Skip to content
Snippets Groups Projects
Normal view Permalink
ability.rb 7.61 KiB
Newer Older
  • Learn to ignore specific revisions
    • gitlabhq's avatar
    init commit
    gitlabhq committed
    1 
    class Ability
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    2 
      class << self
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    3 
        def allowed(user, subject)
    Dmitriy Zaporozhets's avatar
    Allow non authenticated user access to public projects  
    Dmitriy Zaporozhets committed
    4 
          return not_auth_abilities(user, subject) if user.nil?
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    5 
          return [] unless user.kind_of?(User)
    Dmitriy Zaporozhets's avatar
    Return empty abilities if user is blocked  
    Dmitriy Zaporozhets committed
    6 
          return [] if user.blocked?
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    7
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    8 
          case subject.class.name
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    9 10 11 
          when "Project" then project_abilities(user, subject)
      when "Issue" then issue_abilities(user, subject)
      when "Note" then note_abilities(user, subject)
    Andrew8xx8's avatar
    Snippets feature refactored. Tests now use spinach  
    Andrew8xx8 committed
    12 
          when "ProjectSnippet" then project_snippet_abilities(user, subject)
    Andrew8xx8's avatar
    Personal snippets controlelr refactored  
    Andrew8xx8 committed
    13 
          when "PersonalSnippet" then personal_snippet_abilities(user, subject)
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    14 
          when "MergeRequest" then merge_request_abilities(user, subject)
    Dmitriy Zaporozhets's avatar
    Use own abilities for namespace class  
    Dmitriy Zaporozhets committed
    15 16 
          when "Group" then group_abilities(user, subject)
      when "Namespace" then namespace_abilities(user, subject)
    Douwe Maan's avatar
    Use `group_member` instead of `users_group` or `membership`.  
    Douwe Maan committed
    17 
          when "GroupMember" then group_member_abilities(user, subject)
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    18 
          else []
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    19 20 21 
          end.concat(global_abilities(user))
    end
    Dmitriy Zaporozhets's avatar
    Allow non authenticated user access to public projects  
    Dmitriy Zaporozhets committed
    22 23 24 25 26 27 28 29 30 31 32 
        # List of possible abilities
    # for non-authenticated user
    def not_auth_abilities(user, subject)
      project = if subject.kind_of?(Project)
                  subject
                elsif subject.respond_to?(:project)
                  subject.project
                else
                  nil
                end
    Jason Hollingsworth's avatar
    Adding authenticated public mode (internal).  
    Jason Hollingsworth committed
    33 
          if project && project.public?
    Dmitriy Zaporozhets's avatar
    Remove writing issues/notes from non-auth user abilities  
    Dmitriy Zaporozhets committed
    34 35 36 37 38 39 
            [
          :read_project,
          :read_wiki,
          :read_issue,
          :read_milestone,
          :read_project_snippet,
    Douwe Maan's avatar
    Use `project_member` instead of `team_member`.  
    Douwe Maan committed
    40 
              :read_project_member,
    Dmitriy Zaporozhets's avatar
    Remove writing issues/notes from non-auth user abilities  
    Dmitriy Zaporozhets committed
    41 42 43 44 
              :read_merge_request,
          :read_note,
          :download_code
        ]
    Dmitriy Zaporozhets's avatar
    Allow non authenticated user access to public projects  
    Dmitriy Zaporozhets committed
    45 
          else
    Jason Hollingsworth's avatar
    Allow access to groups with public projects.  
    Jason Hollingsworth committed
    46 47 48 49 50 51 52 
            group = if subject.kind_of?(Group)
                  subject
                elsif subject.respond_to?(:group)
                  subject.group
                else
                  nil
                end
    Dmitriy Zaporozhets's avatar
    Implement project collection service  
    Dmitriy Zaporozhets committed
    53
    Dmitriy Zaporozhets's avatar
    Refactor some search scopes to prevent wierd behaviour and PG::Error issues  
    Dmitriy Zaporozhets committed
    54 
            if group && group.public_profile?
    Jason Hollingsworth's avatar
    Allow access to groups with public projects.  
