
project_policy.rb 7.03 KB
class ProjectPolicy < BasePolicy
  # Computes the abilities of +user+ on this project.
  #
  # Order of evaluation, as written below:
  #   1. abilities from the user's team role (team_access!)
  #   2. the full owner set for admins and owners; the team-member extras
  #      are added for owners only, not for admins who are not owners
  #   3. guest + public abilities when the project is public, or internal
  #      and the user is not external; plus :request_access when eligible
  #   4. revocations for archived projects and for disabled features
  #
  # NOTE(review): the revocation helpers run after every grant. Whether a
  # cannot! always overrides a can! regardless of call order is decided in
  # BasePolicy (not visible here) - confirm before reordering.
  def rules
    team_access!(user)

    if user.admin? || owner?
      owner_access!
    end
    team_member_owner_access! if owner?

    visible_to_user = project.public? || (project.internal? && !user.external?)
    if visible_to_user
      guest_access!
      public_access!
      can!(:request_access) if access_requestable?
    end

    archived_access! if project.archived?

    # Kept last so feature toggles are applied to everything granted above.
    disabled_features!
  end

  # The project this policy is evaluated against. It is read from @subject,
  # which is not assigned anywhere in this class.
  def project
    @subject
  end

  # Whether +user+ owns the project, either directly (project.owner == user)
  # or through the project's group (group.has_owner?(user)).
  #
  # The answer is memoized in @owner for the lifetime of this policy object,
  # so it is computed once even though several rules consult it. When the
  # project has no group and the user is not the direct owner, the result is
  # whatever falsy value project.group returned (e.g. nil), not strictly false.
  def owner?
    unless defined?(@owner)
      owns_directly = project.owner == user
      @owner = owns_directly ||
        (project.group && project.group.has_owner?(user))
    end

    @owner
  end

  # Grants the guest-level ability set.
  #
  # Besides read abilities this set contains write-type abilities
  # (:create_project, :create_issue, :create_note, :upload_file), so anything
  # that calls this method hands those out as well. Pipeline and build
  # visibility is only added when the project has public builds enabled.
  def guest_access!
    # Read abilities.
    can!(:read_project)
    can!(:read_board)
    can!(:read_list)
    can!(:read_wiki)
    can!(:read_issue)
    can!(:read_label)
    can!(:read_milestone)
    can!(:read_project_snippet)
    can!(:read_project_member)
    can!(:read_note)

    # Write-type abilities available to guests.
    can!(:create_project)
    can!(:create_issue)
    can!(:create_note)
    can!(:upload_file)

    can!(:read_cycle_analytics)

    # CI data is exposed to guests only when builds are public.
    return unless project.public_builds?

    can!(:read_pipeline)
    can!(:read_pipeline_schedule)
    can!(:read_build)
  end

  # Grants the reporter-level ability set: code and wiki download, forking,
  # issue/label/list administration and read access to CI, registry,
  # environment, deployment and merge request data.
  #
  # Unlike guest_access!, the CI read abilities here are not conditional on
  # project.public_builds?.
  def reporter_access!
    # Repository and wiki content.
    can!(:download_code)
    can!(:download_wiki_code)
    can!(:fork_project)

    # Snippets and issue tracking.
    can!(:create_project_snippet)
    can!(:update_issue)
    can!(:admin_issue)
    can!(:admin_label)
    can!(:admin_list)

    # Read-only view of CI, registry and deployments.
    can!(:read_commit_status)
    can!(:read_build)
    can!(:read_container_image)
    can!(:read_pipeline)
    can!(:read_pipeline_schedule)
    can!(:read_environment)
    can!(:read_deployment)

    can!(:read_merge_request)
  end

  # Abilities given when a user is a team member of the project: the
  # build-context variants of code download and container image read.
  #
  # Within this class these are granted from team_access! (reporter and
  # above), team_member_owner_access! and public_access!.
  def team_member_reporter_access!
    can!(:build_download_code)
    can!(:build_read_container_image)
  end

  # Grants the developer-level ability set: managing merge requests,
  # creating and updating CI objects, pushing code, and creating container
  # images, environments and deployments.
  #
  # :push_code and the merge request abilities granted here are among the
  # ones archived_access! and disabled_features! revoke later.
  def developer_access!
    # Merge requests and commit statuses.
    can!(:admin_merge_request)
    can!(:update_merge_request)
    can!(:create_commit_status)
    can!(:update_commit_status)

    # CI builds, pipelines and schedules.
    can!(:create_build)
    can!(:update_build)
    can!(:create_pipeline)
    can!(:update_pipeline)
    can!(:create_pipeline_schedule)
    can!(:update_pipeline_schedule)

    # Writing to the repository and wiki.
    can!(:create_merge_request)
    can!(:create_wiki)
    can!(:push_code)
    can!(:resolve_note)

