app/models/concerns/has_user_type.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

# frozen_string_literal: true

module HasUserType
  extend ActiveSupport::Concern

  USER_TYPES = {
    human: 0,
    support_bot: 1,
    alert_bot: 2,
    visual_review_bot: 3,
    service_user: 4,
    ghost: 5,
    project_bot: 6,
    migration_bot: 7,
    security_bot: 8,
    automation_bot: 9,
    security_policy_bot: 10,
    admin_bot: 11,
    suggested_reviewers_bot: 12,
    service_account: 13,
    llm_bot: 14
  }.with_indifferent_access.freeze

  BOT_USER_TYPES = %w[
    alert_bot
    project_bot
    support_bot
    visual_review_bot
    migration_bot
    security_bot
    automation_bot
    security_policy_bot
    admin_bot
    suggested_reviewers_bot
    service_account
    llm_bot
  ].freeze

  # `service_account` allows instance/namespaces to configure a user for external integrations/automations
  # `service_user` is an internal, `gitlab-com`-specific user type for integrations like suggested reviewers
  NON_INTERNAL_USER_TYPES = %w[human project_bot service_user service_account].freeze
  INTERNAL_USER_TYPES = (USER_TYPES.keys - NON_INTERNAL_USER_TYPES).freeze

  included do
    enum user_type: USER_TYPES

    scope :bots, -> { where(user_type: BOT_USER_TYPES) }
    scope :without_bots, -> { where(user_type: USER_TYPES.keys - BOT_USER_TYPES) }
    scope :non_internal, -> { where(user_type: NON_INTERNAL_USER_TYPES) }
    scope :without_ghosts, -> { where(user_type: USER_TYPES.keys - ['ghost']) }
    scope :without_project_bot, -> { where(user_type: USER_TYPES.keys - ['project_bot']) }
    scope :human_or_service_user, -> { where(user_type: %i[human service_user]) }

    validates :user_type, presence: true
  end

  def bot?
    BOT_USER_TYPES.include?(user_type)
  end

  def internal?
    INTERNAL_USER_TYPES.include?(user_type)
  end

  def redacted_name(viewing_user)
    return self.name unless self.project_bot?

    return self.name if self.groups.any? && viewing_user&.can?(:read_group, self.groups.first)

    return self.name if viewing_user&.can?(:read_project, self.projects.first)

    # If the requester does not have permission to read the project bot name,
    # the API returns an arbitrary string. UI changes will be addressed in a follow up issue:
    # https://gitlab.com/gitlab-org/gitlab/-/issues/346058
    '****'
  end

  def resource_bot_resource
    return unless project_bot?

    projects&.first || groups&.first
  end

  def resource_bot_owners
    return [] unless project_bot?

    resource = resource_bot_resource
    return [] unless resource

    return resource.maintainers if resource.is_a?(Project)

    resource.owners
  end
end