1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
|
# frozen_string_literal: true
module ProtectedRefAccess
extend ActiveSupport::Concern
class_methods do
def human_access_levels
{
Gitlab::Access::DEVELOPER => 'Developers + Maintainers',
Gitlab::Access::MAINTAINER => 'Maintainers',
Gitlab::Access::ADMIN => 'Instance admins',
Gitlab::Access::NO_ACCESS => 'No one'
}.slice(*allowed_access_levels)
end
def allowed_access_levels
levels = [
Gitlab::Access::DEVELOPER,
Gitlab::Access::MAINTAINER,
Gitlab::Access::ADMIN,
Gitlab::Access::NO_ACCESS
]
return levels unless Gitlab.com?
levels.excluding(Gitlab::Access::ADMIN)
end
def humanize(access_level)
human_access_levels[access_level]
end
def non_role_types
[]
end
end
included do
scope :maintainer, -> { where(access_level: Gitlab::Access::MAINTAINER) }
scope :developer, -> { where(access_level: Gitlab::Access::DEVELOPER) }
scope :for_role, -> {
if non_role_types.present?
where.missing(*non_role_types)
.allow_cross_joins_across_databases(url: "https://gitlab.com/gitlab-org/gitlab/-/issues/417457")
else
all
end
}
protected_ref_fk = "#{module_parent.model_name.singular}_id"
validates :access_level,
presence: true,
inclusion: { in: allowed_access_levels },
uniqueness: { scope: protected_ref_fk, conditions: -> { for_role } },
if: :role?
end
def humanize
self.class.humanize(access_level)
end
def type
:role
end
def role?
type == :role
end
def check_access(current_user)
return false if current_user.nil? || no_access?
return current_user.admin? if admin_access?
return false if Feature.enabled?(:check_membership_in_protected_ref_access) && !project.member?(current_user)
yield if block_given?
user_can_access?(current_user)
end
private
def admin_access?
role? && access_level == ::Gitlab::Access::ADMIN
end
def no_access?
role? && access_level == Gitlab::Access::NO_ACCESS
end
def user_can_access?(current_user)
current_user.can?(:push_code, project) &&
project.team.max_member_access(current_user.id) >= access_level
end
end
ProtectedRefAccess.include_mod_with('ProtectedRefAccess::Scopes')
ProtectedRefAccess.prepend_mod_with('ProtectedRefAccess')
# When using `prepend` (or `include` for that matter), the `ClassMethods`
# constants are not merged. This means that `class_methods` in
# `EE::ProtectedRefAccess` would be ignored.
#
# To work around this, we prepend the `ClassMethods` constant manually.
ProtectedRefAccess::ClassMethods.prepend_mod_with('ProtectedRefAccess::ClassMethods')
|