Class: Ability

Inherits:

Object

• Object
• Ability

Defined in:

app/models/ability.rb

Class Method Summary

• .abilities ⇒ Object
• .allowed(user, subject) ⇒ Object
• .anonymous_abilities(user, subject) ⇒ Object

  List of possible abilities for anonymous user.

• .anonymous_commit_status_abilities(subject) ⇒ Object
• .anonymous_group_abilities(subject) ⇒ Object
• .anonymous_personal_snippet_abilities(snippet) ⇒ Object
• .anonymous_project_abilities(subject) ⇒ Object
• .anonymous_project_snippet_abilities(snippet) ⇒ Object
• .anonymous_user_abilities ⇒ Object
• .can_read_group?(user, group) ⇒ Boolean
• .commit_status_abilities(user, subject) ⇒ Object
• .external_issue_abilities(user, subject) ⇒ Object
• .filter_build_abilities(rules) ⇒ Object
• .global_abilities(user) ⇒ Object
• .group_abilities(user, group) ⇒ Object
• .group_member_abilities(user, subject) ⇒ Object
• .namespace_abilities(user, namespace) ⇒ Object
• .note_abilities(user, note) ⇒ Object
• .personal_snippet_abilities(user, snippet) ⇒ Object
• .project_abilities(user, project) ⇒ Object
• .project_archived_rules ⇒ Object
• .project_dev_rules ⇒ Object
• .project_disabled_features_rules(project) ⇒ Object
• .project_guest_rules ⇒ Object
• .project_master_rules ⇒ Object
• .project_member_abilities(user, subject) ⇒ Object
• .project_owner_rules ⇒ Object
• .project_report_rules ⇒ Object
• .project_snippet_abilities(user, snippet) ⇒ Object
• .project_team_rules(team, user) ⇒ Object
• .public_project_rules ⇒ Object
• .user_abilities ⇒ Object

Class Method Details

.abilities ⇒ Object

# File 'app/models/ability.rb', line 470

def abilities
  @abilities ||= begin
    abilities = Six.new
    abilities << self
    abilities
  end
end

.allowed(user, subject) ⇒ Object

# File 'app/models/ability.rb', line 3

def allowed(user, subject)
  return anonymous_abilities(user, subject) if user.nil?
  return [] unless user.is_a?(User)
  return [] if user.blocked?

  case subject
  when CommitStatus then commit_status_abilities(user, subject)
  when Project then project_abilities(user, subject)
  when Issue then issue_abilities(user, subject)
  when ExternalIssue then external_issue_abilities(user, subject)
  when Note then note_abilities(user, subject)
  when ProjectSnippet then project_snippet_abilities(user, subject)
  when PersonalSnippet then personal_snippet_abilities(user, subject)
  when MergeRequest then merge_request_abilities(user, subject)
  when Group then group_abilities(user, subject)
  when Namespace then namespace_abilities(user, subject)
  when GroupMember then group_member_abilities(user, subject)
  when ProjectMember then project_member_abilities(user, subject)
  when User then user_abilities
  else []
  end.concat(global_abilities(user))
end

.anonymous_abilities(user, subject) ⇒ Object

List of possible abilities for anonymous user

# File 'app/models/ability.rb', line 27

def anonymous_abilities(user, subject)
  case true
  when subject.is_a?(PersonalSnippet)
    anonymous_personal_snippet_abilities(subject)
  when subject.is_a?(ProjectSnippet)
    anonymous_project_snippet_abilities(subject)
  when subject.is_a?(CommitStatus)
    anonymous_commit_status_abilities(subject)
  when subject.is_a?(Project) || subject.respond_to?(:project)
    anonymous_project_abilities(subject)
  when subject.is_a?(Group) || subject.respond_to?(:group)
    anonymous_group_abilities(subject)
  when subject.is_a?(User)
    anonymous_user_abilities
  else
    []
  end
end

.anonymous_commit_status_abilities(subject) ⇒ Object

# File 'app/models/ability.rb', line 79

def anonymous_commit_status_abilities(subject)
  rules = anonymous_project_abilities(subject.project)
  # If subject is Ci::Build which inherits from CommitStatus filter the abilities
  rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
  rules
end

.anonymous_group_abilities(subject) ⇒ Object

# File 'app/models/ability.rb', line 86

def anonymous_group_abilities(subject)
  rules = []

  group = if subject.is_a?(Group)
            subject
          else
            subject.group
          end

  rules << :read_group if group.public?

  rules
end

.anonymous_personal_snippet_abilities(snippet) ⇒ Object

# File 'app/models/ability.rb', line 100

def anonymous_personal_snippet_abilities(snippet)
  if snippet.public?
    [:read_personal_snippet]
  else
    []
  end
end

