ability.rb 14.3 KB
Newer Older
G
gitlabhq 已提交
1
class Ability
A
Andrey Kumanyaev 已提交
2
  class << self
3
    def allowed(user, subject)
4
      return anonymous_abilities(user, subject) if user.nil?
D
Douwe Maan 已提交
5
      return [] unless user.is_a?(User)
6
      return [] if user.blocked?
7

8 9 10 11 12 13 14 15 16 17 18 19
      case subject
      when CommitStatus then commit_status_abilities(user, subject)
      when Project then project_abilities(user, subject)
      when Issue then issue_abilities(user, subject)
      when Note then note_abilities(user, subject)
      when ProjectSnippet then project_snippet_abilities(user, subject)
      when PersonalSnippet then personal_snippet_abilities(user, subject)
      when MergeRequest then merge_request_abilities(user, subject)
      when Group then group_abilities(user, subject)
      when Namespace then namespace_abilities(user, subject)
      when GroupMember then group_member_abilities(user, subject)
      when ProjectMember then project_member_abilities(user, subject)
F
Felipe Artur 已提交
20
      when User then user_abilities
21
      when ExternalIssue, Deployment, Environment then project_abilities(user, subject.project)
J
James Lopez 已提交
22
      else []
23 24 25
      end.concat(global_abilities(user))
    end

Y
Yorick Peterse 已提交
26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
    # Given a list of users and a project this method returns the users that can
    # read the given project.
    def users_that_can_read_project(users, project)
      if project.public?
        users
      else
        users.select do |user|
          if user.admin?
            true
          elsif project.internal? && !user.external?
            true
          elsif project.owner == user
            true
          elsif project.team.members.include?(user)
            true
          else
            false
          end
        end
      end
    end

48 49
    # List of possible abilities for anonymous user
    def anonymous_abilities(user, subject)
50
      if subject.is_a?(PersonalSnippet)
51
        anonymous_personal_snippet_abilities(subject)
52
      elsif subject.is_a?(ProjectSnippet)
53
        anonymous_project_snippet_abilities(subject)
54
      elsif subject.is_a?(CommitStatus)
K
Kamil Trzcinski 已提交
55
        anonymous_commit_status_abilities(subject)
56
      elsif subject.is_a?(Project) || subject.respond_to?(:project)
57
        anonymous_project_abilities(subject)
58
      elsif subject.is_a?(Group) || subject.respond_to?(:group)
59
        anonymous_group_abilities(subject)
60
      elsif subject.is_a?(User)
F
Felipe Artur 已提交
61
        anonymous_user_abilities
D
Douwe Maan 已提交
62 63 64
      else
        []
      end
65 66
    end

67
    def anonymous_project_abilities(subject)
D
Douwe Maan 已提交
68
      project = if subject.is_a?(Project)
69 70
                  subject
                else
71
                  subject.project
72 73
                end

74
      if project && project.public?
75
        rules = [
76 77
          :read_project,
          :read_wiki,
78
          :read_label,
79 80
          :read_milestone,
          :read_project_snippet,
81
          :read_project_member,
82 83
          :read_merge_request,
          :read_note,
84
          :read_pipeline,
85
          :read_commit_status,
K
Kamil Trzcinski 已提交
86
          :read_container_image,
87 88
          :download_code
        ]
89

K
Kamil Trzcinski 已提交
90
        # Allow to read builds by anonymous user if guests are allowed
91
        rules << :read_build if project.public_builds?
92

93 94 95
        # Allow to read issues by anonymous user if issue is not confidential
        rules << :read_issue unless subject.is_a?(Issue) && subject.confidential?

96
        rules - project_disabled_features_rules(project)
97
      else
98 99 100
        []
      end
    end
101

K
Kamil Trzcinski 已提交
102 103 104 105 106 107 108
    def anonymous_commit_status_abilities(subject)
      rules = anonymous_project_abilities(subject.project)
      # If subject is Ci::Build which inherits from CommitStatus filter the abilities
      rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
      rules
    end

109
    def anonymous_group_abilities(subject)
F
Felipe Artur 已提交
110 111
      rules = []

D
Douwe Maan 已提交
112
      group = if subject.is_a?(Group)
113 114 115 116 117
                subject
              else
                subject.group
              end

F
Felipe Artur 已提交
118
      rules << :read_group if group.public?
F
Felipe Artur 已提交
119 120

      rules
121 122
    end

123
    def anonymous_personal_snippet_abilities(snippet)
124 125 126 127
      if snippet.public?
        [:read_personal_snippet]
      else
        []
128 129 130
      end
    end

131 132 133 134 135 136 137 138
    def anonymous_project_snippet_abilities(snippet)
      if snippet.public?
        [:read_project_snippet]
      else
        []
      end
    end

