diff options
| author | Robert Speicher <robert@gitlab.com> | 2016-08-31 20:53:40 +0000 |
|---|---|---|
| committer | Robert Speicher <robert@gitlab.com> | 2016-08-31 20:53:40 +0000 |
| commit | e71cd7a300017cf85e16de3b1c68fdb25c3a4b4d (patch) | |
| tree | d38382dae7c95938510bae75080c3816df7544a0 /lib | |
| parent | 177cc4e4cbde21e8b56a9f3e0104d6319d79e6cc (diff) | |
| parent | b105dc791df07bab0d5349c63cb73c7b3ee8212c (diff) | |
| download | gitlab-ce-e71cd7a300017cf85e16de3b1c68fdb25c3a4b4d.tar.gz | |
Merge branch 'refactor/add-policies' into 'master'
Refactor ability.rb into Policies
## What does this MR do?
Factors out `ability.rb` into a new abstraction - the "policy" (stored in `app/policies`). A policy is a class named `#{class_name}Policy` (looked up automatically as needed) that implements `rules` as follows:
``` ruby
class ThingPolicy < BasePolicy
def rules
@user # this is a user to determine abilities for, optionally nil in the anonymous case
@subject # this is the subject of the ability, guaranteed to be an instance of `Thing`
can! :some_ability # grant the :some_ability permission
cannot! :some_ability # ensure that :some_ability is not allowed. this overrides any `can!` that is called before or after
delegate! @subject.other_thing # merge the abilities (can!) and prohibitions (cannot!) from `@subject.other_thing`
can? :some_ability # test whether, so far, :some_ability is allowed
end
def anonymous_rules
# optional. if not implemented `rules` is called where `@user` is nil. otherwise this method is called when `@user` is nil.
end
end
```
See merge request !5796
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/api/groups.rb | 2 | ||||
| -rw-r--r-- | lib/api/helpers.rb | 12 | ||||
| -rw-r--r-- | lib/banzai/reference_parser/base_parser.rb | 2 |
3 files changed, 4 insertions, 12 deletions
diff --git a/lib/api/groups.rb b/lib/api/groups.rb index 9d8b8d737a9..f981ec0dbfe 100644 --- a/lib/api/groups.rb +++ b/lib/api/groups.rb @@ -30,7 +30,7 @@ module API # Example Request: # POST /groups post do - authorize! :create_group, current_user + authorize! :create_group required_attributes! [:name, :path] attrs = attributes_for_keys [:name, :path, :description, :visibility_level] diff --git a/lib/api/helpers.rb b/lib/api/helpers.rb index da4b1bf9902..6a20ba95a79 100644 --- a/lib/api/helpers.rb +++ b/lib/api/helpers.rb @@ -129,7 +129,7 @@ module API forbidden! unless current_user.is_admin? end - def authorize!(action, subject) + def authorize!(action, subject = nil) forbidden! unless can?(current_user, action, subject) end @@ -148,7 +148,7 @@ module API end def can?(object, action, subject) - abilities.allowed?(object, action, subject) + Ability.allowed?(object, action, subject) end # Checks the occurrences of required attributes, each attribute must be present in the params hash @@ -408,14 +408,6 @@ module API links.join(', ') end - def abilities - @abilities ||= begin - abilities = Six.new - abilities << Ability - abilities - end - end - def secret_token File.read(Gitlab.config.gitlab_shell.secret_file).chomp end diff --git a/lib/banzai/reference_parser/base_parser.rb b/lib/banzai/reference_parser/base_parser.rb index 6cf218aaa0d..e8e03e4a98f 100644 --- a/lib/banzai/reference_parser/base_parser.rb +++ b/lib/banzai/reference_parser/base_parser.rb @@ -211,7 +211,7 @@ module Banzai end def can?(user, permission, subject) - Ability.abilities.allowed?(user, permission, subject) + Ability.allowed?(user, permission, subject) end def find_projects_for_hash_keys(hash) |