BigW Consortium Gitlab

project_feature.rb 2.77 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
class ProjectFeature < ActiveRecord::Base
  # == Project features permissions
  #
  # Grants access level to project tools
  #
  # Tools can be enabled only for users, everyone or disabled
  # Access control is made only for non private projects
  #
  # levels:
  #
  # Disabled: not enabled for anyone
  # Private:  enabled only for team members
  # Enabled:  enabled for everyone able to access the project
  #

16
  # Permission levels
17 18 19 20
  DISABLED = 0
  PRIVATE  = 10
  ENABLED  = 20

21
  FEATURES = %i(issues merge_requests wiki snippets builds repository).freeze
22

23 24 25 26 27 28 29 30 31
  class << self
    def access_level_attribute(feature)
      feature = feature.model_name.plural.to_sym if feature.respond_to?(:model_name)
      raise ArgumentError, "invalid project feature: #{feature}" unless FEATURES.include?(feature)

      "#{feature}_access_level".to_sym
    end
  end

32 33 34 35
  # Default scopes force us to unscope here since a service may need to check
  # permissions for a project in pending_delete
  # http://stackoverflow.com/questions/1540645/how-to-disable-default-scope-for-a-belongs-to
  belongs_to :project, -> { unscope(where: :pending_delete) }
36

37 38
  validate :repository_children_level

39 40 41 42 43
  default_value_for :builds_access_level,         value: ENABLED, allows_nil: false
  default_value_for :issues_access_level,         value: ENABLED, allows_nil: false
  default_value_for :merge_requests_access_level, value: ENABLED, allows_nil: false
  default_value_for :snippets_access_level,       value: ENABLED, allows_nil: false
  default_value_for :wiki_access_level,           value: ENABLED, allows_nil: false
44
  default_value_for :repository_access_level,     value: ENABLED, allows_nil: false
45

46
  def feature_available?(feature, user)
47 48
    access_level = public_send(ProjectFeature.access_level_attribute(feature))
    get_permission(user, access_level)
49 50 51 52 53 54 55 56 57 58 59 60 61 62
  end

  def builds_enabled?
    builds_access_level > DISABLED
  end

  def wiki_enabled?
    wiki_access_level > DISABLED
  end

  def merge_requests_enabled?
    merge_requests_access_level > DISABLED
  end

63 64 65 66
  def issues_enabled?
    issues_access_level > DISABLED
  end

67 68
  private

69 70 71 72 73 74 75 76 77 78 79 80
  # Validates builds and merge requests access level
  # which cannot be higher than repository access level
  def repository_children_level
    validator = lambda do |field|
      level = public_send(field) || ProjectFeature::ENABLED
      not_allowed = level > repository_access_level
      self.errors.add(field, "cannot have higher visibility level than repository access level") if not_allowed
    end

    %i(merge_requests_access_level builds_access_level).each(&validator)
  end

81 82 83 84 85 86 87 88 89 90 91 92 93
  def get_permission(user, level)
    case level
    when DISABLED
      false
    when PRIVATE
      user && (project.team.member?(user) || user.admin?)
    when ENABLED
      true
    else
      true
    end
  end
end