BigW Consortium Gitlab

member.rb 7.6 KB
Newer Older
1
class Member < ActiveRecord::Base
2
  include Sortable
3
  include Importable
4
  include Expirable
5 6
  include Gitlab::Access

7 8
  attr_accessor :raw_invite_token

9
  belongs_to :created_by, class_name: "User"
10 11 12
  belongs_to :user
  belongs_to :source, polymorphic: true

13
  validates :user, presence: true, unless: :invite?
14
  validates :source, presence: true
15
  validates :user_id, uniqueness: { scope: [:source_type, :source_id],
16 17
                                    message: "already exists in source",
                                    allow_nil: true }
18
  validates :access_level, inclusion: { in: Gitlab::Access.all_values }, presence: true
Douwe Maan committed
19 20 21 22
  validates :invite_email,
    presence: {
      if: :invite?
    },
23
    email: {
Douwe Maan committed
24 25 26 27 28 29
      allow_nil: true
    },
    uniqueness: {
      scope: [:source_type, :source_id],
      allow_nil: true
    }
30

31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
  # This scope encapsulates (most of) the conditions a row in the member table
  # must satisfy if it is a valid permission. Of particular note:
  #
  #   * Access requests must be excluded
  #   * Blocked users must be excluded
  #   * Invitations take effect immediately
  #   * expires_at is not implemented. A background worker purges expired rows
  scope :active, -> do
    is_external_invite = arel_table[:user_id].eq(nil).and(arel_table[:invite_token].not_eq(nil))
    user_is_active = User.arel_table[:state].eq(:active)

    includes(:user).references(:users)
      .where(is_external_invite.or(user_is_active))
      .where(requested_at: nil)
  end

47
  scope :invite, -> { where.not(invite_token: nil) }
48
  scope :non_invite, -> { where(invite_token: nil) }
49
  scope :request, -> { where.not(requested_at: nil) }
50 51 52 53 54 55 56 57 58

  scope :has_access, -> { active.where('access_level > 0') }

  scope :guests, -> { active.where(access_level: GUEST) }
  scope :reporters, -> { active.where(access_level: REPORTER) }
  scope :developers, -> { active.where(access_level: DEVELOPER) }
  scope :masters,  -> { active.where(access_level: MASTER) }
  scope :owners,  -> { active.where(access_level: OWNER) }
  scope :owners_and_masters,  -> { active.where(access_level: [OWNER, MASTER]) }
59

60
  before_validation :generate_invite_token, on: :create, if: -> (member) { member.invite_email.present? }
61

62
  after_create :send_invite, if: :invite?, unless: :importing?
James Lopez committed
63 64 65
  after_create :send_request, if: :request?, unless: :importing?
  after_create :create_notification_setting, unless: [:pending?, :importing?]
  after_create :post_create_hook, unless: [:pending?, :importing?]
66
  after_create :refresh_member_authorized_projects, if: :importing?
James Lopez committed
67
  after_update :post_update_hook, unless: [:pending?, :importing?]
68
  after_destroy :post_destroy_hook, unless: :pending?
69

70
  delegate :name, :username, :email, to: :user, prefix: true
71

72 73
  default_value_for :notification_level, NotificationSetting.levels[:global]

74
  class << self
Stan Hu committed
75
    def access_for_user_ids(user_ids)
Adam Niedzielski committed
76
      where(user_id: user_ids).has_access.pluck(:user_id, :access_level).to_h
Stan Hu committed
77 78
    end

79 80 81 82 83
    def find_by_invite_token(invite_token)
      invite_token = Devise.token_generator.digest(self, :invite_token, invite_token)
      find_by(invite_token: invite_token)
    end

84 85 86
    def add_user(source, user, access_level, current_user: nil, expires_at: nil)
      user = retrieve_user(user)
      access_level = retrieve_access_level(access_level)
87

88
      # `user` can be either a User object or an email to be invited
89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106
      member =
        if user.is_a?(User)
          source.members.find_by(user_id: user.id) ||
          source.requesters.find_by(user_id: user.id) ||
          source.members.build(user_id: user.id)
        else
          source.members.build(invite_email: user)
        end

      return member unless can_update_member?(current_user, member)

      member.attributes = {
        created_by: member.created_by || current_user,
        access_level: access_level,
        expires_at: expires_at
      }

      if member.request?
107 108 109 110 111 112
        ::Members::ApproveAccessRequestService.new(
          source,
          current_user,
          id: member.id,
          access_level: access_level
        ).execute
113
      else
114
        member.save
115
      end
116