F
Felipe Artur 已提交
139 140
    def anonymous_user_abilities
      [:read_user] unless restricted_public_level?
F
Felipe Artur 已提交
141 142
    end

143 144 145
    def global_abilities(user)
      rules = []
      rules << :create_group if user.can_create_group
146
      rules << :read_users_list
147
      rules
G
gitlabhq 已提交
148 149
    end

A
Andrey Kumanyaev 已提交
150 151
    def project_abilities(user, project)
      rules = []
S
skv-headless 已提交
152
      key = "/user/#{user.id}/project/#{project.id}"
153

S
skv-headless 已提交
154
      RequestStore.store[key] ||= begin
Z
Zeger-Jan van de Weg 已提交
155
        # Push abilities on the users team role
R
Rémy Coutable 已提交
156
        rules.push(*project_team_rules(project.team, user))
G
gitlabhq 已提交
157

D
Douwe Maan 已提交
158 159 160 161 162 163 164
        if project.owner == user ||
          (project.group && project.group.has_owner?(user)) ||
          user.admin?

          rules.push(*project_owner_rules)
        end

Z
Zeger-Jan van de Weg 已提交
165
        if project.public? || (project.internal? && !user.external?)
166
          rules.push(*public_project_rules)
167

168
          # Allow to read builds for internal projects
169
          rules << :read_build if project.public_builds?
S
skv-headless 已提交
170
        end
171

S
skv-headless 已提交
172 173 174
        if project.archived?
          rules -= project_archived_rules
        end
175

176
        rules - project_disabled_features_rules(project)
177
      end
178 179
    end

Z
Zeger-Jan van de Weg 已提交
180 181 182 183 184 185 186 187 188 189
    def project_team_rules(team, user)
      # Rules based on role in project
      if team.master?(user)
        project_master_rules
      elsif team.developer?(user)
        project_dev_rules
      elsif team.reporter?(user)
        project_report_rules
      elsif team.guest?(user)
        project_guest_rules
R
Rémy Coutable 已提交
190 191
      else
        []
Z
Zeger-Jan van de Weg 已提交
192 193 194
      end
    end

195
    def public_project_rules
J
Jason Lee 已提交
196
      @public_project_rules ||= project_guest_rules + [
197
        :download_code,
198
        :fork_project,
F
Felipe Artur 已提交
199
        :read_commit_status
200 201 202
      ]
    end

203
    def project_guest_rules
J
Jason Lee 已提交
204
      @project_guest_rules ||= [
A
Andrey Kumanyaev 已提交
205 206 207
        :read_project,
        :read_wiki,
        :read_issue,
208
        :read_label,
A
Andrey Kumanyaev 已提交
209
        :read_milestone,
A
Andrew8xx8 已提交
210
        :read_project_snippet,
211
        :read_project_member,
A
Andrey Kumanyaev 已提交
212 213
        :read_merge_request,
        :read_note,
214 215
        :create_project,
        :create_issue,
D
Douwe Maan 已提交
216 217
        :create_note,
        :upload_file
218 219
      ]
    end
D
Dmitriy Zaporozhets 已提交
220

221
    def project_report_rules
J
Jason Lee 已提交
222
      @project_report_rules ||= project_guest_rules + [
A
Andrey Kumanyaev 已提交
223
        :download_code,
224
        :fork_project,
225 226 227
        :create_project_snippet,
        :update_issue,
        :admin_issue,
228
        :admin_label,
229
        :read_commit_status,
230
        :read_build,
K
Kamil Trzcinski 已提交
231
        :read_container_image,
K
WIP  
Kamil Trzcinski 已提交
232
        :read_pipeline,
233 234
        :read_environment,
        :read_deployment
235 236
      ]
    end
D
Dmitriy Zaporozhets 已提交
237

238
    def project_dev_rules
J
Jason Lee 已提交
239
      @project_dev_rules ||= project_report_rules + [
240
        :admin_merge_request,
241
        :update_merge_request,
242 243 244 245
        :create_commit_status,
        :update_commit_status,
        :create_build,
        :update_build,
K
WIP  
Kamil Trzcinski 已提交
246 247
        :create_pipeline,
        :update_pipeline,
248 249
        :create_merge_request,
        :create_wiki,
250
        :push_code,
K
Kamil Trzcinski 已提交
251 252
        :create_container_image,
        :update_container_image,
253
        :create_environment,
254
        :create_deployment
255 256
      ]
    end
257

258
    def project_archived_rules
J
Jason Lee 已提交
259
      @project_archived_rules ||= [
260
        :create_merge_request,
261 262
        :push_code,
        :push_code_to_protected_branches,
263
        :update_merge_request,
264 265 266 267
        :admin_merge_request
      ]
    end