    # Registry, environments and deployments.
    can!(:create_container_image)
    can!(:update_container_image)
    can!(:create_environment)
    can!(:create_deployment)
  end

  # Grants the master-level ability set: the admin_* abilities for project
  # resources (including :admin_project and :admin_project_member),
  # protected branch deletion and Pages management.
  #
  # This is the highest set reachable through team_access!; the owner-only
  # abilities are added separately in owner_access!.
  def master_access!
    can!(:delete_protected_branch)

    can!(:update_project_snippet)
    can!(:update_environment)
    can!(:update_deployment)

    # Administrative abilities over project resources.
    can!(:admin_milestone)
    can!(:admin_project_snippet)
    can!(:admin_project_member)
    can!(:admin_note)
    can!(:admin_wiki)
    can!(:admin_project)
    can!(:admin_commit_status)
    can!(:admin_build)
    can!(:admin_container_image)
    can!(:admin_pipeline)
    can!(:admin_pipeline_schedule)
    can!(:admin_environment)
    can!(:admin_deployment)

    # Pages.
    can!(:admin_pages)
    can!(:read_pages)
    can!(:update_pages)
  end

  # Abilities added on top of guest_access! for a signed-in user who can see
  # the project through its visibility level (see rules).
  #
  # NOTE(review): :read_pipeline and :read_pipeline_schedule are granted here
  # unconditionally, whereas guest_access! only grants them when
  # project.public_builds? is true - confirm that this difference is
  # intended. The build-context abilities (:build_download_code,
  # :build_read_container_image) are also granted to non-members here.
  def public_access!
    can!(:download_code)
    can!(:fork_project)
    can!(:read_commit_status)
    can!(:read_pipeline)
    can!(:read_pipeline_schedule)
    can!(:read_container_image)
    can!(:build_download_code)
    can!(:build_read_container_image)
    can!(:read_merge_request)
  end

  # Grants everything an owner may do: the guest, reporter, developer and
  # master sets, followed by the owner-only abilities (moving, renaming,
  # archiving and removing the project, changing its visibility, destroying
  # issues and merge requests, removing Pages).
  #
  # rules calls this for project owners and for admins alike. It does not
  # call team_member_reporter_access!; rules adds that for owners through
  # team_member_owner_access!.
  def owner_access!
    # Every lower role is included.
    guest_access!
    reporter_access!
    developer_access!
    master_access!

    # Project lifecycle and visibility.
    can!(:change_namespace)
    can!(:change_visibility_level)
    can!(:rename_project)
    can!(:remove_project)
    can!(:archive_project)
    can!(:remove_fork_project)

    # Destructive actions on content.
    can!(:destroy_merge_request)
    can!(:destroy_issue)
    can!(:remove_pages)
  end

  # Team-member extras for an owner. Currently identical to the reporter
  # team-member set; rules calls this only when owner? is true.
  def team_member_owner_access!
    team_member_reporter_access!
  end

  # Grants abilities according to the user's highest team role on the project.
  #
  # The role sets are cumulative: each threshold the user's access level
  # reaches adds the next set, and the method stops at the first threshold it
  # does not reach. There is no owner branch here; owner abilities are added
  # by rules via owner_access!.
  #
  # user - the user whose membership is looked up (by user.id).
  def team_access!(user)
    level = project.team.max_member_access(user.id)

    # Below guest: no team-derived abilities at all.
    return if level < Gitlab::Access::GUEST
    guest_access!

    return if level < Gitlab::Access::REPORTER
    reporter_access!
    # Only real team members get the build-context abilities from this path.
    team_member_reporter_access!

    return if level < Gitlab::Access::DEVELOPER
    developer_access!

    return if level < Gitlab::Access::MASTER
    master_access!
  end

  # Revokes the abilities that would change an archived project's repository
  # or merge requests. rules calls this only when project.archived? is true,
  # after all grants.
  #
  # Only the five abilities listed are revoked; other write abilities granted
  # earlier (for example :create_issue or :create_note) are left untouched by
  # this method.
  def archived_access!
    cannot!(:create_merge_request)
    cannot!(:push_code)
    cannot!(:delete_protected_branch)
    cannot!(:update_merge_request)
    cannot!(:admin_merge_request)
  end

  # Revokes abilities that belong to project features the user cannot use.
  #
  # Feature availability is asked per user through
  # project.feature_available?(feature, user). Merge requests and builds also
  # require the repository feature; labels and milestones are only revoked
  # when both issues and merge requests are unavailable; the wiki stays
  # usable when an external wiki is configured.
  #
  # NOTE(review): named_abilities only yields the read_/create_/update_/admin_
  # abilities of a resource. Abilities granted elsewhere in this class under
  # other names - e.g. :build_download_code, :build_read_container_image,
  # :destroy_merge_request, :destroy_issue - are not revoked here when the
  # matching feature is off. Confirm they are gated somewhere else.
  def disabled_features!
    repo_on = project.feature_available?(:repository, user)

    block_issues_abilities

    merge_requests_usable = project.feature_available?(:merge_requests, user) && repo_on
    cannot!(*named_abilities(:merge_request)) unless merge_requests_usable

