Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
李少辉-开发者
gitlab-foss
提交
1ca9b335
G
gitlab-foss
项目概览
李少辉-开发者
/
gitlab-foss
通知
15
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
G
gitlab-foss
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
1ca9b335
编写于
8月 12, 2016
作者:
H
http://jneen.net/
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
add support for anonymous abilities
上级
29b1623a
变更
3
隐藏空白更改
内联
并排
Showing
3 changed file
with
67 addition
and
205 deletion
+67
-205
app/models/ability.rb
app/models/ability.rb
+6
-188
app/policies/base_policy.rb
app/policies/base_policy.rb
+22
-4
app/policies/project_policy.rb
app/policies/project_policy.rb
+39
-13
未找到文件。
app/models/ability.rb
浏览文件 @
1ca9b335
...
...
@@ -71,7 +71,7 @@ class Ability
def
abilities_by_subject_class
(
user
:,
subject
:)
case
subject
when
CommitStatus
then
commit_status_abilities
(
user
,
subject
)
when
Project
then
ProjectPolicy
.
new
(
user
,
subject
).
abilities
when
Project
then
ProjectPolicy
.
abilities
(
user
,
subject
)
when
Issue
then
issue_abilities
(
user
,
subject
)
when
Note
then
note_abilities
(
user
,
subject
)
when
ProjectSnippet
then
project_snippet_abilities
(
user
,
subject
)
...
...
@@ -96,8 +96,10 @@ class Ability
anonymous_project_snippet_abilities
(
subject
)
elsif
subject
.
is_a?
(
CommitStatus
)
anonymous_commit_status_abilities
(
subject
)
elsif
subject
.
is_a?
(
Project
)
||
subject
.
respond_to?
(
:project
)
anonymous_project_abilities
(
subject
)
elsif
subject
.
is_a?
(
Project
)
ProjectPolicy
.
abilities
(
nil
,
subject
)
elsif
subject
.
respond_to?
(
:project
)
ProjectPolicy
.
abilities
(
nil
,
subject
.
project
)
elsif
subject
.
is_a?
(
Group
)
||
subject
.
respond_to?
(
:group
)
anonymous_group_abilities
(
subject
)
elsif
subject
.
is_a?
(
User
)
...
...
@@ -194,174 +196,7 @@ class Ability
def
project_abilities
(
user
,
project
)
# temporary patch, deleteme before merge
ProjectPolicy
.
new
(
user
,
project
).
abilities
.
to_a
end
def
project_team_rules
(
team
,
user
)
# Rules based on role in project
if
team
.
master?
(
user
)
project_master_rules
elsif
team
.
developer?
(
user
)
project_dev_rules
elsif
team
.
reporter?
(
user
)
project_report_rules
elsif
team
.
guest?
(
user
)
project_guest_rules
else
[]
end
end
def
public_project_rules
@public_project_rules
||=
project_guest_rules
+
[
:download_code
,
:fork_project
,
:read_commit_status
,
:read_pipeline
,
:read_container_image
]
end
def
project_guest_rules
@project_guest_rules
||=
[
:read_project
,
:read_wiki
,
:read_issue
,
:read_board
,
:read_list
,
:read_label
,
:read_milestone
,
:read_project_snippet
,
:read_project_member
,
:read_merge_request
,
:read_note
,
:create_project
,
:create_issue
,
:create_note
,
:upload_file
]
end
def
project_report_rules
@project_report_rules
||=
project_guest_rules
+
[
:download_code
,
:fork_project
,
:create_project_snippet
,
:update_issue
,
:admin_issue
,
:admin_label
,
:admin_list
,
:read_commit_status
,
:read_build
,
:read_container_image
,
:read_pipeline
,
:read_environment
,
:read_deployment
]
end
def
project_dev_rules
@project_dev_rules
||=
project_report_rules
+
[
:admin_merge_request
,
:update_merge_request
,
:create_commit_status
,
:update_commit_status
,
:create_build
,
:update_build
,
:create_pipeline
,
:update_pipeline
,
:create_merge_request
,
:create_wiki
,
:push_code
,
:resolve_note
,
:create_container_image
,
:update_container_image
,
:create_environment
,
:create_deployment
]
end
def
project_archived_rules
@project_archived_rules
||=
[
:create_merge_request
,
:push_code
,
:push_code_to_protected_branches
,
:update_merge_request
,
:admin_merge_request
]
end
def
project_master_rules
@project_master_rules
||=
project_dev_rules
+
[
:push_code_to_protected_branches
,
:update_project_snippet
,
:update_environment
,
:update_deployment
,
:admin_milestone
,
:admin_project_snippet
,
:admin_project_member
,
:admin_merge_request
,
:admin_note
,
:admin_wiki
,
:admin_project
,
:admin_commit_status
,
:admin_build
,
:admin_container_image
,
:admin_pipeline
,
:admin_environment
,
:admin_deployment
]
end
def
project_owner_rules
@project_owner_rules
||=
project_master_rules
+
[
:change_namespace
,
:change_visibility_level
,
:rename_project
,
:remove_project
,
:archive_project
,
:remove_fork_project
,
:destroy_merge_request
,
:destroy_issue
]
end
def
project_disabled_features_rules
(
project
)
rules
=
[]
unless
project
.
issues_enabled
rules
+=
named_abilities
(
'issue'
)
end
unless
project
.
merge_requests_enabled
rules
+=
named_abilities
(
'merge_request'
)
end
unless
project
.
issues_enabled
or
project
.
merge_requests_enabled
rules
+=
named_abilities
(
'label'
)
rules
+=
named_abilities
(
'milestone'
)
end
unless
project
.
snippets_enabled
rules
+=
named_abilities
(
'project_snippet'
)
end
unless
project
.
has_wiki?
rules
+=
named_abilities
(
'wiki'
)
end
unless
project
.
builds_enabled
rules
+=
named_abilities
(
'build'
)
rules
+=
named_abilities
(
'pipeline'
)
rules
+=
named_abilities
(
'environment'
)
rules
+=
named_abilities
(
'deployment'
)
end
unless
project
.
container_registry_enabled
rules
+=
named_abilities
(
'container_image'
)
end
rules
ProjectPolicy
.
abilities
(
user
,
project
).
to_a
end
def
group_abilities
(
user
,
group
)
...