.anonymous_project_abilities(subject) ⇒ Object

# File 'app/models/ability.rb', line 46

def anonymous_project_abilities(subject)
  project = if subject.is_a?(Project)
              subject
            else
              subject.project
            end

  if project && project.public?
    rules = [
      :read_project,
      :read_wiki,
      :read_label,
      :read_milestone,
      :read_project_snippet,
      :read_project_member,
      :read_merge_request,
      :read_note,
      :read_commit_status,
      :download_code
    ]

    # Allow to read builds by anonymous user if guests are allowed
    rules << :read_build if project.public_builds?

    # Allow to read issues by anonymous user if issue is not confidential
    rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?

    rules - project_disabled_features_rules(project)
  else
    []
  end
end

.anonymous_project_snippet_abilities(snippet) ⇒ Object

# File 'app/models/ability.rb', line 108

def anonymous_project_snippet_abilities(snippet)
  if snippet.public?
    [:read_project_snippet]
  else
    []
  end
end

.anonymous_user_abilities ⇒ Object

# File 'app/models/ability.rb', line 116

def anonymous_user_abilities
  [:read_user] unless restricted_public_level?
end

.can_read_group?(user, group) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/ability.rb', line 318

def can_read_group?(user, group)
  return true if user.admin?
  return true if group.public?
  return true if group.internal? && !user.external?
  return true if group.users.include?(user)

  GroupProjectsFinder.new(group).execute(user).any?
end

.commit_status_abilities(user, subject) ⇒ Object

# File 'app/models/ability.rb', line 450

def commit_status_abilities(user, subject)
  rules = project_abilities(user, subject.project)
  # If subject is Ci::Build which inherits from CommitStatus filter the abilities
  rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
  rules
end

.external_issue_abilities(user, subject) ⇒ Object

# File 'app/models/ability.rb', line 478

def external_issue_abilities(user, subject)
  project_abilities(user, subject.project)
end

.filter_build_abilities(rules) ⇒ Object

# File 'app/models/ability.rb', line 457

def filter_build_abilities(rules)
  # If we can't read build we should also not have that
  # ability when looking at this in context of commit_status
  %w(read create update admin).each do |rule|
    rules.delete(:"#{rule}_commit_status") unless rules.include?(:"#{rule}_build")
  end
  rules
end

.global_abilities(user) ⇒ Object

# File 'app/models/ability.rb', line 120

def global_abilities(user)
  rules = []
  rules << :create_group if user.can_create_group
  rules << :read_users_list
  rules
end

.group_abilities(user, group) ⇒ Object

# File 'app/models/ability.rb', line 293

def group_abilities(user, group)
  rules = []
  rules << :read_group if can_read_group?(user, group)

  # Only group masters and group owners can create new projects
  if group.has_master?(user) || group.has_owner?(user) || user.admin?
    rules += [
      :create_projects,
      :admin_milestones
    ]
  end

  # Only group owner and administrators can admin group
  if group.has_owner?(user) || user.admin?
    rules += [
      :admin_group,
      :admin_namespace,
      :admin_group_member,
      :change_visibility_level
    ]
  end

  rules.flatten
end

.group_member_abilities(user, subject) ⇒ Object

# File 'app/models/ability.rb', line 412

def group_member_abilities(user, subject)
  rules = []
  target_user = subject.user
  group = subject.group

  unless group.last_owner?(target_user)
    can_manage = group_abilities(user, group).include?(:admin_group_member)

    if can_manage
      rules << :update_group_member
      rules << :destroy_group_member
    elsif user == target_user
      rules << :destroy_group_member
    end
  end

  rules
end

.namespace_abilities(user, namespace) ⇒ Object

# File 'app/models/ability.rb', line 327

def namespace_abilities(user, namespace)
  rules = []

  # Only namespace owner and administrators can admin it
  if namespace.owner == user || user.admin?
    rules += [
      :create_projects,
      :admin_namespace
    ]
  end

  rules.flatten
end

.note_abilities(user, note) ⇒ Object

# File 'app/models/ability.rb', line 358

def note_abilities(user, note)
  rules = []

  if note.author == user
    rules += [
      :read_note,
      :update_note,
      :admin_note
    ]
  end

  if note.respond_to?(:project) && note.project
    rules += project_abilities(user, note.project)
  end

  rules
end

.personal_snippet_abilities(user, snippet) ⇒ Object

# File 'app/models/ability.rb', line 376

def personal_snippet_abilities(user, snippet)
  rules = []

  if snippet.author == user
    rules += [
      :read_personal_snippet,
      :update_personal_snippet,
      :admin_personal_snippet
    ]
  end

  if snippet.public? || (snippet.internal? && !user.external?)
    rules << :read_personal_snippet
  end

  rules
end

.project_abilities(user, project) ⇒ Object

# File 'app/models/ability.rb', line 127

def project_abilities(user, project)
  rules = []
  key = "/user/#{user.id}/project/#{project.id}"

  RequestStore.store[key] ||= begin
    # Push abilities on the users team role
    rules.push(*project_team_rules(project.team, user))

    if project.owner == user ||
      (project.group && project.group.has_owner?(user)) ||
      user.admin?