    Jason Hollingsworth committed
    55 56 57 58 
              [:read_group]
        else
          []
        end
    Dmitriy Zaporozhets's avatar
    Allow non authenticated user access to public projects  
    Dmitriy Zaporozhets committed
    59 60 61 
          end
    end
    Dmitriy Zaporozhets's avatar
    allow/deny user to create group/team  
    Dmitriy Zaporozhets committed
    62 63 64 65 
        def global_abilities(user)
      rules = []
      rules << :create_group if user.can_create_group
      rules
    gitlabhq's avatar
    init commit
    gitlabhq committed
    66 67 
        end
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    68 69 
        def project_abilities(user, project)
      rules = []
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    70 71 72 
          key = "/user/#{user.id}/project/#{project.id}"
      RequestStore.store[key] ||= begin
        team = project.team
    gitlabhq's avatar
    init commit
    gitlabhq committed
    73
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    74 75 
            # Rules based on role in project
        if team.master?(user)
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    76 
              rules.push(*project_master_rules)
    Dmitriy Zaporozhets's avatar
    REpostiry, Team models  
    Dmitriy Zaporozhets committed
    77
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    78 
            elsif team.developer?(user)
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    79 
              rules.push(*project_dev_rules)
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    80
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    81 
            elsif team.reporter?(user)
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    82 
              rules.push(*project_report_rules)
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    83
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    84 
            elsif team.guest?(user)
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    85 
              rules.push(*project_guest_rules)
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    86 
            end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    87
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    88 
            if project.public? || project.internal?
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    89 
              rules.push(*public_project_rules)
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    90 
            end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    91
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    92 
            if project.owner == user || user.admin?
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    93 
              rules.push(*project_admin_rules)
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    94 
            end
    Dmitriy Zaporozhets's avatar
    Allow forking of public projects by authenticated users. Fixes #4152  
    Dmitriy Zaporozhets committed
    95
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    96 
            if project.group && project.group.has_owner?(user)
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    97 
              rules.push(*project_admin_rules)
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    98 
            end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    99
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    100 101 102 
            if project.archived?
          rules -= project_archived_rules
        end
    Dmitriy Zaporozhets's avatar
    Add UsersGroup relation to be respected by abilities and Project#team  
    Dmitriy Zaporozhets committed
    103
    Stan Hu's avatar
    Disable "New Issue" and "New Merge Request" buttons when features are disabled in project settings  
    Stan Hu committed
    104 105 106 107 108 109 110 111 
            unless project.issues_enabled
          rules -= named_abilities('issue')
        end

        unless project.merge_requests_enabled
          rules -= named_abilities('merge_request')
        end
    Stan Hu's avatar
    Refactor permission checks to use `can?` instead of `issues_enabled` and `merge_requests_enabled`  
    Stan Hu committed
    112 113 114 115 116 
            unless project.issues_enabled or project.merge_requests_enabled
          rules -= named_abilities('label')
          rules -= named_abilities('milestone')
        end
    Stan Hu's avatar
    Disable "New Issue" and "New Merge Request" buttons when features are disabled in project settings  
    Stan Hu committed
    117 
            unless project.snippets_enabled
    Stan Hu's avatar
    Fix project snippets button appearing when it is disabled  
    Stan Hu committed
    118 
              rules -= named_abilities('project_snippet')
    Stan Hu's avatar
    Disable "New Issue" and "New Merge Request" buttons when features are disabled in project settings  
    Stan Hu committed
    119 120 121 122 123 124 
            end

        unless project.wiki_enabled
          rules -= named_abilities('wiki')
        end
    skv-headless's avatar
    per request project rules caching  
    skv-headless committed
    125 
            rules
    Steven Thonus's avatar
    Archiving old projects; archived projects aren't shown on dashboard  
    Steven Thonus committed
    126 
          end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    127 128 
        end
    Dmitriy Zaporozhets's avatar
    Allow forking of public projects by authenticated users. Fixes #4152  
    Dmitriy Zaporozhets committed
    129 
        def public_project_rules
    Dmitriy Zaporozhets's avatar
    Allow non authenticated user access to public projects  
    Dmitriy Zaporozhets committed
    130 
          project_guest_rules + [
    Dmitriy Zaporozhets's avatar
    Allow forking of public projects by authenticated users. Fixes #4152  
    Dmitriy Zaporozhets committed
    131 
            :download_code,
    Jason Hollingsworth's avatar
    Adding authenticated public mode (internal).  
