add support for anonymous abilities

author: http://jneen.net/ <jneen@jneen.net> 2016-08-12 21:36:16 +0300
committer: http://jneen.net/ <jneen@jneen.net> 2016-08-30 21:39:22 +0300
commit: 1ca9b3354a350b83d1e025b3d46280bc5bb60f2b (patch)
tree: 02d4eb19aa65547badc63f7d41c5adbd2fe5439b /app/policies/project_policy.rb
parent: 29b1623a3615fb7683702f4de2dfeafca10f9c1c (diff)
1 files changed, 39 insertions, 13 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1e82070e62a..95e8b71c102 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -28,6 +28,7 @@ class ProjectPolicy < BasePolicy
     can! :update_issue
     can! :admin_issue
     can! :admin_label
+    can! :admin_list
     can! :read_commit_status
     can! :read_build
     can! :read_container_image
@@ -48,6 +49,7 @@ class ProjectPolicy < BasePolicy
     can! :create_merge_request
     can! :create_wiki
     can! :push_code
+    can! :resolve_note
     can! :create_container_image
     can! :update_container_image
     can! :create_environment
@@ -98,8 +100,8 @@ class ProjectPolicy < BasePolicy
   end
 
   # Push abilities on the users team role
-  def team_access!
-    access = project.team.max_member_access(@user.id)
+  def team_access!(user)
+    access = project.team.max_member_access(user.id)
 
     return if access < Gitlab::Access::GUEST
     guest_access!
@@ -140,7 +142,7 @@ class ProjectPolicy < BasePolicy
       cannot!(*named_abilities(:project_snippet))
     end
 
-    unless project.wiki_enabled
+    unless project.has_wiki?
       cannot!(*named_abilities(:wiki))
     end
 
@@ -156,16 +158,16 @@ class ProjectPolicy < BasePolicy
     end
   end
 
-  def generate!
-    team_access!
+  def rules
+    team_access!(user)
 
-    owner = @user.admin? ||
-            project.owner == @user ||
-            (project.group && project.group.has_owner?(@user))
+    owner = user.admin? ||
+            project.owner == user ||
+            (project.group && project.group.has_owner?(user))
 
     owner_access! if owner
 
-    if project.public? || (project.internal? && !@user.external?)
+    if project.public? || (project.internal? && !user.external?)
       guest_access!
       public_access!
 
@@ -173,7 +175,7 @@ class ProjectPolicy < BasePolicy
       can! :read_build if project.public_builds?
 
       if project.request_access_enabled &&
-         !(owner || project.team.member?(@user) || project_group_member?)
+         !(owner || project.team.member?(user) || project_group_member?(user))
         can! :request_access
       end
     end
@@ -183,11 +185,35 @@ class ProjectPolicy < BasePolicy
     disabled_features!
   end
 
-  def project_group_member?
+  def anonymous_rules
+    return unless project.public?
+
+    can! :read_project
+    can! :read_board
+    can! :read_list
+    can! :read_wiki
+    can! :read_label
+    can! :read_milestone
+    can! :read_project_snippet
+    can! :read_project_member
+    can! :read_merge_request
+    can! :read_note
+    can! :read_pipeline
+    can! :read_commit_status
+    can! :read_container_image
+    can! :download_code
+
+    # Allow to read builds by anonymous user if guests are allowed
+    can! :read_build if project.public_builds?
+
+    disabled_features!
+  end
+
+  def project_group_member?(user)
     project.group &&
     (
-      project.group.members.exists?(user_id: @user.id) ||
-      project.group.requesters.exists?(user_id: @user.id)
+      project.group.members.exists?(user_id: user.id) ||
+      project.group.requesters.exists?(user_id: user.id)
     )
   end
author	http://jneen.net/ <jneen@jneen.net>	2016-08-12 21:36:16 +0300
committer	http://jneen.net/ <jneen@jneen.net>	2016-08-30 21:39:22 +0300
commit	1ca9b3354a350b83d1e025b3d46280bc5bb60f2b (patch)
tree	02d4eb19aa65547badc63f7d41c5adbd2fe5439b /app/policies/project_policy.rb
parent	29b1623a3615fb7683702f4de2dfeafca10f9c1c (diff)