app/policies/identity_provider_policy.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

# frozen_string_literal: true

class IdentityProviderPolicy < BasePolicy
  desc "Provider is SAML or CAS3"
  condition(:protected_provider, scope: :subject, score: 0) { %w(saml cas3).include?(@subject.to_s) }

  rule { anonymous }.prevent_all

  rule { default }.policy do
    enable :unlink
    enable :link
  end

  rule { protected_provider }.prevent(:unlink)
end

IdentityProviderPolicy.prepend_if_ee('EE::IdentityProviderPolicy')