From 1f7328f8ee6a86b1c8e50b7451450e90d78b9424 Mon Sep 17 00:00:00 2001
From: James Edwards-Jones
Date: Fri, 23 Mar 2018 18:24:06 +0000
Subject: Branch unprotection restriction starting point Explored Policy framework to create something I can use as a starting point.
---
app/policies/protected_branch_policy.rb | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 app/policies/protected_branch_policy.rb
(limited to 'app/policies/protected_branch_policy.rb')
diff --git a/app/policies/protected_branch_policy.rb b/app/policies/protected_branch_policy.rb
new file mode 100644
index 00000000000..8d44cff1b42
--- /dev/null
+++ b/app/policies/protected_branch_policy.rb
@@ -0,0 +1,15 @@
+class ProtectedBranchPolicy < BasePolicy
+ delegate { @subject.project }
+
+ condition(:requires_admin_to_unprotect?, scope: :subject) do
+ @subject.name == 'master' && Gitlab::CurrentSettings.only_admins_can_unprotect_master_branch?
+ end
+
+ rule { can?(:admin_project) }.policy do
+ enable :update_protected_branch
+ end
+
+ rule { requires_admin_to_unprotect? & ~admin }.policy do
+ prevent :update_protected_branch
+ end
+end
--
cgit v1.2.1
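Review bot: The `requires_admin_to_unprotect?` condition compares `@subject.name` with the literal `'master'`, so the `prevent :update_protected_branch` rule only fires for an entry named exactly that. If protected-branch entries can be wildcard patterns, or a project's default branch has another name, the admin-only restriction would presumably not apply to them. Comparing against the project's default branch with the model's own pattern matching would close that gap; until then, a comment above the condition such as `# NOTE: exact-name match only; wildcard entries that cover master are not restricted` would make the limit explicit. The rule also blocks every `:update_protected_branch` action rather than only unprotection, and this patch does not show whether the unprotect path authorizes against this policy or against the project-level `admin_project` ability. No spec accompanies the new policy, so a test covering the admin case, the non-admin case and the setting being off would pin the intended behaviour.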