提交
50f5960c
编写于
2月 07, 2017
作者:
Douwe Maan
Merge branch 'ee-1439-read-only-user' into 'master'
Backport changes from gitlab-org/gitlab-ee!998. See merge request !8984.
上级
437b46b9
f5a798c7
Showing
15 changed file
with
265 addition
and
80 deletion
+265
-80
.flayignore
.flayignore
+1
-0
app/controllers/admin/users_controller.rb
app/controllers/admin/users_controller.rb
+1
-1
app/finders/group_projects_finder.rb
app/finders/group_projects_finder.rb
+1
-1
app/models/user.rb
app/models/user.rb
+15
-0
app/policies/project_policy.rb
app/policies/project_policy.rb
+28
-19
app/policies/project_snippet_policy.rb
app/policies/project_snippet_policy.rb
+1
-1
app/views/admin/users/_access_levels.html.haml
app/views/admin/users/_access_levels.html.haml
+37
-0
app/views/admin/users/_form.html.haml
app/views/admin/users/_form.html.haml
+1
-22
app/views/projects/notes/_notes_with_form.html.haml
app/views/projects/notes/_notes_with_form.html.haml
+1
-1
lib/gitlab/visibility_level.rb
lib/gitlab/visibility_level.rb
+13
-1
spec/features/admin/admin_users_spec.rb
spec/features/admin/admin_users_spec.rb
+1
-1
spec/models/user_spec.rb
spec/models/user_spec.rb
+33
-0
spec/policies/project_policy_spec.rb
spec/policies/project_policy_spec.rb
+30
-32
spec/policies/project_snippet_policy_spec.rb
spec/policies/project_snippet_policy_spec.rb
+101
-0
spec/services/groups/update_service_spec.rb
spec/services/groups/update_service_spec.rb
+1
-1
.flayignore
*.erb
lib/gitlab/sanitizers/svg/whitelist.rb
lib/gitlab/diff/position_tracer.rb
app/policies/project_policy.rb
app/controllers/admin/users_controller.rb
...
...
@@ -175,7 +175,7 @@ class Admin::UsersController < Admin::ApplicationController
def
user_params_ce
[
:a
dmin
,
:a
ccess_level
,
:avatar
,
:bio
,
:can_create_group
,
...
...
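Review bot: Permitting `:access_level` in `user_params_ce` routes the submitted value into `User#access_level=`, which (as defined in `app/models/user.rb` in this commit) silently discards anything other than `admin`/`regular`, so an admin who submits an unexpected value gets a successful save with no change and no error. Consider rejecting unknown values here with a validation error on the model, or at least logging the ignored value, so that a failed privilege change is visible rather than silent. The rest of the `user_params_ce` list continues outside the hunk.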
app/finders/group_projects_finder.rb
...
...
@@ -18,7 +18,7 @@ class GroupProjectsFinder < UnionFinder
projects
=
[]
if
current_user
if
@group
.
users
.
include?
(
current_user
)
||
current_user
.
admin?
if
@group
.
users
.
include?
(
current_user
)
projects
<<
@group
.
projects
unless
only_shared
projects
<<
@group
.
shared_projects
unless
only_owned
else
...
...
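Review bot: Dropping `|| current_user.admin?` from the membership test moves admins into the `else` branch, which lies outside the hunk, so whether admins still see every group project now depends on that branch — presumably via the `public_to_user` scope this commit changes to return `all` for admins — and no finder spec is part of the change to pin that down. The retained `@group.users.include?(current_user)` also loads the whole `users` collection to answer a membership question; if `users` is an association, `@group.users.exists?(current_user.id)` answers it with one query. The enclosing method starts before the hunk.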
app/models/user.rb
...
...
@@ -904,6 +904,21 @@ class User < ActiveRecord::Base
end
end
def
access_level
if
admin?
:admin
else
:regular
end
end
def
access_level
=
(
new_level
)
new_level
=
new_level
.
to_s
return
unless
%w(admin regular)
.
include?
(
new_level
)
self
.
admin
=
(
new_level
==
'admin'
)
end
private
def
ci_projects_union
...
...
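Review bot: `access_level=` rebuilds the `%w(admin regular)` whitelist on every call and its silent no-op for unknown values is undocumented, even though the accompanying spec makes that no-op a contract. Hoist the list to a frozen constant, `ACCESS_LEVELS = %w(admin regular).freeze`, change the guard to `return unless ACCESS_LEVELS.include?(new_level)`, and add `# Unknown levels are ignored on purpose; callers see neither a change nor an error.` above it so the next maintainer does not "fix" the silence. Since this setter is the only path that flips the `admin` flag from the admin form, it is also the natural place for a why-comment stating that `access_level` is a view over `admin` rather than a stored column.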
app/policies/project_policy.rb
...
...
@@ -218,25 +218,7 @@ class ProjectPolicy < BasePolicy
def
anonymous_rules
return
unless
project
.
public?
can!
:read_project
can!
:read_board
can!
:read_list
can!
:read_wiki
can!
:read_label
can!
:read_milestone
can!
:read_project_snippet
can!
:read_project_member
can!
:read_merge_request
can!
:read_note
can!
:read_pipeline
can!
:read_commit_status
can!
:read_container_image
can!
:download_code
can!
:download_wiki_code
can!
:read_cycle_analytics
# NOTE: may be overridden by IssuePolicy
can!
:read_issue
base_readonly_access!
# Allow to read builds by anonymous user if guests are allowed
can!
:read_build
if
project
.
public_builds?
...
...
@@ -269,4 +251,31 @@ class ProjectPolicy < BasePolicy
:"admin_
#{
name
}
"
]
end
private
# A base set of abilities for read-only users, which
# is then augmented as necessary for anonymous and other
# read-only users.
def
base_readonly_access!
can!
:read_project
can!
:read_board
can!
:read_list
can!
:read_wiki
can!
:read_label
can!
:read_milestone
can!
:read_project_snippet
can!
:read_project_member
can!
:read_merge_request
can!
:read_note
can!
:read_pipeline
can!
:read_commit_status
can!
:read_container_image
can!
:download_code
can!
:download_wiki_code
can!
:read_cycle_analytics
# NOTE: may be overridden by IssuePolicy
can!
:read_issue
end
end
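Review bot: The comment above `base_readonly_access!` says the set is "augmented as necessary for anonymous and other read-only users", but within this diff only `anonymous_rules` calls it; either name the other callers in the comment or trim it to what the code shows, since a policy comment that promises more callers than exist is the kind of statement a later reader will trust. The `.flayignore` entry for `app/policies/project_policy.rb` added in the same commit suggests flay still sees this ability list duplicated elsewhere in the file (presumably the guest rules, which are not in the hunk); if so, having that site call `base_readonly_access!` too would remove the duplication instead of silencing the warning. The first hunk of this file already contains the replaced `anonymous_rules` body, so nothing else changes here.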
app/policies/project_snippet_policy.rb
...
...
@@ -3,7 +3,7 @@ class ProjectSnippetPolicy < BasePolicy
can!
:read_project_snippet
if
@subject
.
public?
return
unless
@user
if
@user
&&
@subject
.
author
==
@user
||
@user
.
admin?
if
@user
&&
(
@subject
.
author
==
@user
||
@user
.
admin?
)
can!
:read_project_snippet
can!
:update_project_snippet
can!
:admin_project_snippet
...
...
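Review bot: The added parentheses fix the precedence of the old line, where `@user && @subject.author == @user || @user.admin?` fell through to `@user.admin?` on a nil user, but the `return unless @user` printed just above it appears to be a context line, in which case `@user` is already guaranteed at this point and the `@user &&` prefix on the new line is dead; `if @subject.author == @user || @user.admin?` would read more honestly. If the early return is expected to go away later, keep the guard and say so in a one-line comment. The method continues past the end of the hunk.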
app/views/admin/users/_access_levels.html.haml
0 → 100644
%fieldset
%legend
Access
.form-group
=
f
.
label
:projects_limit
,
class:
'control-label'
.col-sm-10
=
f
.
number_field
:projects_limit
,
min:
0
,
class:
'form-control'
.form-group
=
f
.
label
:can_create_group
,
class:
'control-label'
.col-sm-10
=
f
.
check_box
:can_create_group
.form-group
=
f
.
label
:access_level
,
class:
'control-label'
.col-sm-10
-
editing_current_user
=
(
current_user
==
@user
)
=
f
.
radio_button
:access_level
,
:regular
,
disabled:
editing_current_user
=
label_tag
:regular
do
Regular
%p
.light
Regular users have access to their groups and projects
=
f
.
radio_button
:access_level
,
:admin
,
disabled:
editing_current_user
=
label_tag
:admin
do
Admin
%p
.light
Administrators have access to all groups, projects and users and can manage all features in this installation
-
if
editing_current_user
%p
.light
You cannot remove your own admin rights.
.form-group
=
f
.
label
:external
,
class:
'control-label'
.col-sm-10
=
f
.
check_box
:external
do
External
%p
.light
External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
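Review bot: `disabled: editing_current_user` on the two `radio_button` calls only removes the control from the rendered form; it is not a server-side check, and `user_params_ce` in this commit permits `:access_level`, so a request carrying `user[access_level]=regular` for one's own account would still reach `User#access_level=` unless the controller rejects it somewhere not shown in this diff. The "cannot remove your own admin rights" rule should be enforced in the model or controller, with the disabled inputs kept as a UI hint. Separately, `label_tag :regular` / `label_tag :admin` emit `for="regular"` / `for="admin"`, which do not match the radio ids Rails generates for `f.radio_button :access_level, :regular` (`user_access_level_regular`, the id the feature spec in this commit uses with `choose`), so clicking the label text will not select the radio; `f.label :access_level_regular` / `f.label :access_level_admin` or `label_tag 'user_access_level_regular'` restores the association.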
app/views/admin/users/_form.html.haml
...
...
@@ -40,28 +40,7 @@
=
f
.
label
:password_confirmation
,
class:
'control-label'
.col-sm-10
=
f
.
password_field
:password_confirmation
,
disabled:
f
.
object
.
force_random_password
,
class:
'form-control'
%fieldset
%legend
Access
.form-group
=
f
.
label
:projects_limit
,
class:
'control-label'
.col-sm-10
=
f
.
number_field
:projects_limit
,
min:
0
,
class:
'form-control'
.form-group
=
f
.
label
:can_create_group
,
class:
'control-label'
.col-sm-10
=
f
.
check_box
:can_create_group
.form-group
=
f
.
label
:admin
,
class:
'control-label'
-
if
current_user
==
@user
.col-sm-10
=
f
.
check_box
:admin
,
disabled:
true
.col-sm-10
You cannot remove your own admin rights.
-
else
.col-sm-10
=
f
.
check_box
:admin
.form-group
=
f
.
label
:external
,
class:
'control-label'
.col-sm-10
=
f
.
check_box
:external
.col-sm-10
External users cannot see internal or private projects unless access is explicitly granted. Also, external users cannot create projects or groups.
=
render
partial:
'access_levels'
,
locals:
{
f:
f
}
%fieldset
%legend
Profile
...
...
app/views/projects/notes/_notes_with_form.html.haml
...
...
@@ -13,7 +13,7 @@
=
image_tag
avatar_icon
(
current_user
),
alt:
current_user
.
to_reference
,
class:
'avatar s40'
.timeline-content.timeline-content-form
=
render
"projects/notes/form"
,
view:
diff_view
-
els
e
-
els
if
!
current_user
.disabled-comment.text-center
.disabled-comment-text.inline
Please
...
...
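Review bot: Replacing `- else` with `- elsif !current_user` leaves a third case — a signed-in user for whom the opening condition is false — rendering nothing at all, neither the comment form nor the sign-in prompt. If that blank is intended for read-only users, an explicit `- else` branch with a short comment such as `-# signed-in but not allowed to comment: render nothing` (or a visible notice) would make the intent clear rather than leaving it implicit. The `if` this `elsif` belongs to starts before the hunk, so the exact condition cannot be checked here.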
lib/gitlab/visibility_level.rb
...
...
@@ -13,7 +13,19 @@ module Gitlab
scope
:public_and_internal_only
,
->
{
where
(
visibility_level:
[
PUBLIC
,
INTERNAL
]
)
}
scope
:non_public_only
,
->
{
where
.
not
(
visibility_level:
PUBLIC
)
}
scope
:public_to_user
,
->
(
user
)
{
user
&&
!
user
.
external
?
public_and_internal_only
:
public_only
}
scope
:public_to_user
,
->
(
user
)
do
if
user
if
user
.
admin?
all
elsif
!
user
.
external?
public_and_internal_only
else
public_only
end
else
public_only
end
end
end
PRIVATE
=
0
unless
const_defined?
(
:PRIVATE
)
...
...
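Review bot: The rewritten `public_to_user` lambda nests two `if`s and repeats `public_only` in two branches; a flat `if`/`elsif` chain ordered by privilege reads in one pass and makes the new admin case stand out as the single branch that escapes the visibility filter. Because `all` drops the visibility restriction entirely, callers of this scope no longer get a visibility-limited relation for admin users — the behaviour this commit wants, but worth a comment at the scope so later callers do not assume the scope always filters. The hunk's surrounding lines are unchanged.
```ruby
# Admins bypass the visibility filter entirely; external users see public only.
scope :public_to_user, ->(user) do
  if user.nil?
    public_only
  elsif user.admin?
    all
  elsif user.external?
    public_only
  else
    public_and_internal_only
  end
end
```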
spec/features/admin/admin_users_spec.rb
...
...
@@ -211,7 +211,7 @@ describe "Admin::Users", feature: true do
fill_in
"user_email"
,
with:
"bigbang@mail.com"
fill_in
"user_password"
,
with:
"AValidPassword1"
fill_in
"user_password_confirmation"
,
with:
"AValidPassword1"
ch
eck
"user
_admin"
ch
oose
"user_access_level
_admin"
click_button
"Save changes"
end
...
...
spec/models/user_spec.rb
...
...
@@ -1422,4 +1422,37 @@ describe User, models: true do
expect
(
user
.
project_authorizations
.
where
(
access_level:
Gitlab
::
Access
::
REPORTER
).
exists?
).
to
eq
(
true
)
end
end
describe
'#access_level='
do
let
(
:user
)
{
build
(
:user
)
}
it
'does nothing for an invalid access level'
do
user
.
access_level
=
:invalid_access_level
expect
(
user
.
access_level
).
to
eq
(
:regular
)
expect
(
user
.
admin
).
to
be
false
end
it
"assigns the 'admin' access level"
do
user
.
access_level
=
:admin
expect
(
user
.
access_level
).
to
eq
(
:admin
)
expect
(
user
.
admin
).
to
be
true
end
it
"doesn't clear existing access levels when an invalid access level is passed in"
do
user
.
access_level
=
:admin
user
.
access_level
=
:invalid_access_level
expect
(
user
.
access_level
).
to
eq
(
:admin
)
expect
(
user
.
admin
).
to
be
true
end
it
"accepts string values in addition to symbols"
do
user
.
access_level
=
'admin'
expect
(
user
.
access_level
).
to
eq
(
:admin
)
expect
(
user
.
admin
).
to
be
true
end
end
end
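Review bot: The new `#access_level=` examples never exercise the demotion path: nothing asserts that assigning `:regular` to an admin clears `admin`, even though `self.admin = (new_level == 'admin')` in the model makes that the one branch that removes privilege. Since this setter is what the admin form now drives, the privilege-removal case deserves its own example alongside the promotion one.
```ruby
it "assigns the 'regular' access level to an existing admin" do
  user.access_level = :admin
  user.access_level = :regular

  expect(user.access_level).to eq(:regular)
  expect(user.admin).to be false
end
```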
spec/policies/project_policy_spec.rb
...
...
@@ -10,61 +10,59 @@ describe ProjectPolicy, models: true do
let
(
:project
)
{
create
(
:empty_project
,
:public
,
namespace:
owner
.
namespace
)
}
let
(
:guest_permissions
)
do
[
:read_project
,
:read_board
,
:read_list
,
:read_wiki
,
:read_issue
,
:read_label
,
:read_milestone
,
:read_project_snippet
,
:read_project_member
,
:read_note
,
:create_project
,
:create_issue
,
:create_note
,
:
upload_file
%i
[
read_project read_board read_list read_wiki read_issue read_label
read_milestone read_project_snippet read_project_member
read_note create_project create_issue create_note
upload_file
]
end
let
(
:reporter_permissions
)
do
[
:download_code
,
:fork_project
,
:create_project_snippet
,
:update_issue
,
:admin_issue
,
:admin_label
,
:admin_list
,
:read_commit_status
,
:read_build
,
:read_container_image
,
:read_pipeline
,
:read_environment
,
:read_deployment
,
:read_merge_request
,
:
download_wiki_code
%i
[
download_code fork_project create_project_snippet update_issue
admin_issue admin_label admin_list read_commit_status read_build
read_container_image read_pipeline read_environment read_deployment
read_merge_request
download_wiki_code
]
end
let
(
:team_member_reporter_permissions
)
do
[
:build_download_code
,
:build_read_container_image
]
%i[build_download_code build_read_container_image]
end
let
(
:developer_permissions
)
do
[
:admin_merge_request
,
:update_merge_request
,
:create_commit_status
,
:update_commit_status
,
:create_build
,
:update_build
,
:create_pipeline
,
:update_pipeline
,
:create_merge_request
,
:create_wiki
,
:push_code
,
:resolve_note
,
:create_container_image
,
:update_container_image
,
:create_environment
,
:
create_deployment
%i
[
admin_merge_request update_merge_request create_commit_status
update_commit_status create_build update_build create_pipeline
update_pipeline create_merge_request create_wiki push_code
resolve_note create_container_image update_container_image
create_environment
create_deployment
]
end
let
(
:master_permissions
)
do
[
:push_code_to_protected_branches
,
:update_project_snippet
,
:update_environment
,
:update_deployment
,
:admin_milestone
,
:admin_project_snippet
,
:admin_project_member
,
:admin_note
,
:admin_wiki
,
:admin_project
,
:admin_commit_status
,
:admin_build
,
:admin_container_image
,
:admin_pipeline
,
:admin_environment
,
:
admin_deployment
%i
[
push_code_to_protected_branches update_project_snippet update_environment
update_deployment admin_milestone admin_project_snippet
admin_project_member admin_note admin_wiki admin_project
admin_commit_status admin_build admin_container_image
admin_pipeline admin_environment
admin_deployment
]
end
let
(
:public_permissions
)
do
[
:download_code
,
:fork_project
,
:read_commit_status
,
:read_pipeline
,
:read_container_image
,
:build_download_code
,
:build_read_container_image
,
:
download_wiki_code
%i
[
download_code fork_project read_commit_status read_pipeline
read_container_image build_download_code build_read_container_image
download_wiki_code
]
end
let
(
:owner_permissions
)
do
[
:change_namespace
,
:change_visibility_level
,
:rename_project
,
:remove_project
,
:archive_project
,
:remove_fork_project
,
:destroy_merge_request
,
:
destroy_issue
%i
[
change_namespace change_visibility_level rename_project remove_project
archive_project remove_fork_project destroy_merge_request
destroy_issue
]
end
...
...
spec/policies/project_snippet_policy_spec.rb
0 → 100644
require
'spec_helper'
describe
ProjectSnippetPolicy
,
models:
true
do
let
(
:current_user
)
{
create
(
:user
)
}
let
(
:author_permissions
)
do
[
:update_project_snippet
,
:admin_project_snippet
]
end
subject
{
described_class
.
abilities
(
current_user
,
project_snippet
).
to_set
}
context
'public snippet'
do
let
(
:project_snippet
)
{
create
(
:project_snippet
,
:public
)
}
context
'no user'
do
let
(
:current_user
)
{
nil
}
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
context
'regular user'
do
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
end
context
'internal snippet'
do
let
(
:project_snippet
)
{
create
(
:project_snippet
,
:internal
)
}
context
'no user'
do
let
(
:current_user
)
{
nil
}
it
do
is_expected
.
not_to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
context
'regular user'
do
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
end
context
'private snippet'
do
let
(
:project_snippet
)
{
create
(
:project_snippet
,
:private
)
}
context
'no user'
do
let
(
:current_user
)
{
nil
}
it
do
is_expected
.
not_to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
context
'regular user'
do
it
do
is_expected
.
not_to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
context
'snippet author'
do
let
(
:project_snippet
)
{
create
(
:project_snippet
,
:private
,
author:
current_user
)
}
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
to
include
(
*
author_permissions
)
end
end
context
'project team member'
do
before
{
project_snippet
.
project
.
team
<<
[
current_user
,
:developer
]
}
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
not_to
include
(
*
author_permissions
)
end
end
context
'admin user'
do
let
(
:current_user
)
{
create
(
:admin
)
}
it
do
is_expected
.
to
include
(
:read_project_snippet
)
is_expected
.
to
include
(
*
author_permissions
)
end
end
end
end
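Review bot: The new spec covers nil, regular, author, team-member and admin users, but no context uses an external user, and the 'internal snippet' block is exactly where external users differ from regular ones if the policy is meant to follow the same rule this commit gives `public_to_user` (external users see public only). Whether `ProjectSnippetPolicy` handles `external?` at all is not visible in this diff, so the expectation below states the assumed intent and should be flipped if internal snippets are deliberately visible to external users. The 'admin user' context is also only present under 'private snippet'; an admin example under 'internal snippet' would pin the read path for the other visibility.
```ruby
context 'external user' do
  let(:current_user) { create(:user, external: true) }

  it { is_expected.not_to include(:read_project_snippet) }
end
```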
spec/services/groups/update_service_spec.rb
...
...
@@ -51,7 +51,7 @@ describe Groups::UpdateService, services: true do
end
context
'rename group'
do
let!
(
:service
)
{
described_class
.
new
(
internal_group
,
user
,
path:
'new_path'
)
}
let!
(
:service
)
{
described_class
.
new
(
internal_group
,
user
,
path:
SecureRandom
.
hex
)
}
before
do
internal_group
.
add_user
(
user
,
Gitlab
::
Access
::
MASTER
)
...
...