      rules.push(*project_owner_rules)
    end

    if project.public? || (project.internal? && !user.external?)
      rules.push(*public_project_rules)

      # Allow to read builds for internal projects
      rules << :read_build if project.public_builds?
    end

    if project.archived?
      rules -= project_archived_rules
    end

    rules - project_disabled_features_rules(project)
  end
end

.project_archived_rules ⇒ Object

# File 'app/models/ability.rb', line 223

def project_archived_rules
  @project_archived_rules ||= [
    :create_merge_request,
    :push_code,
    :push_code_to_protected_branches,
    :update_merge_request,
    :admin_merge_request
  ]
end

.project_dev_rules ⇒ Object

# File 'app/models/ability.rb', line 209

def project_dev_rules
  @project_dev_rules ||= project_report_rules + [
    :admin_merge_request,
    :update_merge_request,
    :create_commit_status,
    :update_commit_status,
    :create_build,
    :update_build,
    :create_merge_request,
    :create_wiki,
    :push_code
  ]
end

.project_disabled_features_rules(project) ⇒ Object

# File 'app/models/ability.rb', line 262

def project_disabled_features_rules(project)
  rules = []

  unless project.issues_enabled
    rules += named_abilities('issue')
  end

  unless project.merge_requests_enabled
    rules += named_abilities('merge_request')
  end

  unless project.issues_enabled or project.merge_requests_enabled
    rules += named_abilities('label')
    rules += named_abilities('milestone')
  end

  unless project.snippets_enabled
    rules += named_abilities('project_snippet')
  end

  unless project.wiki_enabled
    rules += named_abilities('wiki')
  end

  unless project.builds_enabled
    rules += named_abilities('build')
  end

  rules
end

.project_guest_rules ⇒ Object

# File 'app/models/ability.rb', line 178

def project_guest_rules
  @project_guest_rules ||= [
    :read_project,
    :read_wiki,
    :read_issue,
    :read_label,
    :read_milestone,
    :read_project_snippet,
    :read_project_member,
    :read_merge_request,
    :read_note,
    :create_project,
    :create_issue,
    :create_note,
    :upload_file
  ]
end

.project_master_rules ⇒ Object

# File 'app/models/ability.rb', line 233

def project_master_rules
  @project_master_rules ||= project_dev_rules + [
    :push_code_to_protected_branches,
    :update_project_snippet,
    :admin_milestone,
    :admin_project_snippet,
    :admin_project_member,
    :admin_merge_request,
    :admin_note,
    :admin_wiki,
    :admin_project,
    :admin_commit_status,
    :admin_build
  ]
end

.project_member_abilities(user, subject) ⇒ Object

# File 'app/models/ability.rb', line 431

def project_member_abilities(user, subject)
  rules = []
  target_user = subject.user
  project = subject.project

  unless target_user == project.owner
    can_manage = project_abilities(user, project).include?(:admin_project_member)

    if can_manage
      rules << :update_project_member
      rules << :destroy_project_member
    elsif user == target_user
      rules << :destroy_project_member
    end
  end

  rules
end

.project_owner_rules ⇒ Object

# File 'app/models/ability.rb', line 249

def project_owner_rules
  @project_owner_rules ||= project_master_rules + [
    :change_namespace,
    :change_visibility_level,
    :rename_project,
    :remove_project,
    :archive_project,
    :remove_fork_project,
    :destroy_merge_request,
    :destroy_issue
  ]
end

.project_report_rules ⇒ Object

# File 'app/models/ability.rb', line 196

def project_report_rules
  @project_report_rules ||= project_guest_rules + [
    :download_code,
    :fork_project,
    :create_project_snippet,
    :update_issue,
    :admin_issue,
    :admin_label,
    :read_commit_status,
    :read_build,
  ]
end

.project_snippet_abilities(user, snippet) ⇒ Object

# File 'app/models/ability.rb', line 394

def project_snippet_abilities(user, snippet)
  rules = []

  if snippet.author == user || user.admin?
    rules += [
      :read_project_snippet,
      :update_project_snippet,
      :admin_project_snippet
    ]
  end

  if snippet.public? || (snippet.internal? && !user.external?) || (snippet.private? && snippet.project.team.member?(user))
    rules << :read_project_snippet
  end

  rules
end

.project_team_rules(team, user) ⇒ Object

# File 'app/models/ability.rb', line 157

def project_team_rules(team, user)
  # Rules based on role in project
  if team.master?(user)
    project_master_rules
  elsif team.developer?(user)
    project_dev_rules
  elsif team.reporter?(user)
    project_report_rules
  elsif team.guest?(user)
    project_guest_rules
  end
end

.public_project_rules ⇒ Object

# File 'app/models/ability.rb', line 170

def public_project_rules
  @public_project_rules ||= project_guest_rules + [
    :download_code,
    :fork_project,
    :read_commit_status
  ]
end

.user_abilities ⇒ Object

# File 'app/models/ability.rb', line 466

def user_abilities
  [:read_user]
end