# frozen_string_literal: true

# Authorization policy for a Group.
#
# Conditions are evaluated against @subject (the group) and @user (the
# current user, which may be nil for anonymous requests); rules map those
# conditions onto abilities with enable/prevent. In the DeclarativePolicy
# DSL a `prevent` for an ability takes precedence over any `enable` for it,
# which is how the request_access rules near the bottom work.
class GroupPolicy < BasePolicy
  # Provides clusterable_has_clusters? / multiple_clusters_available?
  # (definitions live in the mixin, not in this file).
  include ClusterableActions

  desc "Group is public"
  # `with_options`/`with_score` annotate the *next* condition declaration:
  # scope: :subject means the result depends on the group only (not the
  # user) and score: 0 marks it as cheap to evaluate.
  with_options scope: :subject, score: 0
  condition(:public_group) { @subject.public? }

  with_score 0
  # Internal groups are viewable by signed-in users, except external users.
  condition(:logged_in_viewable) { @user && @subject.internal? && !@user.external? }

  # True for any membership above NO_ACCESS. Anonymous users are always
  # NO_ACCESS (see #access_level below), so they never satisfy this.
  condition(:has_access) { access_level != GroupMember::NO_ACCESS }

  # Role conditions are thresholds (`>=`): each one holds for that role and
  # every role with a higher GroupMember access level, so e.g. an owner also
  # satisfies :guest and :maintainer.
  condition(:guest) { access_level >= GroupMember::GUEST }
  condition(:developer) { access_level >= GroupMember::DEVELOPER }
  condition(:owner) { access_level >= GroupMember::OWNER }
  condition(:maintainer) { access_level >= GroupMember::MAINTAINER }
  condition(:reporter) { access_level >= GroupMember::REPORTER }

  # scope: :global — depends on neither the user nor the group.
  condition(:nested_groups_supported, scope: :global) { Group.supports_nested_objects? }

  condition(:has_parent, scope: :subject) { @subject.has_parent? }
  condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
  # Safe navigation: a top-level group (nil parent) yields nil, i.e. false.
  condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
  # Delegates to the parent group's policy, so the lock inherited from the
  # parent can only be overridden by someone allowed to change it there.
  # NOTE(review): not scoped, and passes @subject.parent even when nil —
  # the rule using it ORs in ~has_parent, so confirm that path short-circuits.
  condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }

  # Runs a finder query (including subgroups) for the current user; the
  # finder is presumably what applies project visibility — verify there,
  # since :read_label is granted on this condition alone.
  condition(:has_projects) do
    GroupProjectsFinder.new(group: @subject, current_user: @user, options: { include_subgroups: true }).execute.any?
  end

  condition(:has_clusters, scope: :subject) { clusterable_has_clusters? }
  condition(:can_have_multiple_clusters) { multiple_clusters_available? }

  with_options scope: :subject, score: 0
  condition(:request_access_enabled) { @subject.request_access_enabled }

  # --- Read access -----------------------------------------------------

  rule { public_group }.policy do
    enable :read_group
    enable :read_list
    enable :read_label
  end

  rule { logged_in_viewable }.enable :read_group

  rule { guest }.policy do
    enable :read_group
    enable :read_list
    enable :upload_file
    enable :read_label
  end

  # :admin is not defined in this file (expected from BasePolicy).
  rule { admin }.enable :read_group

  rule { has_projects }.policy do
    enable :read_label
  end

  rule { has_access }.enable :read_namespace

  # --- Role-based write access ------------------------------------------

  rule { developer }.enable :admin_milestone

  rule { reporter }.policy do
    enable :admin_label
    enable :admin_list
    enable :admin_issue
  end

  rule { maintainer }.policy do
    enable :create_projects
    enable :admin_pipeline
    enable :admin_build
    enable :read_cluster
    enable :add_cluster
    enable :create_cluster
    enable :update_cluster
    enable :admin_cluster
  end

  rule { owner }.policy do
    enable :admin_group
    enable :admin_namespace
    enable :admin_group_member
    enable :change_visibility_level

    enable :set_note_created_at
  end

  # Cross-project aggregate views: gated on :read_nested_project_resources,
  # which is itself derived from :read_cross_project & :read_group in the
  # next rule (abilities referenced via can? are resolved by name, so the
  # declaration order of these two rules should not matter — confirm).
  rule { can?(:read_nested_project_resources) }.policy do
    enable :read_group_activity
    enable :read_group_issues
    enable :read_group_boards
    enable :read_group_labels
    enable :read_group_milestones
    enable :read_group_merge_requests
  end

  rule { can?(:read_cross_project) & can?(:read_group) }.policy do
    enable :read_nested_project_resources
  end

  rule { owner & nested_groups_supported }.enable :create_subgroup

  rule { public_group | logged_in_viewable }.enable :view_globally

  # --- Access requests ---------------------------------------------------
  # Enabled by default, then withdrawn when the group disables requests,
  # when the user cannot even see the group, or when the user is already a
  # member. The prevent rules win over the default enable.
  rule { default }.enable(:request_access)

  rule { ~request_access_enabled }.prevent :request_access
  rule { ~can?(:view_globally) }.prevent   :request_access
  rule { has_access }.prevent              :request_access

  # An owner may change the share-with-group lock unless it is locked and
  # inherited from a parent the owner is not allowed to change it on.
  rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock

  # With a single cluster allowed, adding another is blocked once one exists.
  rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster

  # Highest GroupMember access level @user holds in @subject.
  #
  # Returns GroupMember::NO_ACCESS for anonymous users; the nil check comes
  # before the memoisation so nothing is cached in that case. For signed-in
  # users the result is memoised per policy instance.
  #
  # @return [Integer] a GroupMember access level constant
  def access_level
    return GroupMember::NO_ACCESS if @user.nil?

    @access_level ||= @subject.max_member_access_for_user(@user)
  end
end