dev/null
+++ b/app/policies/group_member_policy.rb
@@ -0,0 +1,19 @@
+class GroupMemberPolicy < BasePolicy
+  def rules
+    return unless @user
+
+    target_user = @subject.user
+    group = @subject.group
+
+    return if group.last_owner?(target_user)
+
+    can_manage = Ability.allowed?(@user, :admin_group_member, group)
+
+    if can_manage
+      can! :update_group_member
+      can! :destroy_group_member
+    elsif @user == target_user
+      can! :destroy_group_member
+    end
+  end
+end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
new file mode 100644
index 00000000000..29bb357e00a
--- /dev/null
+++ b/app/policies/namespace_policy.rb
@@ -0,0 +1,10 @@
+class NamespacePolicy < BasePolicy
+  def rules
+    return unless @user
+
+    if @subject.owner == @user || @user.admin?
+      can! :create_projects
+      can! :admin_namespace
+    end
+  end
+end