# frozen_string_literal: true

# Policy for abilities that are evaluated without a specific subject: every
# condition below reads only @user or an instance-wide setting.
#
# The conditions `admin`, `anonymous`, `default`, `restricted_public_level`
# and `can_create_group` are used in rules here but are not defined in this
# file; presumably they come from BasePolicy -- verify there when auditing.
#
# NOTE(review): several rules pair an `enable` under `default` with a
# `prevent` under a narrower condition. That only denies access if the policy
# framework lets `prevent` win over `enable` -- confirm against the framework.
class GlobalPolicy < BasePolicy
  # --- User-state conditions ------------------------------------------------
  # `@user&.` evaluates to nil when there is no user, so none of these
  # conditions hold for a request without a user.
  # NOTE(review): `score: 0` presumably marks a condition as cheap to
  # evaluate -- confirm against the framework.

  desc "User is blocked"
  condition(:blocked, scope: :user, score: 0) do
    @user&.blocked?
  end

  desc "User is an internal user"
  condition(:internal, scope: :user, score: 0) do
    @user&.internal?
  end

  desc "User's access has been locked"
  condition(:access_locked, scope: :user, score: 0) do
    @user&.access_locked?
  end

  # Holds when the user has at least one manageable namespace in which they
  # may create projects. No score is given here, unlike the conditions above.
  condition(:can_create_fork, scope: :user) do
    @user && @user.manageable_namespaces.any? { |candidate| @user.can?(:create_projects, candidate) }
  end

  condition(:required_terms_not_accepted, scope: :user, score: 0) { @user&.required_terms_not_accepted? }

  # Instance-wide setting; this condition declares no scope.
  condition(:private_instance_statistics, score: 0) do
    Gitlab::CurrentSettings.instance_statistics_visibility_private?
  end

  # --- Rules ----------------------------------------------------------------

  # Admins always; any non-anonymous user when statistics are not private.
  rule { admin | (~private_instance_statistics & ~anonymous) }.policy do
    enable :read_instance_statistics
  end

  # Anonymous requests: :access_api and :access_git are not prevented here.
  rule { anonymous }.policy do
    prevent :log_in
    prevent :receive_notifications
    prevent :use_quick_actions
    prevent :create_group
  end

  # Baseline abilities; the rules below take some of them away again.
  rule { default }.policy do
    enable :log_in
    enable :access_api
    enable :access_git
    enable :receive_notifications
    enable :use_quick_actions
  end

  # Blocked and internal users lose every baseline ability.
  rule { blocked | internal }.policy do
    prevent :log_in
    prevent :access_api
    prevent :access_git
    prevent :receive_notifications
    prevent :use_quick_actions
  end

  # :log_in is not prevented here -- presumably so the user can still sign in
  # and accept the terms; confirm.
  rule { required_terms_not_accepted }.policy do
    prevent :access_api
    prevent :access_git
  end

  rule { can_create_group }.enable :create_group

  rule { can_create_fork }.enable :create_fork

  # NOTE(review): only :log_in is prevented for a locked account. Unlike the
  # blocked/internal rule, :access_api and :access_git are left to other
  # rules, so token- or key-based access may still be allowed while the
  # account is locked -- confirm this is intended.
  rule { access_locked }.prevent :log_in

  # Everyone except an anonymous request under `restricted_public_level`.
  rule { ~(anonymous & restricted_public_level) }.enable :read_users_list

  rule { ~anonymous }.enable :read_instance_metadata

  rule { admin }.policy do
    enable :read_custom_attribute
    enable :update_custom_attribute
  end
end