lib/gitlab/visibility_level_checker.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88

# frozen_string_literal: true

# Gitlab::VisibilityLevelChecker verifies that:
#   - Current @project.visibility_level is not restricted
#   - Override visibility param is not restricted
#     - @see https://docs.gitlab.com/ee/api/project_import_export.html#import-a-file
#
# @param current_user [User] Current user object to verify visibility level against
# @param project [Project] Current project that is being created/imported
# @param project_params [Hash] Supplementary project params (e.g. import
# params containing visibility override)
#
# @example
#   user = User.find(2)
#   project = Project.last
#   project_params = {:import_data=>{:data=>{:override_params=>{"visibility"=>"public"}}}}
#   level_checker = Gitlab::VisibilityLevelChecker.new(user, project, project_params: project_params)
#
#   project_visibility = level_checker.level_restricted?
#   => #<Gitlab::VisibilityEvaluationResult:0x00007fbe16ee33c0 @restricted=true, @visibility_level=20>
#
#   if project_visibility.restricted?
#     deny_visibility_level(project, project_visibility.visibility_level)
#   end
#
# @return [VisibilityEvaluationResult] Visibility evaluation result. Responds to:
# #restricted - boolean indicating if level is restricted
# #visibility_level - integer of restricted visibility level
#
module Gitlab
  class VisibilityLevelChecker
    def initialize(current_user, project, project_params: {})
      @current_user   = current_user
      @project        = project
      @project_params = project_params
    end

    def level_restricted?
      return VisibilityEvaluationResult.new(true, override_visibility_level_value) if override_visibility_restricted?
      return VisibilityEvaluationResult.new(true, project.visibility_level) if project_visibility_restricted?

      VisibilityEvaluationResult.new(false, nil)
    end

    private

    attr_reader :current_user, :project, :project_params

    def override_visibility_restricted?
      return unless import_data
      return unless override_visibility_level
      return if Gitlab::VisibilityLevel.allowed_for?(current_user, override_visibility_level_value)

      true
    end

    def project_visibility_restricted?
      return if Gitlab::VisibilityLevel.allowed_for?(current_user, project.visibility_level)

      true
    end

    def import_data
      @import_data ||= project_params[:import_data]
    end

    def override_visibility_level
      @override_visibility_level ||= import_data.deep_symbolize_keys.dig(:data, :override_params, :visibility)
    end

    def override_visibility_level_value
      @override_visibility_level_value ||= Gitlab::VisibilityLevel.level_value(override_visibility_level)
    end
  end

  class VisibilityEvaluationResult
    attr_reader :visibility_level

    def initialize(restricted, visibility_level)
      @restricted = restricted
      @visibility_level = visibility_level
    end

    def restricted?
      @restricted
    end
  end
end