
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorhttp://jneen.net/ <jneen@jneen.net>2017-04-07 00:06:42 +0300
committerhttp://jneen.net/ <jneen@jneen.net>2017-06-27 22:44:37 +0300
commit37c401433b76170f0150d70865f1f4584db01fa8 (patch)
tree2da7a4c072b863e0cb927993d8d39e7029d720e4 /app/policies/ci
parente5aad75a2673b2e4465d311cbd27970d5c81d5f7 (diff)
convert all the policies to DeclarativePolicy
Diffstat (limited to 'app/policies/ci')
-rw-r--r--app/policies/ci/build_policy.rb28
-rw-r--r--app/policies/ci/pipeline_policy.rb4
-rw-r--r--app/policies/ci/runner_policy.rb15
-rw-r--r--app/policies/ci/trigger_policy.rb21
4 files changed, 28 insertions, 40 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 2d7405dc240..a886efc1360 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,29 +1,13 @@
module Ci
class BuildPolicy < CommitStatusPolicy
- alias_method :build, :subject
-
- def rules
- super
-
- # If we can't read build we should also not have that
- # ability when looking at this in context of commit_status
- %w[read create update admin].each do |rule|
- cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
- end
-
- if can?(:update_build) && protected_action?
- cannot! :update_build
- end
- end
-
- private
-
- def protected_action?
- return false unless build.action?
+ condition(:protected_action) do
+ next false unless @subject.action?
!::Gitlab::UserAccess
- .new(user, project: build.project)
- .can_merge_to_branch?(build.ref)
+ .new(@user, project: @subject.project)
+ .can_merge_to_branch?(@subject.ref)
end
+
+ rule { protected_action }.prevent :update_build
end
end
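Review bot: The removed loop that denied each `*_commit_status` ability (read, create, update, admin) when the matching `*_build` ability was missing has no counterpart in the new class body, which keeps only `rule { protected_action }.prevent :update_build`. This page is limited to app/policies/ci, so the coupling may have moved into CommitStatusPolicy, but that is not visible here. If it did not move, a user denied `read_build` could still hold `read_commit_status` on the same object. I would pin this with a spec asserting that both abilities are denied together. The negated condition would also read more easily with a comment such as `# true when the build is an action and the user may not merge to its ref`.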
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 10aa2d3e72a..a2dde95dbc8 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,7 +1,5 @@
module Ci
class PipelinePolicy < BasePolicy
- def rules
- delegate! @subject.project
- end
+ delegate { @subject.project }
end
end
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 416d93ffe63..7dff8470e23 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -1,13 +1,16 @@
module Ci
class RunnerPolicy < BasePolicy
- def rules
- return unless @user
+ with_options scope: :subject, score: 0
+ condition(:shared) { @subject.is_shared? }
- can! :assign_runner if @user.admin?
+ with_options scope: :subject, score: 0
+ condition(:locked, scope: :subject) { @subject.locked? }
- return if @subject.is_shared? || @subject.locked?
+ condition(:authorized_runner) { @user.ci_authorized_runners.include?(@subject) }
- can! :assign_runner if @user.ci_authorized_runners.include?(@subject)
- end
+ rule { anonymous }.prevent_all
+ rule { admin | authorized_runner }.enable :assign_runner
+ rule { ~admin & shared }.prevent :assign_runner
+ rule { ~admin & locked }.prevent :assign_runner
end
end
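Review bot: `condition(:authorized_runner)` calls `@user.ci_authorized_runners` with no nil check, so anonymous requests are safe only if `rule { anonymous }.prevent_all` always short-circuits before this condition is evaluated. That depends on the framework's evaluation order, which is not visible in this hunk. The removed code had an explicit `return unless @user`, and `is_owner` in trigger_policy.rb in this same commit guards with `@user &&`. For consistency I would write `condition(:authorized_runner) { @user && @user.ci_authorized_runners.include?(@subject) }`. Separately, `condition(:locked, scope: :subject)` repeats the scope already set by the preceding `with_options` line and can drop the argument.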
diff --git a/app/policies/ci/trigger_policy.rb b/app/policies/ci/trigger_policy.rb
index c90c9ac0583..5592ac30812 100644
--- a/app/policies/ci/trigger_policy.rb
+++ b/app/policies/ci/trigger_policy.rb
@@ -1,13 +1,16 @@
module Ci
class TriggerPolicy < BasePolicy
- def rules
- delegate! @subject.project
-
- if can?(:admin_build)
- can! :admin_trigger if @subject.owner.blank? ||
- @subject.owner == @user
- can! :manage_trigger
- end
- end
+ delegate { @subject.project }
+
+ with_options scope: :subject, score: 0
+ condition(:legacy) { @subject.legacy? }
+
+ with_score 0
+ condition(:is_owner) { @user && @subject.owner_id == @user.id }
+
+ rule { ~can?(:admin_build) }.prevent :admin_trigger
+ rule { legacy | is_owner }.enable :admin_trigger
+
+ rule { can?(:admin_build) }.enable :manage_trigger
end
end
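Review bot: The ownerless case changed from `@subject.owner.blank?` to `@subject.legacy?`, and the ownership test from `@subject.owner == @user` to an `owner_id` comparison; whether `legacy?` is equivalent to a blank owner is not visible on this page. If `legacy?` is defined on `owner_id`, a trigger whose owner record no longer exists would move from being administrable by anyone with `admin_build` to being administrable by nobody. That is a tightening, but it is worth pinning with a spec. The rule pair also reads as if owners always receive `admin_trigger`. A comment above `rule { ~can?(:admin_build) }.prevent :admin_trigger`, such as `# prevent overrides enable: owners and legacy triggers still need admin_build`, would make the precedence explicit.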