    Jason Hollingsworth committed
    132 
            :fork_project
    Dmitriy Zaporozhets's avatar
    Allow forking of public projects by authenticated users. Fixes #4152  
    Dmitriy Zaporozhets committed
    133 134 135 
          ]
    end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    136 137 
        def project_guest_rules
      [
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    138 139 140 
            :read_project,
        :read_wiki,
        :read_issue,
    Stan Hu's avatar
    Fix 403 Access Denied error messages when accessing Labels section in a...  
    Stan Hu committed
    141 
            :read_label,
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    142 
            :read_milestone,
    Andrew8xx8's avatar
    Tests fixed  
    Andrew8xx8 committed
    143 
            :read_project_snippet,
    Douwe Maan's avatar
    Use `project_member` instead of `team_member`.  
    Douwe Maan committed
    144 
            :read_project_member,
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    145 146 147 148 
            :read_merge_request,
        :read_note,
        :write_project,
        :write_issue,
    Angus MacArthur's avatar
    Made fixes suggested by @randx in pull request  
    Angus MacArthur committed
    149 
            :write_note
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    150 151 
          ]
    end
    Dmitriy Zaporozhets's avatar
    Wiki abilities  
    Dmitriy Zaporozhets committed
    152
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    153 154 
        def project_report_rules
      project_guest_rules + [
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    155 
            :download_code,
    Dmitriy Zaporozhets's avatar
    Fixed ability and modify UI a bit  
    Dmitriy Zaporozhets committed
    156 
            :fork_project,
    Andrew8xx8's avatar
    Tests fixed  
    Andrew8xx8 committed
    157 
            :write_project_snippet
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    158 159 
          ]
    end
    Dmitriy Zaporozhets's avatar
    Wiki abilities  
    Dmitriy Zaporozhets committed
    160
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    161 162 
        def project_dev_rules
      project_report_rules + [
    Dmitriy Zaporozhets's avatar
    Reporter cant create MR. Show user authorized projects in Admin area  
    Dmitriy Zaporozhets committed
    163 
            :write_merge_request,
    randx's avatar
    Security for online editor. Replace dev_access?, master_access? with can? method usage  
    randx committed
    164 
            :write_wiki,
    Dmitriy Zaporozhets's avatar
    Allow developers to mange issue tracker  
    Dmitriy Zaporozhets committed
    165 
            :modify_issue,
    Dmitriy Zaporozhets's avatar
    Fix Issues#bulk_update  
    Dmitriy Zaporozhets committed
    166 
            :admin_issue,
    Dmitriy Zaporozhets's avatar
    Improve labels  
    Dmitriy Zaporozhets committed
    167 
            :admin_label,
    randx's avatar
    Security for online editor. Replace dev_access?, master_access? with can? method usage  
    randx committed
    168 
            :push_code
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    169 170 
          ]
    end
    randx's avatar
    Security for online editor. Replace dev_access?, master_access? with can? method usage  
    randx committed
    171
    Steven Thonus's avatar
    Archiving old projects; archived projects aren't shown on dashboard  
    Steven Thonus committed
    172 173 174 175 176 177 178 179 180 181 
        def project_archived_rules
      [
        :write_merge_request,
        :push_code,
        :push_code_to_protected_branches,
        :modify_merge_request,
        :admin_merge_request
      ]
    end
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    182 183 184 
        def project_master_rules
      project_dev_rules + [
        :push_code_to_protected_branches,
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    185 
            :modify_issue,
    Andrew8xx8's avatar
    Tests fixed  
    Andrew8xx8 committed
    186 
            :modify_project_snippet,
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    187 188 
            :modify_merge_request,
        :admin_milestone,
    Andrew8xx8's avatar
    Tests fixed  
    Andrew8xx8 committed
    189 
            :admin_project_snippet,
    Douwe Maan's avatar
    Use `project_member` instead of `team_member`.  
    Douwe Maan committed
    190 
            :admin_project_member,
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    191 192 
            :admin_merge_request,
        :admin_note,
    Dmitriy Zaporozhets's avatar
    Only owner of current namespace can change project namespace  
    Dmitriy Zaporozhets committed
    193 194 
            :admin_wiki,
        :admin_project
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    195 196 
          ]
    end
    gitlabhq's avatar
    init commit
    gitlabhq committed
    197
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    198 199 
        def project_admin_rules
      project_master_rules + [
    Dmitriy Zaporozhets's avatar
    Only owner of current namespace can change project namespace  
    Dmitriy Zaporozhets committed
    200 
            :change_namespace,
    Jason Hollingsworth's avatar
    Adding authenticated public mode (internal).  