268
    def project_master_rules
J
Jason Lee 已提交
269
      @project_master_rules ||= project_dev_rules + [
270
        :push_code_to_protected_branches,
271
        :update_project_snippet,
K
Kamil Trzcinski 已提交
272
        :update_environment,
273
        :update_deployment,
A
Andrey Kumanyaev 已提交
274
        :admin_milestone,
A
Andrew8xx8 已提交
275
        :admin_project_snippet,
276
        :admin_project_member,
A
Andrey Kumanyaev 已提交
277 278
        :admin_merge_request,
        :admin_note,
279
        :admin_wiki,
280 281
        :admin_project,
        :admin_commit_status,
K
WIP  
Kamil Trzcinski 已提交
282
        :admin_build,
K
Kamil Trzcinski 已提交
283
        :admin_container_image,
284 285 286
        :admin_pipeline,
        :admin_environment,
        :admin_deployment
287 288
      ]
    end
G
gitlabhq 已提交
289

D
Douwe Maan 已提交
290 291
    def project_owner_rules
      @project_owner_rules ||= project_master_rules + [
292
        :change_namespace,
293
        :change_visibility_level,
294
        :rename_project,
295
        :remove_project,
296
        :archive_project,
297
        :remove_fork_project,
298 299
        :destroy_merge_request,
        :destroy_issue
300
      ]
A
Andrey Kumanyaev 已提交
301
    end
G
gitlabhq 已提交
302

303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326
    def project_disabled_features_rules(project)
      rules = []

      unless project.issues_enabled
        rules += named_abilities('issue')
      end

      unless project.merge_requests_enabled
        rules += named_abilities('merge_request')
      end

      unless project.issues_enabled or project.merge_requests_enabled
        rules += named_abilities('label')
        rules += named_abilities('milestone')
      end

      unless project.snippets_enabled
        rules += named_abilities('project_snippet')
      end

      unless project.wiki_enabled
        rules += named_abilities('wiki')
      end

327 328
      unless project.builds_enabled
        rules += named_abilities('build')
K
WIP  
Kamil Trzcinski 已提交
329
        rules += named_abilities('pipeline')
330 331
        rules += named_abilities('environment')
        rules += named_abilities('deployment')
332 333
      end

334
      unless project.container_registry_enabled
K
Kamil Trzcinski 已提交
335
        rules += named_abilities('container_image')
336 337
      end

338 339 340
      rules
    end

341
    def group_abilities(user, group)
342
      rules = []
F
Felipe Artur 已提交
343
      rules << :read_group if can_read_group?(user, group)
344

D
Douwe Maan 已提交
345
      # Only group masters and group owners can create new projects
346
      if group.has_master?(user) || group.has_owner?(user) || user.admin?
347
        rules += [
348
          :create_projects,
F
Felipe Artur 已提交
349
          :admin_milestones
350
        ]
351 352
      end

353
      # Only group owner and administrators can admin group
354
      if group.has_owner?(user) || user.admin?
D
Douwe Maan 已提交
355 356 357
        rules += [
          :admin_group,
          :admin_namespace,
F
Felipe Artur 已提交
358 359
          :admin_group_member,
          :change_visibility_level
D
Douwe Maan 已提交
360
        ]
361
      end
362 363 364 365

      rules.flatten
    end

F
Felipe Artur 已提交
366
    def can_read_group?(user, group)
D
Douwe Maan 已提交
367 368 369 370 371 372
      return true if user.admin?
      return true if group.public?
      return true if group.internal? && !user.external?
      return true if group.users.include?(user)

      GroupProjectsFinder.new(group).execute(user).any?
F
Felipe Artur 已提交
373 374
    end

375
    def namespace_abilities(user, namespace)
376 377
      rules = []

378
      # Only namespace owner and administrators can admin it
379
      if namespace.owner == user || user.admin?
D
Douwe Maan 已提交
380 381 382 383
        rules += [
          :create_projects,
          :admin_namespace
        ]
384 385 386 387 388
      end

      rules.flatten
    end

389
    [:issue, :merge_request].each do |name|
G
gitlabhq 已提交
390
      define_method "#{name}_abilities" do |user, subject|
391 392 393 394
        rules = []

        if subject.author == user || (subject.respond_to?(:assignee) && subject.assignee == user)
          rules += [
G
gitlabhq 已提交
395
            :"read_#{name}",
396
            :"update_#{name}",
G
gitlabhq 已提交
397
          ]
398 399 400
        end

        rules += project_abilities(user, subject.project)
401
        rules = filter_confidential_issues_abilities(user, subject, rules) if subject.is_a?(Issue)
402 403 404 405
        rules
      end
    end

