From 16fe6dc7b159a0e6b68a586065de1f95d6acecfa Mon Sep 17 00:00:00 2001 From: "http://jneen.net/" Date: Tue, 16 Aug 2016 12:05:44 -0700 Subject: port CommitStatus/Build --- app/policies/base_policy.rb | 4 ++++ app/policies/ci/build_policy.rb | 13 +++++++++++++ app/policies/commit_status_policy.rb | 5 +++++ 3 files changed, 22 insertions(+) create mode 100644 app/policies/ci/build_policy.rb create mode 100644 app/policies/commit_status_policy.rb (limited to 'app/policies') diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index fd5d05a1bd1..e1757d97e89 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -30,6 +30,10 @@ class BasePolicy @can.merge(BasePolicy.class_for(new_subject).abilities(@user, new_subject)) end + def can?(rule) + @can.include?(rule) && !@cannot.include?(rule) + end + def can!(*rules) @can.merge(rules) end diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb new file mode 100644 index 00000000000..2232e231cf8 --- /dev/null +++ b/app/policies/ci/build_policy.rb @@ -0,0 +1,13 @@ +module Ci + class BuildPolicy < CommitStatusPolicy + def rules + super + + # If we can't read build we should also not have that + # ability when looking at this in context of commit_status + %w(read create update admin).each do |rule| + cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build" + end + end + end +end diff --git a/app/policies/commit_status_policy.rb b/app/policies/commit_status_policy.rb new file mode 100644 index 00000000000..593df738328 --- /dev/null +++ b/app/policies/commit_status_policy.rb @@ -0,0 +1,5 @@ +class CommitStatusPolicy < BasePolicy + def rules + delegate! @subject.project + end +end -- cgit v1.2.1