diff options
| author | Michael Kozono <mkozono@gmail.com> | 2017-09-02 04:00:46 +0300 |
|---|---|---|
| committer | Michael Kozono <mkozono@gmail.com> | 2017-09-06 22:07:20 +0300 |
| commit | 6c57734677746aa0e6695aa75990a85a7f95b50d (patch) | |
| tree | 792a4a0a0a8856ca4702c4464862b53d4bd9461b /app/policies | |
| parent | 1cc7f4a45d9e9fdf1943eb92d3cd2071ba497337 (diff) | |
Enforce share_with_group_lock rules
…in Groups::UpdateService instead of only in the browser.
Diffstat (limited to 'app/policies')
| -rw-r--r-- | app/policies/group_policy.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 8ada661e571..dab27bbf6da 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -15,6 +15,9 @@ class GroupPolicy < BasePolicy condition(:nested_groups_supported, scope: :global) { Group.supports_nested_groups? } + condition(:parent_share_locked) { @subject.has_parent? && @subject.parent.share_with_group_lock? } + condition(:parent_owner) { @subject.has_parent? && @subject.parent.has_owner?(@user) } + condition(:has_projects) do GroupProjectsFinder.new(group: @subject, current_user: @user).execute.any? end @@ -54,6 +57,8 @@ class GroupPolicy < BasePolicy rule { ~can?(:view_globally) }.prevent :request_access rule { has_access }.prevent :request_access + rule { owner & (~parent_share_locked | parent_owner) }.enable :change_share_with_group_lock + def access_level return GroupMember::NO_ACCESS if @user.nil? |