406 407
    def note_abilities(user, note)
      rules = []
408

409 410 411 412 413 414 415
      if note.author == user
        rules += [
          :read_note,
          :update_note,
          :admin_note
        ]
      end
416

417 418
      if note.respond_to?(:project) && note.project
        rules += project_abilities(user, note.project)
G
gitlabhq 已提交
419
      end
420 421

      rules
G
gitlabhq 已提交
422
    end
423

424 425 426 427 428 429 430 431 432 433 434
    def personal_snippet_abilities(user, snippet)
      rules = []

      if snippet.author == user
        rules += [
          :read_personal_snippet,
          :update_personal_snippet,
          :admin_personal_snippet
        ]
      end

Z
Zeger-Jan van de Weg 已提交
435
      if snippet.public? || (snippet.internal? && !user.external?)
J
Jason Lee 已提交
436
        rules << :read_personal_snippet
437 438 439 440 441
      end

      rules
    end

442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459
    def project_snippet_abilities(user, snippet)
      rules = []

      if snippet.author == user || user.admin?
        rules += [
          :read_project_snippet,
          :update_project_snippet,
          :admin_project_snippet
        ]
      end

      if snippet.public? || (snippet.internal? && !user.external?) || (snippet.private? && snippet.project.team.member?(user))
        rules << :read_project_snippet
      end

      rules
    end

460
    def group_member_abilities(user, subject)
461 462 463
      rules = []
      target_user = subject.user
      group = subject.group
464

D
Douwe Maan 已提交
465 466
      unless group.last_owner?(target_user)
        can_manage = group_abilities(user, group).include?(:admin_group_member)
467

468
        if can_manage
D
Douwe Maan 已提交
469 470
          rules << :update_group_member
          rules << :destroy_group_member
471
        elsif user == target_user
D
Douwe Maan 已提交
472 473
          rules << :destroy_group_member
        end
474
      end
475

476 477
      rules
    end
C
Ciro Santilli 已提交
478

479 480 481 482 483
    def project_member_abilities(user, subject)
      rules = []
      target_user = subject.user
      project = subject.project

D
Douwe Maan 已提交
484 485
      unless target_user == project.owner
        can_manage = project_abilities(user, project).include?(:admin_project_member)
486

487
        if can_manage
D
Douwe Maan 已提交
488 489
          rules << :update_project_member
          rules << :destroy_project_member
490
        elsif user == target_user
D
Douwe Maan 已提交
491 492
          rules << :destroy_project_member
        end
493
      end
D
Douwe Maan 已提交
494

495 496 497
      rules
    end

K
Kamil Trzcinski 已提交
498 499 500 501 502 503 504
    def commit_status_abilities(user, subject)
      rules = project_abilities(user, subject.project)
      # If subject is Ci::Build which inherits from CommitStatus filter the abilities
      rules = filter_build_abilities(rules) if subject.is_a?(Ci::Build)
      rules
    end

505 506 507
    def filter_build_abilities(rules)
      # If we can't read build we should also not have that
      # ability when looking at this in context of commit_status
508
      %w(read create update admin).each do |rule|
509
        rules.delete(:"#{rule}_commit_status") unless rules.include?(:"#{rule}_build")
510 511 512 513
      end
      rules
    end

F
Felipe Artur 已提交
514
    def user_abilities
F
Felipe Artur 已提交
515 516 517
      [:read_user]
    end

C
Ciro Santilli 已提交
518 519
    def abilities
      @abilities ||= begin
520 521 522 523
        abilities = Six.new
        abilities << self
        abilities
      end
C
Ciro Santilli 已提交
524
    end
525 526 527

    private

F
Felipe Artur 已提交
528
    def restricted_public_level?
F
Felipe Artur 已提交
529
      current_application_settings.restricted_visibility_levels.include?(Gitlab::VisibilityLevel::PUBLIC)
F
Felipe Artur 已提交
530 531
    end

532 533 534
    def named_abilities(name)
      [
        :"read_#{name}",
535 536
        :"create_#{name}",
        :"update_#{name}",
537 538 539
        :"admin_#{name}"
      ]
    end
540 541 542 543

    def filter_confidential_issues_abilities(user, issue, rules)
      return rules if user.admin? || !issue.confidential?

544
      unless issue.author == user || issue.assignee == user || issue.project.team.member?(user, Gitlab::Access::REPORTER)
545 546 547 548 549 550 551
        rules.delete(:admin_issue)
        rules.delete(:read_issue)
        rules.delete(:update_issue)
      end

      rules
    end
G
gitlabhq 已提交
552
  end
G
gitlabhq 已提交
553
end