    Jason Hollingsworth committed
    201 
            :change_visibility_level,
    Dmitriy Zaporozhets's avatar
    Admin can move project to ANY namespace. Updated permissions page  
    Dmitriy Zaporozhets committed
    202 
            :rename_project,
    Steven Thonus's avatar
    Archiving old projects; archived projects aren't shown on dashboard  
    Steven Thonus committed
    203 204 
            :remove_project,
        :archive_project
    Dmitriy Zaporozhets's avatar
    Refactor abilities. Added ProjectUpdate context. Fixed few bugs with namespaces  
    Dmitriy Zaporozhets committed
    205 
          ]
    Andrey Kumanyaev's avatar
    simple refactoring  
    Andrey Kumanyaev committed
    206 
        end
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    207
    Ciro Santilli's avatar
    Add parenthesis to function def with arguments.  
    Ciro Santilli committed
    208 
        def group_abilities(user, group)
    Dmitriy Zaporozhets's avatar
    add ability to change namespace from project edit page  
    Dmitriy Zaporozhets committed
    209 210 
          rules = []
    Dmitriy Zaporozhets's avatar
    Move services for collecting items to Finders  
    Dmitriy Zaporozhets committed
    211 
          if user.admin? || group.users.include?(user) || ProjectsFinder.new.execute(user, group: group).any?
    Dmitriy Zaporozhets's avatar
    Fix 404 if Group guest visit empty group page  
    Dmitriy Zaporozhets committed
    212 213 214 
            rules << :read_group
      end
    Dmitriy Zaporozhets's avatar
    Add ability rule for creating project in namespace  
    Dmitriy Zaporozhets committed
    215 216 
          # Only group masters and group owners can create new projects in group
      if group.has_master?(user) || group.has_owner?(user) || user.admin?
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    217 
            rules.push(*[
    Dmitriy Zaporozhets's avatar
    Add ability rule for creating project in namespace  
    Dmitriy Zaporozhets committed
    218 
              :create_projects,
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    219 
            ])
    Dmitriy Zaporozhets's avatar
    Add ability rule for creating project in namespace  
    Dmitriy Zaporozhets committed
    220 221 
          end
    Douwe Maan's avatar
    Rename manage_group ability to admin_group for consistency with project.  
    Douwe Maan committed
    222 
          # Only group owner and administrators can admin group
    Dmitriy Zaporozhets's avatar
    Group ownership completely based on users_groups relation now  
    Dmitriy Zaporozhets committed
    223 
          if group.has_owner?(user) || user.admin?
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    224 
            rules.push(*[
    Douwe Maan's avatar
    Rename manage_group ability to admin_group for consistency with project.  
    Douwe Maan committed
    225 226 
              :admin_group,
          :admin_namespace
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    227 
            ])
    Dmitriy Zaporozhets's avatar
    Fix #2375. Admin and owner can manage groups  
    Dmitriy Zaporozhets committed
    228 
          end
    Dmitriy Zaporozhets's avatar
    add ability to change namespace from project edit page  
    Dmitriy Zaporozhets committed
    229 230 231 232 
    
      rules.flatten
    end
    Ciro Santilli's avatar
    Add parenthesis to function def with arguments.  
    Ciro Santilli committed
    233 
        def namespace_abilities(user, namespace)
    Dmitriy Zaporozhets's avatar
    Use own abilities for namespace class  
    Dmitriy Zaporozhets committed
    234 235 
          rules = []
    Douwe Maan's avatar
    Rename manage_group ability to admin_group for consistency with project.  
    Douwe Maan committed
    236 
          # Only namespace owner and administrators can admin it
    Dmitriy Zaporozhets's avatar
    Use own abilities for namespace class  
    Dmitriy Zaporozhets committed
    237 
          if namespace.owner == user || user.admin?
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    238 
            rules.push(*[
    Dmitriy Zaporozhets's avatar
    Add ability rule for creating project in namespace  
    Dmitriy Zaporozhets committed
    239 
              :create_projects,
    Douwe Maan's avatar
    Rename manage_group ability to admin_group for consistency with project.  
