convert all the policies to DeclarativePolicy

1 files changed, 315 insertions, 259 deletions

diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 47518dddb61..7cbca63fab4 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -1,297 +1,353 @@
 class ProjectPolicy < BasePolicy
-  def rules
-    team_access!(user)
+  def self.create_read_update_admin(name)
+    [
+      :"create_#{name}",
+      :"read_#{name}",
+      :"update_#{name}",
+      :"admin_#{name}"
+    ]
+  end
 
-    owner_access! if user.admin? || owner?
-    team_member_owner_access! if owner?
+  desc "User is a project owner"
+  condition :owner do
+    @user && project.owner == @user || (project.group && project.group.has_owner?(@user))
+  end
 
-    if project.public? || (project.internal? && !user.external?)
-      guest_access!
-      public_access!
-      can! :request_access if access_requestable?
-    end
+  desc "Project has public builds enabled"
+  condition(:public_builds, scope: :subject) { project.public_builds? }
+
+  # For guest access we use #is_team_member? so we can use
+  # project.members, which gets cached in subject scope.
+  # This is safe because team_access_level is guaranteed
+  # by ProjectAuthorization's validation to be at minimum
+  # GUEST
+  desc "User has guest access"
+  condition(:guest) { is_team_member? }
 
-    archived_access! if project.archived?
+  desc "User has reporter access"
+  condition(:reporter) { team_access_level >= Gitlab::Access::REPORTER }
 
-    disabled_features!
+  desc "User has developer access"
+  condition(:developer) { team_access_level >= Gitlab::Access::DEVELOPER }
+
+  desc "User has master access"
+  condition(:master) { team_access_level >= Gitlab::Access::MASTER }
+
+  desc "Project is public"
+  condition(:public_project, scope: :subject) { project.public? }
+
+  desc "Project is visible to internal users"
+  condition(:internal_access) do
+    project.internal? && !user.external?
   end
 
-  def project
-    @subject
+  desc "User is a member of the group"
+  condition(:group_member, scope: :subject) { project_group_member? }
+
+  desc "Project is archived"
+  condition(:archived, scope: :subject) { project.archived? }
+
+  condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? }
+
+  desc "Container registry is disabled"
+  condition(:container_registry_disabled, scope: :subject) do
+    !project.container_registry_enabled
   end
 
-  def owner?
-    return @owner if defined?(@owner)
-
-    @owner = project.owner == user ||
-      (project.group && project.group.has_owner?(user))
-  end
-
-  def guest_access!
-    can! :read_project
-    can! :read_board
-    can! :read_list
-    can! :read_wiki
-    can! :read_issue
-    can! :read_label
-    can! :read_milestone
-    can! :read_project_snippet
-    can! :read_project_member
-    can! :read_note
-    can! :create_project
-    can! :create_issue
-    can! :create_note
-    can! :upload_file
-    can! :read_cycle_analytics
-
-    if project.public_builds?
-      can! :read_pipeline
-      can! :read_pipeline_schedule
-      can! :read_build
-    end
+  desc "Project has an external wiki"
+  condition(:has_external_wiki, scope: :subject) { project.has_external_wiki? }
+
+  desc "Project has request access enabled"
+  condition(:request_access_enabled, scope: :subject) { project.request_access_enabled }
+
+  features = %w[
+    merge_requests
+    issues
+    repository
+    snippets
+    wiki
+    builds
+  ]
+
+  features.each do |f|
+    # these are scored high because they are unlikely
+    desc "Project has #{f} disabled"
+    condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) }
   end
 
