diff options
| author | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
|---|---|---|
| committer | Andreas Brandl <abrandl@gitlab.com> | 2019-04-05 16:02:56 +0300 |
| commit | 46b1b9c1d61c269588bd3cd4203420608ddd7f0b (patch) | |
| tree | a877f5366d3367e1264e96f3f5e8a4b23bdbd62a /app/policies | |
| parent | 7a48a06cf3b454021aa466464686fee8c82d6862 (diff) | |
Revert "Merge branch 'if-57131-external_auth_to_ce' into 'master'"
This reverts merge request !26823
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/base_policy.rb | 9 | ||||
| -rw-r--r-- | app/policies/project_policy.rb | 28 |
2 files changed, 1 insertions, 36 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 5dd2279ef99..72de04203a6 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -22,13 +22,6 @@ class BasePolicy < DeclarativePolicy::Base Gitlab::CurrentSettings.current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC) end - condition(:external_authorization_enabled, scope: :global, score: 0) do - ::Gitlab::ExternalAuthorization.perform_check? - end - - rule { external_authorization_enabled & ~full_private_access }.policy do - prevent :read_cross_project - end - + # This is prevented in some cases in `gitlab-ee` rule { default }.enable :read_cross_project end diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index ba38af9c529..26d7d6e84c4 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -89,15 +89,6 @@ class ProjectPolicy < BasePolicy ::Gitlab::CurrentSettings.current_application_settings.mirror_available end - with_scope :subject - condition(:classification_label_authorized, score: 32) do - ::Gitlab::ExternalAuthorization.access_allowed?( - @user, - @subject.external_authorization_classification_label, - @subject.full_path - ) - end - # We aren't checking `:read_issue` or `:read_merge_request` in this case # because it could be possible for a user to see an issuable-iid # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be @@ -426,25 +417,6 @@ class ProjectPolicy < BasePolicy rule { ~can_have_multiple_clusters & has_clusters }.prevent :add_cluster - rule { ~can?(:read_cross_project) & ~classification_label_authorized }.policy do - # Preventing access here still allows the projects to be listed. Listing - # projects doesn't check the `:read_project` ability. But instead counts - # on the `project_authorizations` table. - # - # All other actions should explicitly check read project, which would - # trigger the `classification_label_authorized` condition. - # - # `:read_project_for_iids` is not prevented by this condition, as it is - # used for cross-project reference checks. - prevent :guest_access - prevent :public_access - prevent :public_user_access - prevent :reporter_access - prevent :developer_access - prevent :maintainer_access - prevent :owner_access - end - private def team_member? |