    Douwe Maan committed
    240 
              :admin_namespace
    Ciro Santilli's avatar
    Append in place for strings and arrays  
    Ciro Santilli committed
    241 
            ])
    Dmitriy Zaporozhets's avatar
    Use own abilities for namespace class  
    Dmitriy Zaporozhets committed
    242 243 244 245 246 
          end

      rules.flatten
    end
    Andrew8xx8's avatar
    Personal snippets controlelr refactored  
    Andrew8xx8 committed
    247 
        [:issue, :note, :project_snippet, :personal_snippet, :merge_request].each do |name|
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    248 
          define_method "#{name}_abilities" do |user, subject|
    Vinnie Okada's avatar
    Update snippet authorization  
    Vinnie Okada committed
    249 250 
            if subject.author == user || user.is_admin?
          rules = [
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    251 252 
                :"read_#{name}",
            :"write_#{name}",
    Dmitriy Zaporozhets's avatar
    Abilities refactoring  
    Dmitriy Zaporozhets committed
    253 
                :"modify_#{name}",
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    254 255 
                :"admin_#{name}"
          ]
    Vinnie Okada's avatar
    Update snippet authorization  
    Vinnie Okada committed
    256 257 
              rules.push(:change_visibility_level) if subject.is_a?(Snippet)
          rules
    Dmitriy Zaporozhets's avatar
    Abilities extended. Resources security improved  
    Dmitriy Zaporozhets committed
    258 259 260 261 262 263 
            elsif subject.respond_to?(:assignee) && subject.assignee == user
          [
            :"read_#{name}",
            :"write_#{name}",
            :"modify_#{name}",
          ]
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    264 
            else
    Stan Hu's avatar
    Fix Error 500 when one user attempts to access a personal, internal snippet  
    Stan Hu committed
    265 
              if subject.respond_to?(:project) && subject.project
    Dmitriy Zaporozhets's avatar
    Improve files/snippets action buttons  
    Dmitriy Zaporozhets committed
    266 267 268 269 
                project_abilities(user, subject.project)
          else
            []
          end
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    270 271 272 
            end
      end
    end
    Ciro Santillli's avatar
    User can leave group from group page.  
    Ciro Santillli committed
    273
    Douwe Maan's avatar
    Use `group_member` instead of `users_group` or `membership`.  
    Douwe Maan committed
    274 
        def group_member_abilities(user, subject)
    Ciro Santillli's avatar
    User can leave group from group page.  
    Ciro Santillli committed
    275 276 277 
          rules = []
      target_user = subject.user
      group = subject.group
    Douwe Maan's avatar
    Rename manage_group ability to admin_group for consistency with project.  
    Douwe Maan committed
    278 
          can_manage = group_abilities(user, group).include?(:admin_group)
    Ciro Santillli's avatar
    User can leave group from group page.  
    Ciro Santillli committed
    279 
          if can_manage && (user != target_user)
    Douwe Maan's avatar
    Use `group_member` instead of `users_group` or `membership`.  
    Douwe Maan committed
    280 281 
            rules << :modify_group_member
        rules << :destroy_group_member
    Ciro Santillli's avatar
    User can leave group from group page.  
    Ciro Santillli committed
    282 283 
          end
      if !group.last_owner?(user) && (can_manage || (user == target_user))
    Douwe Maan's avatar
    Use `group_member` instead of `users_group` or `membership`.  
    Douwe Maan committed
    284 
            rules << :destroy_group_member
    Ciro Santillli's avatar
    User can leave group from group page.  
    Ciro Santillli committed
    285 286 287 
          end
      rules
    end
    Ciro Santilli's avatar
    Factor abilities methods  
    Ciro Santilli committed
    288 289 290 291 292 293 294 295 
    
    def abilities
      @abilities ||= begin
                       abilities = Six.new
                       abilities << self
                       abilities
                     end
    end
    Stan Hu's avatar
    Disable "New Issue" and "New Merge Request" buttons when features are disabled in project settings  
    Stan Hu committed
    296 297 298 299 300 301 302 303 304 305 306 
    
    private

    def named_abilities(name)
      [
        :"read_#{name}",
        :"write_#{name}",
        :"modify_#{name}",
        :"admin_#{name}"
      ]
    end
    gitlabhq's avatar
    security improved  
    gitlabhq committed
    307 
      end
    gitlabhq's avatar
    init commit
    gitlabhq committed
    308 
    end