-  def reporter_access!
-    can! :download_code
-    can! :download_wiki_code
-    can! :fork_project
-    can! :create_project_snippet
-    can! :update_issue
-    can! :admin_issue
-    can! :admin_label
-    can! :admin_list
-    can! :read_commit_status
-    can! :read_build
-    can! :read_container_image
-    can! :read_pipeline
-    can! :read_pipeline_schedule
-    can! :read_environment
-    can! :read_deployment
-    can! :read_merge_request
-  end
-
-  # Permissions given when an user is team member of a project
-  def team_member_reporter_access!
-    can! :build_download_code
-    can! :build_read_container_image
-  end
-
-  def developer_access!
-    can! :admin_merge_request
-    can! :update_merge_request
-    can! :create_commit_status
-    can! :update_commit_status
-    can! :create_build
-    can! :update_build
-    can! :create_pipeline
-    can! :update_pipeline
-    can! :create_pipeline_schedule
-    can! :update_pipeline_schedule
-    can! :create_merge_request
-    can! :create_wiki
-    can! :push_code
-    can! :resolve_note
-    can! :create_container_image
-    can! :update_container_image
-    can! :create_environment
-    can! :create_deployment
-  end
-
-  def master_access!
-    can! :delete_protected_branch
-    can! :update_project_snippet
-    can! :update_environment
-    can! :update_deployment
-    can! :admin_milestone
-    can! :admin_project_snippet
-    can! :admin_project_member
-    can! :admin_note
-    can! :admin_wiki
-    can! :admin_project
-    can! :admin_commit_status
-    can! :admin_build
-    can! :admin_container_image
-    can! :admin_pipeline
-    can! :admin_pipeline_schedule
-    can! :admin_environment
-    can! :admin_deployment
-    can! :admin_pages
-    can! :read_pages
-    can! :update_pages
-  end
-
-  def public_access!
-    can! :download_code
-    can! :fork_project
-    can! :read_commit_status
-    can! :read_pipeline
-    can! :read_pipeline_schedule
-    can! :read_container_image
-    can! :build_download_code
-    can! :build_read_container_image
-    can! :read_merge_request
-  end
-
-  def owner_access!
-    guest_access!
-    reporter_access!
-    developer_access!
-    master_access!
-    can! :change_namespace
-    can! :change_visibility_level
-    can! :rename_project
-    can! :remove_project
-    can! :archive_project
-    can! :remove_fork_project
-    can! :destroy_merge_request
-    can! :destroy_issue
-    can! :remove_pages
-  end
-
-  def team_member_owner_access!
-    team_member_reporter_access!
-  end
-
-  # Push abilities on the users team role
-  def team_access!(user)
-    access = project.team.max_member_access(user.id)
-
-    return if access < Gitlab::Access::GUEST
-    guest_access!
-
-    return if access < Gitlab::Access::REPORTER
-    reporter_access!
-    team_member_reporter_access!
-
-    return if access < Gitlab::Access::DEVELOPER
-    developer_access!
-
-    return if access < Gitlab::Access::MASTER
-    master_access!
-  end
-
-  def archived_access!
-    cannot! :create_merge_request
-    cannot! :push_code
-    cannot! :delete_protected_branch
-    cannot! :update_merge_request
-    cannot! :admin_merge_request
-  end
-
-  def disabled_features!
-    repository_enabled = project.feature_available?(:repository, user)
-
-    block_issues_abilities
-
-    unless project.feature_available?(:merge_requests, user) && repository_enabled
-      cannot!(*named_abilities(:merge_request))
-    end
+  rule { guest }.enable :guest_access
+  rule { reporter }.enable :reporter_access
+  rule { developer }.enable :developer_access
+  rule { master }.enable :master_access
+
+  rule { owner | admin }.policy do
+    enable :guest_access
+    enable :reporter_access
+    enable :developer_access
+    enable :master_access
+
+    enable :change_namespace
+    enable :change_visibility_level
+    enable :rename_project
+    enable :remove_project
+    enable :archive_project
+    enable :remove_fork_project
+    enable :destroy_merge_request
+    enable :destroy_issue
+    enable :remove_pages
+  end
 
-    unless project.feature_available?(:issues, user) || project.feature_available?(:merge_requests, user)
-      cannot!(*named_abilities(:label))
-      cannot!(*named_abilities(:milestone))
-    end
+  rule { owner | reporter }.policy do
+    enable :build_download_code
+    enable :build_read_container_image
+  end
 
-    unless project.feature_available?(:snippets, user)
-      cannot!(*named_abilities(:project_snippet))
-    end
+  rule { can?(:guest_access) }.policy do
+    enable :read_project
+    enable :read_board
+    enable :read_list
+    enable :read_wiki
+    enable :read_issue
+    enable :read_label
+    enable :read_milestone
+    enable :read_project_snippet
+    enable :read_project_member
+    enable :read_note
+    enable :create_project
+    enable :create_issue
+    enable :create_note
+    enable :upload_file
+    enable :read_cycle_analytics
+    enable :read_project_snippet
+  end
 
-    unless project.feature_available?(:wiki, user) || project.has_external_wiki?
-      cannot!(*named_abilities(:wiki))
-      cannot!(:download_wiki_code)
-    end
+  rule { can?(:reporter_access) }.policy do
+    enable :download_code
+    enable :download_wiki_code
+    enable :fork_project
+    enable :create_project_snippet
+    enable :update_issue
+    enable :admin_issue
+    enable :admin_label
+    enable :admin_list
+    enable :read_commit_status
+    enable :read_build
+    enable :read_container_image
+    enable :read_pipeline
+    enable :read_pipeline_schedule
+    enable :read_environment
+    enable :read_deployment
+    enable :read_merge_request
+  end
 
-    unless project.feature_available?(:builds, user) && repository_enabled
-      cannot!(*named_abilities(:build))
-      cannot!(*named_abilities(:pipeline) - [:read_pipeline])
-      cannot!(*named_abilities(:pipeline_schedule))
-      cannot!(*named_abilities(:environment))
-      cannot!(*named_abilities(:deployment))
-    end
+  rule { (~anonymous & public_project) | internal_access }.policy do
+    enable :public_user_access
+  end
 
-    unless repository_enabled
-      cannot! :push_code
-      cannot! :delete_protected_branch
-      cannot! :download_code
-      cannot! :fork_project
-      cannot! :read_commit_status
-    end
+  rule { can?(:public_user_access) }.policy do
+    enable :guest_access
+    enable :request_access
+  end
 