117 118
      UserProjectAccessChangedService.new(user.id).execute if user.is_a?(User)

119 120
      member
    end
121

122 123
    def access_levels
      Gitlab::Access.sym_options
124
    end
125 126 127

    private

128 129 130 131 132 133 134 135 136 137 138 139
    # This method is used to find users that have been entered into the "Add members" field.
    # These can be the User objects directly, their IDs, their emails, or new emails to be invited.
    def retrieve_user(user)
      return user if user.is_a?(User)

      User.find_by(id: user) || User.find_by(email: user) || user
    end

    def retrieve_access_level(access_level)
      access_levels.fetch(access_level) { access_level.to_i }
    end

140
    def can_update_member?(current_user, member)
Douwe Maan committed
141
      # There is no current user for bulk actions, in which case anything is allowed
142
      !current_user || current_user.can?(:"update_#{member.type.underscore}", member)
143
    end
144

145 146 147 148 149 150 151 152 153 154
    def add_users_to_source(source, users, access_level, current_user: nil, expires_at: nil)
      users.each do |user|
        add_user(
          source,
          user,
          access_level,
          current_user: current_user,
          expires_at: expires_at
        )
      end
155
    end
Douwe Maan committed
156 157
  end

158 159 160 161
  def real_source_type
    source_type
  end

162 163 164 165
  def invite?
    self.invite_token.present?
  end

166
  def request?
167
    requested_at.present?
168 169
  end

170 171
  def pending?
    invite? || request?
172 173
  end

174
  def accept_request
175 176
    return false unless request?

177
    updated = self.update(requested_at: nil)
178
    after_accept_request if updated
179

180
    updated
181 182
  end

183
  def accept_invite!(new_user)
Douwe Maan committed
184
    return false unless invite?
185

186 187 188 189 190 191 192 193 194 195 196 197
    self.invite_token = nil
    self.invite_accepted_at = Time.now.utc

    self.user = new_user

    saved = self.save

    after_accept_invite if saved

    saved
  end

Douwe Maan committed
198 199 200 201 202 203 204 205 206 207
  def decline_invite!
    return false unless invite?

    destroyed = self.destroy

    after_decline_invite if destroyed

    destroyed
  end

208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225
  def generate_invite_token
    raw, enc = Devise.token_generator.generate(self.class, :invite_token)
    @raw_invite_token = raw
    self.invite_token = enc
  end

  def generate_invite_token!
    generate_invite_token && save(validate: false)
  end

  def resend_invite
    return unless invite?

    generate_invite_token! unless @raw_invite_token

    send_invite
  end

226
  def create_notification_setting
227
    user.notification_settings.find_or_create_for(source)
228 229
  end

230
  def notification_setting
231
    @notification_setting ||= user.notification_settings_for(source)
232 233
  end

234 235 236 237 238 239
  private

  def send_invite
    # override in subclass
  end

240
  def send_request
241
    notification_service.new_access_request(self)
242 243 244
  end

  def post_create_hook
245
    UserProjectAccessChangedService.new(user.id).execute
246 247 248 249
    system_hook_service.execute_hooks_for(self, :create)
  end

  def post_update_hook
250
    UserProjectAccessChangedService.new(user.id).execute if access_level_changed?
251 252 253
  end

  def post_destroy_hook
254
    refresh_member_authorized_projects
255 256 257
    system_hook_service.execute_hooks_for(self, :destroy)
  end

258 259 260 261 262 263 264 265 266
  def refresh_member_authorized_projects
    # If user/source is being destroyed, project access are gonna be destroyed eventually
    # because of DB foreign keys, so we shouldn't bother with refreshing after each
    # member is destroyed through association
    return if destroyed_by_association.present?

    UserProjectAccessChangedService.new(user_id).execute
  end

267 268 269 270
  def after_accept_invite
    post_create_hook
  end

Douwe Maan committed
271 272 273 274
  def after_decline_invite
    # override in subclass
  end

275
  def after_accept_request
276 277 278 279 280 281 282 283 284 285
    post_create_hook
  end

  def system_hook_service
    SystemHooksService.new
  end

  def notification_service
    NotificationService.new
  end
286
end