diff options
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 5e252c8e564..a34217d90dd 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -1,6 +1,7 @@ # frozen_string_literal: true class GroupPolicy < BasePolicy + include CrudPolicyHelpers include FindGroupProjects desc "Group is public" @@ -42,15 +43,23 @@ class GroupPolicy < BasePolicy @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS end + desc "Group has wiki disabled" + condition(:wiki_disabled, score: 32) { !feature_available?(:wiki) } + rule { public_group }.policy do enable :read_group enable :read_package + enable :read_wiki end - rule { logged_in_viewable }.enable :read_group + rule { logged_in_viewable }.policy do + enable :read_group + enable :read_wiki + end rule { guest }.policy do enable :read_group + enable :read_wiki enable :upload_file end @@ -78,10 +87,12 @@ class GroupPolicy < BasePolicy enable :create_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation + enable :create_wiki end rule { reporter }.policy do enable :read_container_image + enable :download_wiki_code enable :admin_label enable :admin_list enable :admin_issue @@ -100,6 +111,7 @@ class GroupPolicy < BasePolicy enable :destroy_deploy_token enable :read_deploy_token enable :create_deploy_token + enable :admin_wiki end rule { owner }.policy do @@ -145,6 +157,11 @@ class GroupPolicy < BasePolicy rule { maintainer & can?(:create_projects) }.enable :transfer_projects + rule { wiki_disabled }.policy do + prevent(*create_read_update_admin_destroy(:wiki)) + prevent(:download_wiki_code) + end + def access_level return GroupMember::NO_ACCESS if @user.nil? @@ -154,6 +171,21 @@ class GroupPolicy < BasePolicy def lookup_access_level! @subject.max_member_access_for_user(@user) end + + # TODO: Extract this into a helper shared with ProjectPolicy, once we implement group-level features. + # https://gitlab.com/gitlab-org/gitlab/-/issues/208412 + def feature_available?(feature) + return false unless feature == :wiki + + case @subject.wiki_access_level + when ProjectFeature::DISABLED + false + when ProjectFeature::PRIVATE + admin? || access_level >= ProjectFeature.required_minimum_access_level(feature) + else + true + end + end end GroupPolicy.prepend_if_ee('EE::GroupPolicy') |