From ccfa032ebc101339c1c0842d0fbeb5b555db9278 Mon Sep 17 00:00:00 2001
From: "http://jneen.net/" <jneen@jneen.net>
Date: Tue, 16 Aug 2016 16:28:47 -0700
Subject: port groups

---
 app/policies/group_policy.rb | 45 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 app/policies/group_policy.rb

(limited to 'app/policies/group_policy.rb')

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
new file mode 100644
index 00000000000..97ff6233968
--- /dev/null
+++ b/app/policies/group_policy.rb
@@ -0,0 +1,45 @@
+class GroupPolicy < BasePolicy
+  def rules
+    can! :read_group if @subject.public?
+    return unless @user
+
+    globally_viewable = @subject.public? || (@subject.internal? && !@user.external?)
+    member = @subject.users.include?(@user)
+    owner = @user.admin? || @subject.has_owner?(@user)
+    master = owner || @subject.has_master?(@user)
+
+    can_read = false
+    can_read ||= globally_viewable
+    can_read ||= member
+    can_read ||= @user.admin?
+    can_read ||= GroupProjectsFinder.new(@subject).execute(@user).any?
+    can! :read_group if can_read
+
+    # Only group masters and group owners can create new projects
+    if master
+      can! :create_projects
+      can! :admin_milestones
+    end
+
+    # Only group owner and administrators can admin group
+    if owner
+      can! :admin_group
+      can! :admin_namespace
+      can! :admin_group_member
+      can! :change_visibility_level
+    end
+
+    if globally_viewable && @subject.request_access_enabled && !member
+      can! :request_access
+    end
+  end
+
+  def can_read_group?
+    return true if @subject.public?
+    return true if @user.admin?
+    return true if @subject.internal? && !@user.external?
+    return true if @subject.users.include?(@user)
+
+    GroupProjectsFinder.new(@subject).execute(@user).any?
+  end
+end
-- 
cgit v1.2.1