summaryrefslogtreecommitdiff
path: root/app/models/ability.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/models/ability.rb')
-rw-r--r--app/models/ability.rb276
1 files changed, 0 insertions, 276 deletions
diff --git a/app/models/ability.rb b/app/models/ability.rb
deleted file mode 100644
index 85a15596f8d..00000000000
--- a/app/models/ability.rb
+++ /dev/null
@@ -1,276 +0,0 @@
-class Ability
- class << self
- def allowed(user, subject)
- return not_auth_abilities(user, subject) if user.nil?
- return [] unless user.kind_of?(User)
- return [] if user.blocked?
-
- case subject.class.name
- when "Project" then project_abilities(user, subject)
- when "Issue" then issue_abilities(user, subject)
- when "Note" then note_abilities(user, subject)
- when "ProjectSnippet" then project_snippet_abilities(user, subject)
- when "PersonalSnippet" then personal_snippet_abilities(user, subject)
- when "MergeRequest" then merge_request_abilities(user, subject)
- when "Group" then group_abilities(user, subject)
- when "Namespace" then namespace_abilities(user, subject)
- when "GroupMember" then group_member_abilities(user, subject)
- else []
- end.concat(global_abilities(user))
- end
-
- # List of possible abilities
- # for non-authenticated user
- def not_auth_abilities(user, subject)
- project = if subject.kind_of?(Project)
- subject
- elsif subject.respond_to?(:project)
- subject.project
- else
- nil
- end
-
- if project && project.public?
- [
- :read_project,
- :read_wiki,
- :read_issue,
- :read_milestone,
- :read_project_snippet,
- :read_project_member,
- :read_merge_request,
- :read_note,
- :download_code
- ]
- else
- group = if subject.kind_of?(Group)
- subject
- elsif subject.respond_to?(:group)
- subject.group
- else
- nil
- end
-
- if group && group.public_profile?
- [:read_group]
- else
- []
- end
- end
- end
-
- def global_abilities(user)
- rules = []
- rules << :create_group if user.can_create_group
- rules
- end
-
- def project_abilities(user, project)
- rules = []
- key = "/user/#{user.id}/project/#{project.id}"
- RequestStore.store[key] ||= begin
- team = project.team
-
- # Rules based on role in project
- if team.master?(user)
- rules.push(*project_master_rules)
-
- elsif team.developer?(user)
- rules.push(*project_dev_rules)
-
- elsif team.reporter?(user)
- rules.push(*project_report_rules)
-
- elsif team.guest?(user)
- rules.push(*project_guest_rules)
- end
-
- if project.public? || project.internal?
- rules.push(*public_project_rules)
- end
-
- if project.owner == user || user.admin?
- rules.push(*project_admin_rules)
- end
-
- if project.group && project.group.has_owner?(user)
- rules.push(*project_admin_rules)
- end
-
- if project.archived?
- rules -= project_archived_rules
- end
-
- rules
- end
- end
-
- def public_project_rules
- project_guest_rules + [
- :download_code,
- :fork_project
- ]
- end
-
- def project_guest_rules
- [
- :read_project,
- :read_wiki,
- :read_issue,
- :read_milestone,
- :read_project_snippet,
- :read_project_member,
- :read_merge_request,
- :read_note,
- :write_project,
- :write_issue,
- :write_note
- ]
- end
-
- def project_report_rules
- project_guest_rules + [
- :download_code,
- :fork_project,
- :write_project_snippet
- ]
- end
-
- def project_dev_rules
- project_report_rules + [
- :write_merge_request,
- :write_wiki,
- :modify_issue,
- :admin_issue,
- :admin_label,
- :push_code
- ]
- end
-
- def project_archived_rules
- [
- :write_merge_request,
- :push_code,
- :push_code_to_protected_branches,
- :modify_merge_request,
- :admin_merge_request
- ]
- end
-
- def project_master_rules
- project_dev_rules + [
- :push_code_to_protected_branches,
- :modify_issue,
- :modify_project_snippet,
- :modify_merge_request,
- :admin_issue,
- :admin_milestone,
- :admin_project_snippet,
- :admin_project_member,
- :admin_merge_request,
- :admin_note,
- :admin_wiki,
- :admin_project
- ]
- end
-
- def project_admin_rules
- project_master_rules + [
- :change_namespace,
- :change_visibility_level,
- :rename_project,
- :remove_project,
- :archive_project
- ]
- end
-
- def group_abilities(user, group)
- rules = []
-
- if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
- rules << :read_group
- end
-
- # Only group masters and group owners can create new projects in group
- if group.has_master?(user) || group.has_owner?(user) || user.admin?
- rules.push(*[
- :create_projects,
- ])
- end
-
- # Only group owner and administrators can admin group
- if group.has_owner?(user) || user.admin?
- rules.push(*[
- :admin_group,
- :admin_namespace
- ])
- end
-
- rules.flatten
- end
-
- def namespace_abilities(user, namespace)
- rules = []
-
- # Only namespace owner and administrators can admin it
- if namespace.owner == user || user.admin?
- rules.push(*[
- :create_projects,
- :admin_namespace
- ])
- end
-
- rules.flatten
- end
-
- [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
- define_method "#{name}_abilities" do |user, subject|
- if subject.author == user || user.is_admin?
- rules = [
- :"read_#{name}",
- :"write_#{name}",
- :"modify_#{name}",
- :"admin_#{name}"
- ]
- rules.push(:change_visibility_level) if subject.is_a?(Snippet)
- rules
- elsif subject.respond_to?(:assignee) && subject.assignee == user
- [
- :"read_#{name}",
- :"write_#{name}",
- :"modify_#{name}",
- ]
- else
- if subject.respond_to?(:project)
- project_abilities(user, subject.project)
- else
- []
- end
- end
- end
- end
-
- def group_member_abilities(user, subject)
- rules = []
- target_user = subject.user
- group = subject.group
- can_manage = group_abilities(user, group).include?(:admin_group)
- if can_manage && (user != target_user)
- rules << :modify_group_member
- rules << :destroy_group_member
- end
- if !group.last_owner?(user) && (can_manage || (user == target_user))
- rules << :destroy_group_member
- end
- rules
- end
-
- def abilities
- @abilities ||= begin
- abilities = Six.new
- abilities << self
- abilities
- end
- end
- end
-end
View Lorry Controller Status