From 505dc808b3c0dc98413506446d368b91b56ff682 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Mon, 8 Aug 2016 12:01:25 +0200
Subject: Use a permissions of user to access all dependent projects from CI jobs (this also includes a container images, and in future LFS files)
---
 app/policies/project_policy.rb | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
(limited to 'app/policies')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index acf36d422d1..cda83bcc74a 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -64,6 +64,12 @@ class ProjectPolicy < BasePolicy
 can! :read_deployment
 end
+ # Permissions given when an user is direct member of a group
+ def restricted_reporter_access!
+ can! :restricted_download_code
+ can! :restricted_read_container_image
+ end
+
 def developer_access!
 can! :admin_merge_request
 can! :update_merge_request
@@ -130,10 +136,11 @@ class ProjectPolicy < BasePolicy
 def team_access!(user)
 access = project.team.max_member_access(user.id)
- guest_access! if access >= Gitlab::Access::GUEST
- reporter_access! if access >= Gitlab::Access::REPORTER
- developer_access! if access >= Gitlab::Access::DEVELOPER
- master_access! if access >= Gitlab::Access::MASTER
+ guest_access! if access >= Gitlab::Access::GUEST
+ reporter_access! if access >= Gitlab::Access::REPORTER
+ restricted_reporter_access! if access >= Gitlab::Access::REPORTER
+ developer_access! if access >= Gitlab::Access::DEVELOPER
+ master_access! if access >= Gitlab::Access::MASTER
 end
 def archived_access!
-- cgit v1.2.1
From 6b381f3fdf00c7eeb971f365bde2a41f0cecf944 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Thu, 15 Sep 2016 10:34:53 +0200
Subject: Use `build_read_container_image` and use `build_download_code`
---
 app/policies/project_policy.rb | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
(limited to 'app/policies')
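Review bot: Nothing at `restricted_reporter_access!` or at its call in the `team_access!` hunk says why these two abilities are split from `reporter_access!`, which is invoked under the identical `access >= Gitlab::Access::REPORTER` condition on the line before. Judging by the commit subject they appear to be the abilities a CI job is checked against when it runs with the triggering user's permissions, so where they are granted is an authorization decision that a later refactor could undo by folding the two methods together. I would document that at the definition, e.g. `# Abilities checked when a CI job acts with this user's permissions; granted through team_access! at Reporter level and above` (the first half is inferred and should be confirmed). Both `ProjectPolicy` and `team_access!` continue outside the hunks shown.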
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index cda83bcc74a..ce686af2ade 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -65,9 +65,9 @@ class ProjectPolicy < BasePolicy
 end
 # Permissions given when an user is direct member of a group
- def restricted_reporter_access!
- can! :restricted_download_code
- can! :restricted_read_container_image
+ def team_member_reporter_access!
+ can! :build_download_code
+ can! :build_read_container_image
 end
 def developer_access!
@@ -115,6 +115,8 @@ class ProjectPolicy < BasePolicy
 can! :read_commit_status
 can! :read_pipeline
 can! :read_container_image
+ can! :build_download_code
+ can! :build_read_container_image
 end
 def owner_access!
@@ -136,11 +138,11 @@ class ProjectPolicy < BasePolicy
 def team_access!(user)
 access = project.team.max_member_access(user.id)
- guest_access! if access >= Gitlab::Access::GUEST
- reporter_access! if access >= Gitlab::Access::REPORTER
- restricted_reporter_access! if access >= Gitlab::Access::REPORTER
- developer_access! if access >= Gitlab::Access::DEVELOPER
- master_access! if access >= Gitlab::Access::MASTER
+ guest_access! if access >= Gitlab::Access::GUEST
+ reporter_access! if access >= Gitlab::Access::REPORTER
+ team_member_reporter_access! if access >= Gitlab::Access::REPORTER
+ developer_access! if access >= Gitlab::Access::DEVELOPER
+ master_access! if access >= Gitlab::Access::MASTER
 end
 def archived_access!
-- cgit v1.2.1
From 9d8afa222c678a2222f5219458759897089d7dad Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Fri, 16 Sep 2016 12:46:33 +0200
Subject: Improve code comments
---
 app/policies/project_policy.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'app/policies')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index ce686af2ade..00c4c7b1440 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
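Review bot: In the second hunk (`@@ -115,6 +115,8 @@`) the added `can! :build_download_code` and `can! :build_read_container_image` lines land in a grant block whose `def` line lies above the hunk, so the hunk does not show who receives them; the block already grants `:read_container_image` and sits directly before `owner_access!`. If that block is reached through project visibility rather than membership (not determinable from here), a CI job could pass the `build_*` checks on projects where its user is not a team member, which is broader than what the comment on `team_member_reporter_access!` describes. I would state the intent at the added lines, e.g. `# build_* is also granted here so CI jobs can fetch from projects the user can already read without membership`, and back it with a policy spec asserting that a non-member gets neither ability on a private project.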
@@ -64,7 +64,7 @@ class ProjectPolicy < BasePolicy
 can! :read_deployment
 end
- # Permissions given when an user is direct member of a group
+ # Permissions given when an user is team member of a project
 def team_member_reporter_access!
 can! :build_download_code
 can! :build_read_container_image
-- cgit v1.2.1
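Review bot: The reworded comment is still ungrammatical ("an user is team member") and omits the access level, although `team_access!` in the previous patch on this page calls `team_member_reporter_access!` only when `access >= Gitlab::Access::REPORTER`. Suggested wording: `# Permissions granted when the user is a team member of the project (Reporter or above)`. The method's closing `end` lies outside the hunk.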