class Ability
  class << self
    # Returns the list of ability symbols +user+ holds on +subject+.
    #
    # Three tiers, checked in order:
    # * a nil user is anonymous and only gets +not_auth_abilities+;
    # * anything that is not a User, or a User that is blocked, gets nothing;
    # * any other User gets the subject-specific rules plus +global_abilities+.
    #
    # @param user [User, nil]
    # @param subject [Object] a Project, Issue, Note, snippet, MergeRequest,
    #   Group or Namespace; other types yield only the global abilities
    # @return [Array<Symbol>]
    def allowed(user, subject)
      return not_auth_abilities(user, subject) if user.nil?
      return [] unless user.kind_of?(User) && !user.blocked?

      subject_abilities(user, subject) + global_abilities(user)
    end

    # Picks the *_abilities method for +subject+ by its class name.
    #
    # The match is on the exact class-name string, so an instance of a
    # subclass (differently named) falls into the empty default branch.
    #
    # @return [Array<Symbol>]
    def subject_abilities(user, subject)
      case subject.class.name
      when "Project"         then project_abilities(user, subject)
      when "Issue"           then issue_abilities(user, subject)
      when "Note"            then note_abilities(user, subject)
      when "ProjectSnippet"  then project_snippet_abilities(user, subject)
      when "PersonalSnippet" then personal_snippet_abilities(user, subject)
      when "MergeRequest"    then merge_request_abilities(user, subject)
      when "Group"           then group_abilities(user, subject)
      when "Namespace"       then namespace_abilities(user, subject)
      else []
      end
    end

    # Abilities of a non-authenticated visitor.
    #
    # Only a public project -- or a subject that belongs to one -- exposes
    # anything, and what it exposes is a deliberately explicit, read-only
    # list (plus code download). It is kept separate from the guest rules
    # on purpose so that a change to authenticated-guest rules can never
    # silently widen anonymous access. +user+ is always nil here and is
    # accepted only for signature symmetry with the other *_abilities.
    #
    # @return [Array<Symbol>]
    def not_auth_abilities(user, subject)
      project = case
                when subject.kind_of?(Project)    then subject
                when subject.respond_to?(:project) then subject.project
                end

      return [] unless project && project.public?

      [
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_project_snippet,
        :read_team_member,
        :read_merge_request,
        :read_note,
        :download_code
      ]
    end

    # Abilities that do not depend on any subject.
    #
    # @return [Array<Symbol>] +[:create_group]+ when the user may create
    #   groups, otherwise empty
    def global_abilities(user)
      user.can_create_group ? [:create_group] : []
    end

    # Abilities of +user+ on +project+.
    #
    # Built up in a fixed order: the rules of the user's team role, then
    # the public-project rules for public/internal projects, then the
    # admin rules for the project owner, site admins and owners of the
    # owning group. An archived project finally loses every rule in
    # +project_archived_rules+. Admin rules may be appended twice (owner who
    # is also group owner); callers test membership, so the duplicate is
    # harmless.
    #
    # @return [Array<Symbol>]
    def project_abilities(user, project)
      rules = project_role_rules(project.team, user)
      rules += public_project_rules if project.public? || project.internal?
      rules += project_admin_rules if project.owner == user || user.admin?
      rules += project_admin_rules if project.group && project.group.has_owner?(user)
      rules -= project_archived_rules if project.archived?
      rules
    end

    # Rules granted by the user's highest role in +team+, or none when the
    # user is not a member. Roles are tested from most to least privileged
    # and the first match wins.
    #
    # @return [Array<Symbol>]
    def project_role_rules(team, user)
      if team.masters.include?(user)       then project_master_rules
      elsif team.developers.include?(user) then project_dev_rules
      elsif team.reporters.include?(user)  then project_report_rules
      elsif team.guests.include?(user)     then project_guest_rules
      else []
      end
    end

    # Extra rules every authenticated user gets on a public/internal project.
    def public_project_rules
      project_guest_rules + [:download_code, :fork_project]
    end

    # Base rule set of a project guest; every higher role extends it.
    def project_guest_rules
      [
        # read access
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_project_snippet,
        :read_team_member,
        :read_merge_request,
        :read_note,
        # write access
        :write_project,
        :write_issue,
        :write_note
      ]
    end

    # Reporter: guest plus code download, forking and snippet creation.
    def project_report_rules
      project_guest_rules + [
        :download_code,
        :fork_project,
        :write_project_snippet
      ]
    end

    # Developer: reporter plus merge requests, wiki edits and pushing.
    def project_dev_rules
      project_report_rules + [
        :write_merge_request,
        :write_wiki,
        :push_code
      ]
    end

    # Rules withdrawn from everyone on an archived project. Note that
    # +:archive_project+ itself is not in this list, so an admin can still
    # toggle the archived state.
    def project_archived_rules
      [
        :write_merge_request,
        :push_code,
        :push_code_to_protected_branches,
        :modify_merge_request,
        :admin_merge_request
      ]
    end

    # Master: developer plus protected-branch pushes and administration of
    # the project's content.
    def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
        :modify_issue,
        :modify_project_snippet,
        :modify_merge_request,
        :admin_issue,
        :admin_milestone,
        :admin_project_snippet,
        :admin_team_member,
        :admin_merge_request,
        :admin_note,
        :admin_wiki,
        :admin_project
      ]
    end

    # Project admin (owner / group owner / site admin): master plus the
    # operations that change the project's identity or existence.
    def project_admin_rules
      project_master_rules + [
        :change_namespace,
        :change_visibility_level,
        :rename_project,
        :remove_project,
        :archive_project
      ]
    end

    # Abilities of +user+ on +group+: members and site admins may read it;
    # only the group owner and site admins may manage it.
    #
    # @return [Array<Symbol>]
    def group_abilities(user, group)
      rules = []
      rules.push(:read_group) if group.users.include?(user) || user.admin?
      rules.push(:manage_group, :manage_namespace) if group.has_owner?(user) || user.admin?
      rules
    end

    # Abilities of +user+ on +namespace+: only its owner and site admins
    # may manage it.
    #
    # @return [Array<Symbol>]
    def namespace_abilities(user, namespace)
      return [] unless namespace.owner == user || user.admin?

      [:manage_namespace]
    end

    # Defines issue_abilities, note_abilities, project_snippet_abilities,
    # personal_snippet_abilities and merge_request_abilities.
    #
    # The author of the subject gets read/write/modify/admin on it; an
    # assignee (for subjects that have one) gets everything but admin;
    # anybody else inherits the rules of the owning project, or nothing
    # when the subject has no project (e.g. a personal snippet).
    %w[issue note project_snippet personal_snippet merge_request].each do |name|
      define_method(:"#{name}_abilities") do |user, subject|
        if subject.author == user
          %w[read write modify admin].map { |verb| :"#{verb}_#{name}" }
        elsif subject.respond_to?(:assignee) && subject.assignee == user
          %w[read write modify].map { |verb| :"#{verb}_#{name}" }
        elsif subject.respond_to?(:project)
          project_abilities(user, subject.project)
        else
          []
        end
      end
    end
  end
end