class DeployKeyPolicy < BasePolicy with_options scope: :subject, score: 0 condition(:private_deploy_key) { @subject.private? } condition(:has_deploy_key) { @user.project_deploy_keys.exists?(id: @subject.id) } rule { anonymous }.prevent_all rule { admin }.enable :update_deploy_key rule { private_deploy_key & has_deploy_key }.enable :update_deploy_key end