    # Labels and milestones serve both issues and merge requests.
    planning_in_use = project.feature_available?(:issues, user) ||
      project.feature_available?(:merge_requests, user)
    unless planning_in_use
      cannot!(*named_abilities(:label))
      cannot!(*named_abilities(:milestone))
    end

    cannot!(*named_abilities(:project_snippet)) unless project.feature_available?(:snippets, user)

    wiki_reachable = project.feature_available?(:wiki, user) || project.has_external_wiki?
    unless wiki_reachable
      cannot!(*named_abilities(:wiki))
      cannot!(:download_wiki_code)
    end

    ci_usable = project.feature_available?(:builds, user) && repo_on
    unless ci_usable
      %i[build pipeline pipeline_schedule environment deployment].each do |resource|
        cannot!(*named_abilities(resource))
      end
    end

    # Without the repository nothing that touches code stays allowed.
    unless repo_on
      cannot!(:push_code)
      cannot!(:delete_protected_branch)
      cannot!(:download_code)
      cannot!(:fork_project)
      cannot!(:read_commit_status)
    end

    return if project.container_registry_enabled

    cannot!(*named_abilities(:container_image))
  end

  # Abilities for a request without a signed-in user.
  #
  # Nothing is granted unless the project is public. For public projects the
  # read-only base set is granted, :read_build is added when builds are
  # public, and disabled_features! then removes whatever belongs to features
  # that are switched off. archived_access! is not called on this path.
  #
  # NOTE(review): disabled_features! and block_issues_abilities pass +user+
  # to project.feature_available?; presumably that is nil here - confirm the
  # feature check handles it.
  def anonymous_rules
    return unless project.public?

    base_readonly_access!

    # Allow anonymous users to read builds if guests are allowed to.
    if project.public_builds?
      can!(:read_build)
    end

    disabled_features!
  end

  # Revokes issue abilities when the issues feature is unavailable to the user.
  #
  # :read_issue is only revoked when the project uses its default issue
  # tracker; create/update/admin are revoked in every case.
  def block_issues_abilities
    return if project.feature_available?(:issues, user)

    cannot!(:read_issue) if project.default_issues_tracker?
    cannot!(:create_issue)
    cannot!(:update_issue)
    cannot!(:admin_issue)
  end

  # Builds the four standard ability names for a resource.
  #
  # name - resource name, e.g. :wiki. Every caller in this class passes a
  #        literal symbol.
  #
  # Returns [:read_<name>, :create_<name>, :update_<name>, :admin_<name>].
  # Abilities with any other prefix are not part of the result.
  def named_abilities(name)
    %w[read create update admin].map { |verb| :"#{verb}_#{name}" }
  end

  private

  # Whether +user+ is already attached to the project's group, either as a
  # member (members_with_parents) or through an entry in group.requesters.
  #
  # Returns the falsy value of project.group when the project has no group.
  def project_group_member?(user)
    group = project.group
    return group unless group

    group.members_with_parents.exists?(user_id: user.id) ||
      group.requesters.exists?(user_id: user.id)
  end

  # Whether the user may ask for access to the project.
  #
  # Requires that the project accepts access requests and that the user has
  # no standing on it yet: not an owner, not an admin, not a team member and
  # not attached to the project's group.
  def access_requestable?
    project.request_access_enabled &&
      !(
        owner? ||
        user.admin? ||
        project.team.member?(user) ||
        project_group_member?(user)
      )
  end

  # A base set of abilities for read-only users, which is then augmented as
  # necessary for anonymous and other read-only users. Within this class it
  # is called from anonymous_rules only.
  #
  # NOTE(review): :read_pipeline and :read_pipeline_schedule are granted here
  # without checking project.public_builds?, while anonymous_rules gates
  # :read_build on that flag and guest_access! gates all three - confirm the
  # difference is intended. :download_code and :download_wiki_code are part
  # of this set as well.
  def base_readonly_access!
    can!(:read_project)
    can!(:read_board)
    can!(:read_list)
    can!(:read_wiki)
    can!(:read_label)
    can!(:read_milestone)
    can!(:read_project_snippet)
    can!(:read_project_member)
    can!(:read_merge_request)
    can!(:read_note)

    # CI and registry visibility.
    can!(:read_pipeline)
    can!(:read_pipeline_schedule)
    can!(:read_commit_status)
    can!(:read_container_image)

    # Repository and wiki content.
    can!(:download_code)
    can!(:download_wiki_code)
    can!(:read_cycle_analytics)

    # NOTE: may be overridden by IssuePolicy
    can!(:read_issue)
  end
end