...
@@ -569,15 +404,6 @@ class Ability
current_application_settings
.
restricted_visibility_levels
.
include?
(
Gitlab
::
VisibilityLevel
::
PUBLIC
)
end
def
named_abilities
(
name
)
[
:"read_
#{
name
}
"
,
:"create_
#{
name
}
"
,
:"update_
#{
name
}
"
,
:"admin_
#{
name
}
"
]
end
def
filter_confidential_issues_abilities
(
user
,
issue
,
rules
)
return
rules
if
user
.
admin?
||
!
issue
.
confidential?
...
...
@@ -589,13 +415,5 @@ class Ability
rules
end
def
project_group_member?
(
project
,
user
)
project
.
group
&&
(
project
.
group
.
members
.
exists?
(
user_id:
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
user
.
id
)
)
end
end
end
app/policies/base_policy.rb
浏览文件 @
1ca9b335
class
BasePolicy
def
self
.
abilities
(
user
,
subject
)
new
(
user
,
subject
).
abilities
end
attr_reader
:user
,
:subject
def
initialize
(
user
,
subject
)
@user
=
user
@subject
=
subject
end
def
abilities
@can
=
Set
.
new
@cannot
=
Set
.
new
generate!
@can
-
@cannot
return
anonymous_abilities
if
@user
.
nil?
collect_rules
{
rules
}
end
def
anonymous_abilities
collect_rules
{
anonymous_rules
}
end
def
generate!
...
...
@@ -22,4 +29,15 @@ class BasePolicy
def
cannot!
(
*
rules
)
@cannot
.
merge
(
rules
)
end
private
def
collect_rules
(
&
b
)
return
Set
.
new
if
@subject
.
nil?
@can
=
Set
.
new
@cannot
=
Set
.
new
yield
@can
-
@cannot
end
end
app/policies/project_policy.rb
浏览文件 @
1ca9b335
...
...
@@ -28,6 +28,7 @@ class ProjectPolicy < BasePolicy
can!
:update_issue
can!
:admin_issue
can!
:admin_label
can!
:admin_list
can!
:read_commit_status
can!
:read_build
can!
:read_container_image
...
...
@@ -48,6 +49,7 @@ class ProjectPolicy < BasePolicy
can!
:create_merge_request
can!
:create_wiki
can!
:push_code
can!
:resolve_note
can!
:create_container_image
can!
:update_container_image
can!
:create_environment
...
...
@@ -98,8 +100,8 @@ class ProjectPolicy < BasePolicy
end
# Push abilities on the users team role
def
team_access!
access
=
project
.
team
.
max_member_access
(
@
user
.
id
)
def
team_access!
(
user
)
access
=
project
.
team
.
max_member_access
(
user
.
id
)
return
if
access
<
Gitlab
::
Access
::
GUEST
guest_access!
...
...
@@ -140,7 +142,7 @@ class ProjectPolicy < BasePolicy
cannot!
(
*
named_abilities
(
:project_snippet
))
end
unless
project
.
wiki_enabled
unless
project
.
has_wiki?
cannot!
(
*
named_abilities
(
:wiki
))
end
...
...
@@ -156,16 +158,16 @@ class ProjectPolicy < BasePolicy
end
end
def
generate!
team_access!
def
rules
team_access!
(
user
)
owner
=
@
user
.
admin?
||
project
.
owner
==
@
user
||
(
project
.
group
&&
project
.
group
.
has_owner?
(
@
user
))
owner
=
user
.
admin?
||
project
.
owner
==
user
||
(
project
.
group
&&
project
.
group
.
has_owner?
(
user
))
owner_access!
if
owner
if
project
.
public?
||
(
project
.
internal?
&&
!
@
user
.
external?
)
if
project
.
public?
||
(
project
.
internal?
&&
!
user
.
external?
)
guest_access!
public_access!
...
...
@@ -173,7 +175,7 @@ class ProjectPolicy < BasePolicy
can!
:read_build
if
project
.
public_builds?
if
project
.
request_access_enabled
&&
!
(
owner
||
project
.
team
.
member?
(
@user
)
||
project_group_member?
)
!
(
owner
||
project
.
team
.
member?
(
user
)
||
project_group_member?
(
user
)
)
can!
:request_access
end
end
...
...
@@ -183,11 +185,35 @@ class ProjectPolicy < BasePolicy
disabled_features!
end
def
project_group_member?
def
anonymous_rules
return
unless
project
.
public?
can!
:read_project
can!
:read_board
can!
:read_list
can!
:read_wiki
can!
:read_label
can!
:read_milestone
can!
:read_project_snippet
can!
:read_project_member
can!
:read_merge_request
can!
:read_note
can!
:read_pipeline
can!
:read_commit_status
can!
:read_container_image
can!
:download_code
# Allow to read builds by anonymous user if guests are allowed
can!
:read_build
if
project
.
public_builds?
disabled_features!
end
def
project_group_member?
(
user
)
project
.
group
&&
(
project
.
group
.
members
.
exists?
(
user_id:
@
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
@
user
.
id
)
project
.
group
.
members
.
exists?
(
user_id:
user
.
id
)
||
project
.
group
.
requesters
.
exists?
(
user_id:
user
.
id
)
)
end
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录