From 8ee1927db90d43205b4e6f8bd13f209c74b41bd1 Mon Sep 17 00:00:00 2001
From: Pavel Shutsin
Date: Mon, 18 Mar 2019 17:36:34 +0300
Subject: Move out link\unlink ability checks to a policy

We can extend the policy in EE for additional behavior
---
app/policies/identity_provider_policy.rb | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 app/policies/identity_provider_policy.rb
(limited to 'app/policies/identity_provider_policy.rb')
diff --git a/app/policies/identity_provider_policy.rb b/app/policies/identity_provider_policy.rb
new file mode 100644
index 00000000000..d34cdd5bdd4
--- /dev/null
+++ b/app/policies/identity_provider_policy.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+class IdentityProviderPolicy < BasePolicy
+ desc "Provider is SAML or CAS3"
+ condition(:protected_provider, scope: :subject, score: 0) { %w(saml cas3).include?(@subject.to_s) }
+
+ rule { anonymous }.prevent_all
+
+ rule { default }.policy do
+ enable :unlink
+ enable :link
+ end
+
+ rule { protected_provider }.prevent(:unlink)
+end
--
cgit v1.2.3
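Review bot: The `protected_provider` condition is an exact, case-sensitive match of `@subject.to_s` against the literals `saml` and `cas3`, while `rule { default }` enables `:unlink` for every other subject, so the unlink protection fails open for any provider name that does not match those two strings exactly. Whether provider names can be configured under other names or reach the policy in another form is not visible in this path-limited view, so callers should be checked for what they pass as the subject. I would lift the list into a named frozen constant, e.g. `PROTECTED_PROVIDERS = %w[saml cas3].freeze`, and put a comment above it stating why these identities must not be unlinked by the user and that EE overrides are expected to extend it. A short comment on `rule { protected_provider }.prevent(:unlink)` noting that `:link` deliberately stays enabled for protected providers would also save the next reader from guessing.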