class ProjectPolicy < BasePolicy def self.create_read_update_admin(name) [ :"create_#{name}", :"read_#{name}", :"update_#{name}", :"admin_#{name}" ] end desc "User is a project owner" condition :owner do @user && project.owner == @user || (project.group && project.group.has_owner?(@user)) end desc "Project has public builds enabled" condition(:public_builds, scope: :subject) { project.public_builds? } # For guest access we use #is_team_member? so we can use # project.members, which gets cached in subject scope. # This is safe because team_access_level is guaranteed # by ProjectAuthorization's validation to be at minimum # GUEST desc "User has guest access" condition(:guest) { is_team_member? } desc "User has reporter access" condition(:reporter) { team_access_level >= Gitlab::Access::REPORTER } desc "User has developer access" condition(:developer) { team_access_level >= Gitlab::Access::DEVELOPER } desc "User has master access" condition(:master) { team_access_level >= Gitlab::Access::MASTER } desc "Project is public" condition(:public_project, scope: :subject) { project.public? } desc "Project is visible to internal users" condition(:internal_access) do project.internal? && !user.external? end desc "User is a member of the group" condition(:group_member, scope: :subject) { project_group_member? } desc "Project is archived" condition(:archived, scope: :subject) { project.archived? } condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? } desc "Container registry is disabled" condition(:container_registry_disabled, scope: :subject) do !project.container_registry_enabled end desc "Project has an external wiki" condition(:has_external_wiki, scope: :subject) { project.has_external_wiki? } desc "Project has request access enabled" condition(:request_access_enabled, scope: :subject) { project.request_access_enabled } features = %w[ merge_requests issues repository snippets wiki builds ] features.each do |f| # these are scored high because they are unlikely desc "Project has #{f} disabled" condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) } end rule { guest }.enable :guest_access rule { reporter }.enable :reporter_access rule { developer }.enable :developer_access rule { master }.enable :master_access rule { owner | admin }.policy do enable :guest_access enable :reporter_access enable :developer_access enable :master_access enable :change_namespace enable :change_visibility_level enable :rename_project enable :remove_project enable :archive_project enable :remove_fork_project enable :destroy_merge_request enable :destroy_issue enable :remove_pages end rule { owner | reporter }.policy do enable :build_download_code enable :build_read_container_image end rule { can?(:guest_access) }.policy do enable :read_project enable :read_board enable :read_list enable :read_wiki enable :read_issue enable :read_label enable :read_milestone enable :read_project_snippet enable :read_project_member enable :read_note enable :create_project enable :create_issue enable :create_note enable :upload_file enable :read_cycle_analytics enable :read_project_snippet end rule { can?(:reporter_access) }.policy do enable :download_code enable :download_wiki_code enable :fork_project enable :create_project_snippet enable :update_issue enable :admin_issue enable :admin_label enable :admin_list enable :read_commit_status enable :read_build enable :read_container_image enable :read_pipeline enable :read_pipeline_schedule enable :read_environment enable :read_deployment enable :read_merge_request end rule { (~anonymous & public_project) | internal_access }.policy do enable :public_user_access end rule { can?(:public_user_access) }.policy do enable :guest_access enable :request_access end rule { owner | admin | guest | group_member }.prevent :request_access rule { ~request_access_enabled }.prevent :request_access rule { can?(:developer_access) }.policy do enable :admin_merge_request enable :update_merge_request enable :create_commit_status enable :update_commit_status enable :create_build enable :update_build enable :create_pipeline enable :update_pipeline enable :create_pipeline_schedule enable :update_pipeline_schedule enable :create_merge_request enable :create_wiki enable :push_code enable :resolve_note enable :create_container_image enable :update_container_image enable :create_environment enable :create_deployment end rule { can?(:master_access) }.policy do enable :delete_protected_branch enable :update_project_snippet enable :update_environment enable :update_deployment enable :admin_milestone enable :admin_project_snippet enable :admin_project_member enable :admin_note enable :admin_wiki enable :admin_project enable :admin_commit_status enable :admin_build enable :admin_container_image enable :admin_pipeline enable :admin_pipeline_schedule enable :admin_environment enable :admin_deployment enable :admin_pages enable :read_pages enable :update_pages end rule { can?(:public_user_access) }.policy do enable :public_access enable :fork_project enable :build_download_code enable :build_read_container_image end rule { archived }.policy do prevent :create_merge_request prevent :push_code prevent :delete_protected_branch prevent :update_merge_request prevent :admin_merge_request end rule { merge_requests_disabled | repository_disabled }.policy do prevent(*create_read_update_admin(:merge_request)) end rule { issues_disabled & merge_requests_disabled }.policy do prevent(*create_read_update_admin(:label)) prevent(*create_read_update_admin(:milestone)) end rule { snippets_disabled }.policy do prevent(*create_read_update_admin(:project_snippet)) end rule { wiki_disabled & ~has_external_wiki }.policy do prevent(*create_read_update_admin(:wiki)) prevent(:download_wiki_code) end rule { builds_disabled | repository_disabled }.policy do prevent(*create_read_update_admin(:build)) prevent(*(create_read_update_admin(:pipeline) - [:read_pipeline])) prevent(*create_read_update_admin(:pipeline_schedule)) prevent(*create_read_update_admin(:environment)) prevent(*create_read_update_admin(:deployment)) end rule { repository_disabled }.policy do prevent :push_code prevent :push_code_to_protected_branches prevent :download_code prevent :fork_project prevent :read_commit_status end rule { container_registry_disabled }.policy do prevent(*create_read_update_admin(:container_image)) end rule { anonymous & ~public_project }.prevent_all rule { public_project }.enable(:public_access) rule { can?(:public_access) }.policy do enable :read_project enable :read_board enable :read_list enable :read_wiki enable :read_label enable :read_milestone enable :read_project_snippet enable :read_project_member enable :read_merge_request enable :read_note enable :read_pipeline enable :read_pipeline_schedule enable :read_commit_status enable :read_container_image enable :download_code enable :download_wiki_code enable :read_cycle_analytics # NOTE: may be overridden by IssuePolicy enable :read_issue end rule { public_builds }.policy do enable :read_build end rule { public_builds & can?(:guest_access) }.policy do enable :read_pipeline enable :read_pipeline_schedule end rule { issues_disabled }.policy do prevent :create_issue prevent :update_issue prevent :admin_issue end rule { issues_disabled & default_issues_tracker }.policy do prevent :read_issue end private def is_team_member? return false if @user.nil? greedy_load_subject = false # when scoping by subject, we want to be greedy # and load *all* the members with one query. greedy_load_subject ||= DeclarativePolicy.preferred_scope == :subject # in this case we're likely to have loaded #members already # anyways, and #member? would fail with an error greedy_load_subject ||= !@user.persisted? if greedy_load_subject project.team.members.include?(user) else # otherwise we just make a specific query for # this particular user. team_access_level >= Gitlab::Access::GUEST end end def project_group_member? return false if @user.nil? project.group && ( project.group.members_with_parents.exists?(user_id: @user.id) || project.group.requesters.exists?(user_id: @user.id) ) end def team_access_level return -1 if @user.nil? # NOTE: max_member_access has its own cache project.team.max_member_access(@user.id) end def feature_available?(feature) case project.project_feature.access_level(feature) when ProjectFeature::DISABLED false when ProjectFeature::PRIVATE guest? || admin? else true end end def project @subject end end