diff options
Diffstat (limited to 'app/policies/project_snippet_policy.rb')
| -rw-r--r-- | app/policies/project_snippet_policy.rb | 37 |
1 files changed, 17 insertions, 20 deletions
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb index a9094fbd958..a38d9154102 100644 --- a/app/policies/project_snippet_policy.rb +++ b/app/policies/project_snippet_policy.rb @@ -14,44 +14,41 @@ class ProjectSnippetPolicy < BasePolicy # We have to check both project feature visibility and a snippet visibility and take the stricter one # This will be simplified - check https://gitlab.com/gitlab-org/gitlab-foss/issues/27573 rule { ~can?(:read_project) }.policy do - prevent :read_project_snippet - prevent :update_project_snippet - prevent :admin_project_snippet + prevent :read_snippet + prevent :update_snippet + prevent :admin_snippet end - # we have to use this complicated prevent because the delegated project policy - # is overly greedy in allowing :read_project_snippet, since it doesn't have any - # information about the snippet. However, :read_project_snippet on the *project* - # is used to hide/show various snippet-related controls, so we can't just move - # all of the handling here. + # we have to use this complicated prevent because the delegated project + # policy is overly greedy in allowing :read_snippet, since it doesn't have + # any information about the snippet. However, :read_snippet on the *project* + # is used to hide/show various snippet-related controls, so we can't just + # move all of the handling here. rule do all?(private_snippet | (internal_snippet & external_user), ~project.guest, ~is_author, ~can?(:read_all_resources)) - end.prevent :read_project_snippet + end.prevent :read_snippet rule { internal_snippet & ~is_author & ~admin }.policy do - prevent :update_project_snippet - prevent :admin_project_snippet + prevent :update_snippet + prevent :admin_snippet end - rule { public_snippet }.enable :read_project_snippet + rule { public_snippet }.enable :read_snippet rule { is_author & ~project.reporter & ~admin }.policy do - prevent :admin_project_snippet + prevent :admin_snippet end rule { is_author | admin }.policy do - enable :read_project_snippet - enable :update_project_snippet - enable :admin_project_snippet + enable :read_snippet + enable :update_snippet + enable :admin_snippet end - rule { ~can?(:read_project_snippet) }.prevent :create_note - - # Aliasing the ability to ease GraphQL permissions check - rule { can?(:read_project_snippet) }.enable :read_snippet + rule { ~can?(:read_snippet) }.prevent :create_note end ProjectSnippetPolicy.prepend_if_ee('EE::ProjectSnippetPolicy') |