app/policies/ci/job_artifact_policy.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

# frozen_string_literal: true

module Ci
  class JobArtifactPolicy < BasePolicy
    delegate { @subject.job.project }

    condition(:public_access, scope: :subject) do
      @subject.public_access?
    end

    condition(:can_read_project_build, scope: :subject) do
      can?(:read_build, @subject.job.project)
    end

    condition(:has_access_to_project) do
      can?(:developer_access, @subject.job.project)
    end

    rule { can_read_project_build }.enable :read_job_artifacts
    rule { ~public_access & ~has_access_to_project }.prevent :read_job_artifacts
  end
end