gitlabhq/app/models/ability.rb

class Ability
  class << self
    def allowed(object, subject)
      case subject.class.name
      when "Project" then project_abilities(object, subject)
      when "Issue" then issue_abilities(object, subject)
      when "Note" then note_abilities(object, subject)
      when "Snippet" then snippet_abilities(object, subject)
      when "MergeRequest" then merge_request_abilities(object, subject)
      when "Group" then group_abilities(object, subject)
      else []
      end
    end

    def project_abilities(user, project)
      rules = []

      # Rules based on role in project
      if project.master_access_for?(user)
        rules << project_master_rules

      elsif project.dev_access_for?(user)
        rules << project_dev_rules

      elsif project.report_access_for?(user)
        rules << project_report_rules

      elsif project.guest_access_for?(user)
        rules << project_guest_rules
      end

      if project.owner == user
        rules << project_admin_rules
      end

      rules.flatten
    end

    def project_guest_rules
      [
        :read_project,
        :read_wiki,
        :read_issue,
        :read_milestone,
        :read_snippet,
        :read_team_member,
        :read_merge_request,
        :read_note,
        :write_project,
        :write_issue,
        :write_note
      ]
    end

    def project_report_rules
      project_guest_rules + [
        :download_code,
        :write_merge_request,
        :write_snippet
      ]
    end

    def project_dev_rules
      project_report_rules + [
        :write_wiki,
        :push_code
      ]
    end

    def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
        :modify_issue,
        :modify_snippet,
        :modify_merge_request,
        :admin_issue,
        :admin_milestone,
        :admin_snippet,
        :admin_team_member,
        :admin_merge_request,
        :admin_note,
        :accept_mr,
        :admin_wiki,
        :admin_project
      ]
    end

    def project_admin_rules
      project_master_rules + [
        :change_namespace,
        :rename_project,
        :remove_project
      ]
    end

    def group_abilities user, group
      rules = []

      # Only group owner and administrators can manage group
      if group.owner == user || user.admin?
        rules << [
          :manage_group
        ]
      end

      rules.flatten
    end

    [:issue, :note, :snippet, :merge_request].each do |name|
      define_method "#{name}_abilities" do |user, subject|
        if subject.author == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
            :"admin_#{name}"
          ]
        elsif subject.respond_to?(:assignee) && subject.assignee == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
          ]
        else
          subject.respond_to?(:project) ? project_abilities(user, subject.project) : []
        end
      end
    end
  end
end
init commit 2011-10-08 23:36:38 +02:00			`class Ability`
simple refactoring 2012-10-09 02:10:04 +02:00			`class << self`
			`def allowed(object, subject)`
			`case subject.class.name`
			`when "Project" then project_abilities(object, subject)`
			`when "Issue" then issue_abilities(object, subject)`
			`when "Note" then note_abilities(object, subject)`
			`when "Snippet" then snippet_abilities(object, subject)`
			`when "MergeRequest" then merge_request_abilities(object, subject)`
add ability to change namespace from project edit page 2012-11-24 21:00:30 +01:00			`when "Group" then group_abilities(object, subject)`
simple refactoring 2012-10-09 02:10:04 +02:00			`else []`
			`end`
init commit 2011-10-08 23:36:38 +02:00			`end`

simple refactoring 2012-10-09 02:10:04 +02:00			`def project_abilities(user, project)`
			`rules = []`
init commit 2011-10-08 23:36:38 +02:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`# Rules based on role in project`
			`if project.master_access_for?(user)`
Only owner of current namespace can change project namespace 2012-12-04 21:06:55 +01:00			`rules << project_master_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00
			`elsif project.dev_access_for?(user)`
			`rules << project_dev_rules`

			`elsif project.report_access_for?(user)`
			`rules << project_report_rules`

			`elsif project.guest_access_for?(user)`
			`rules << project_guest_rules`
			`end`

Fix few bugs and tests after refactoring ownership logic 2013-01-02 18:32:34 +01:00			`if project.owner == user`
			`rules << project_admin_rules`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`end`

