class Ability class << self # Given a list of users and a project this method returns the users that can # read the given project. def users_that_can_read_project(users, project) if project.public? users else do |user| if user.admin? true elsif project.internal? && !user.external? true elsif project.owner == user true elsif true else false end end end end # Given a list of users and a snippet this method returns the users that can # read the given snippet. def users_that_can_read_personal_snippet(users, snippet) case snippet.visibility_level when Snippet::INTERNAL, Snippet::PUBLIC users when Snippet::PRIVATE users.include?( ? [] : [] end end # Returns an Array of Issues that can be read by the given user. # # issues - The issues to reduce down to those readable by the user. # user - The User for which to check the issues def issues_readable_by_user(issues, user = nil) return issues if user && user.admin? { |issue| issue.visible_to_user?(user) } end # TODO: make this private and use the actual abilities stuff for this def can_edit_note?(user, note) return false if !note.editable? || !user.present? return true if == user || user.admin? if note.project max_access_level = max_access_level >= Gitlab::Access::MASTER else false end end def allowed?(user, action, subject) allowed(user, subject).include?(action) end def allowed(user, subject) return uncached_allowed(user, subject) unless user_key = user ? : 'anonymous' subject_key = subject ? "#{}/#{}" : 'global' key = "/ability/#{user_key}/#{subject_key}" RequestStore[key] ||= uncached_allowed(user, subject).freeze end private def uncached_allowed(user, subject) BasePolicy.class_for(subject).abilities(user, subject) end end end