			`rules.flatten`
			`end`

			`def project_guest_rules`
			`[`
simple refactoring 2012-10-09 02:10:04 +02:00			`:read_project,`
			`:read_wiki,`
			`:read_issue,`
			`:read_milestone,`
			`:read_snippet,`
			`:read_team_member,`
			`:read_merge_request,`
			`:read_note,`
			`:write_project,`
			`:write_issue,`
			`:write_note`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`]`
			`end`
Wiki abilities 2012-02-20 19:16:55 +01:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`def project_report_rules`
			`project_guest_rules + [`
simple refactoring 2012-10-09 02:10:04 +02:00			`:download_code,`
			`:write_merge_request,`
			`:write_snippet`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`]`
			`end`
Wiki abilities 2012-02-20 19:16:55 +01:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`def project_dev_rules`
			`project_report_rules + [`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 11:12:14 +02:00			`:write_wiki,`
			`:push_code`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`]`
			`end`
Security for online editor. Replace dev_access?, master_access? with can? method usage 2012-10-21 11:12:14 +02:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`def project_master_rules`
			`project_dev_rules + [`
			`:push_code_to_protected_branches,`
simple refactoring 2012-10-09 02:10:04 +02:00			`:modify_issue,`
			`:modify_snippet,`
			`:modify_merge_request,`
			`:admin_issue,`
			`:admin_milestone,`
			`:admin_snippet,`
			`:admin_team_member,`
			`:admin_merge_request,`
			`:admin_note,`
			`:accept_mr,`
Only owner of current namespace can change project namespace 2012-12-04 21:06:55 +01:00			`:admin_wiki,`
			`:admin_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`]`
			`end`
init commit 2011-10-08 23:36:38 +02:00
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`def project_admin_rules`
			`project_master_rules + [`
Only owner of current namespace can change project namespace 2012-12-04 21:06:55 +01:00			`:change_namespace,`
Admin can move project to ANY namespace. Updated permissions page 2012-12-04 21:48:24 +01:00			`:rename_project,`
			`:remove_project`
Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces 2012-11-29 05:29:11 +01:00			`]`
simple refactoring 2012-10-09 02:10:04 +02:00			`end`
security improved 2011-10-17 12:39:03 +02:00
add ability to change namespace from project edit page 2012-11-24 21:00:30 +01:00			`def group_abilities user, group`
			`rules = []`

Fix #2375. Admin and owner can manage groups 2013-01-02 17:57:02 +01:00			`# Only group owner and administrators can manage group`
			`if group.owner == user \|\| user.admin?`
			`rules << [`
			`:manage_group`
			`]`
			`end`
add ability to change namespace from project edit page 2012-11-24 21:00:30 +01:00
			`rules.flatten`
			`end`

Wiki abilities 2012-02-20 19:16:55 +01:00			`[:issue, :note, :snippet, :merge_request].each do \|name\|`
security improved 2011-10-17 12:39:03 +02:00			`define_method "#{name}_abilities" do \|user, subject\|`
			`if subject.author == user`
			`[`
			`:"read_#{name}",`
			`:"write_#{name}",`
Abilities refactoring 2011-12-15 22:57:46 +01:00			`:"modify_#{name}",`
security improved 2011-10-17 12:39:03 +02:00			`:"admin_#{name}"`
			`]`
Abilities extended. Resources security improved 2012-02-21 23:31:18 +01:00			`elsif subject.respond_to?(:assignee) && subject.assignee == user`
			`[`
			`:"read_#{name}",`
			`:"write_#{name}",`
			`:"modify_#{name}",`
			`]`
security improved 2011-10-17 12:39:03 +02:00			`else`
simple refactoring 2012-10-09 02:10:04 +02:00			`subject.respond_to?(:project) ? project_abilities(user, subject.project) : []`
security improved 2011-10-17 12:39:03 +02:00			`end`
			`end`
			`end`
			`end`
init commit 2011-10-08 23:36:38 +02:00			`end`