-    unless project.container_registry_enabled
-      cannot!(*named_abilities(:container_image))
-    end
+  rule { owner | admin | guest | group_member }.prevent :request_access
+  rule { ~request_access_enabled }.prevent :request_access
+
+  rule { can?(:developer_access) }.policy do
+    enable :admin_merge_request
+    enable :update_merge_request
+    enable :create_commit_status
+    enable :update_commit_status
+    enable :create_build
+    enable :update_build
+    enable :create_pipeline
+    enable :update_pipeline
+    enable :create_pipeline_schedule
+    enable :update_pipeline_schedule
+    enable :create_merge_request
+    enable :create_wiki
+    enable :push_code
+    enable :resolve_note
+    enable :create_container_image
+    enable :update_container_image
+    enable :create_environment
+    enable :create_deployment
   end
 
-  def anonymous_rules
-    return unless project.public?
+  rule { can?(:master_access) }.policy do
+    enable :delete_protected_branch
+    enable :update_project_snippet
+    enable :update_environment
+    enable :update_deployment
+    enable :admin_milestone
+    enable :admin_project_snippet
+    enable :admin_project_member
+    enable :admin_note
+    enable :admin_wiki
+    enable :admin_project
+    enable :admin_commit_status
+    enable :admin_build
+    enable :admin_container_image
+    enable :admin_pipeline
+    enable :admin_pipeline_schedule
+    enable :admin_environment
+    enable :admin_deployment
+    enable :admin_pages
+    enable :read_pages
+    enable :update_pages
+  end
 
-    base_readonly_access!
+  rule { can?(:public_user_access) }.policy do
+    enable :public_access
 
-    # Allow to read builds by anonymous user if guests are allowed
-    can! :read_build if project.public_builds?
+    enable :fork_project
+    enable :build_download_code
+    enable :build_read_container_image
+  end
 
-    disabled_features!
+  rule { archived }.policy do
+    prevent :create_merge_request
+    prevent :push_code
+    prevent :delete_protected_branch
+    prevent :update_merge_request
+    prevent :admin_merge_request
   end
 
-  def block_issues_abilities
-    unless project.feature_available?(:issues, user)
-      cannot! :read_issue if project.default_issues_tracker?
-      cannot! :create_issue
-      cannot! :update_issue
-      cannot! :admin_issue
-    end
+  rule { merge_requests_disabled | repository_disabled }.policy do
+    prevent(*create_read_update_admin(:merge_request))
   end
 
-  def named_abilities(name)
-    [
-      :"read_#{name}",
-      :"create_#{name}",
-      :"update_#{name}",
-      :"admin_#{name}"
-    ]
+  rule { issues_disabled & merge_requests_disabled }.policy do
+    prevent(*create_read_update_admin(:label))
+    prevent(*create_read_update_admin(:milestone))
+  end
+
+  rule { snippets_disabled }.policy do
+    prevent(*create_read_update_admin(:project_snippet))
+  end
+
+  rule { wiki_disabled & ~has_external_wiki }.policy do
+    prevent(*create_read_update_admin(:wiki))
+    prevent(:download_wiki_code)
+  end
+
+  rule { builds_disabled | repository_disabled }.policy do
+    prevent(*create_read_update_admin(:build))
+    prevent(*(create_read_update_admin(:pipeline) - [:read_pipeline]))
+    prevent(*create_read_update_admin(:pipeline_schedule))
+    prevent(*create_read_update_admin(:environment))
+    prevent(*create_read_update_admin(:deployment))
+  end
+
+  rule { repository_disabled }.policy do
+    prevent :push_code
+    prevent :push_code_to_protected_branches
+    prevent :download_code
+    prevent :fork_project
+    prevent :read_commit_status
+  end
+
+  rule { container_registry_disabled }.policy do
+    prevent(*create_read_update_admin(:container_image))
+  end
+
+  rule { anonymous & ~public_project }.prevent_all
+  rule { public_project }.enable(:public_access)
+
+  rule { can?(:public_access) }.policy do
+    enable :read_project
+    enable :read_board
+    enable :read_list
+    enable :read_wiki
+    enable :read_label
+    enable :read_milestone
+    enable :read_project_snippet
+    enable :read_project_member
+    enable :read_merge_request
+    enable :read_note
+    enable :read_pipeline
+    enable :read_pipeline_schedule
+    enable :read_commit_status
+    enable :read_container_image
+    enable :download_code
+    enable :download_wiki_code
+    enable :read_cycle_analytics
+
+    # NOTE: may be overridden by IssuePolicy
+    enable :read_issue
+  end
+
+  rule { public_builds }.policy do
+    enable :read_build
+  end
+
+  rule { public_builds & can?(:guest_access) }.policy do
+    enable :read_pipeline
+    enable :read_pipeline_schedule
+  end
+
+  rule { issues_disabled }.policy do
+    prevent :create_issue
+    prevent :update_issue
+    prevent :admin_issue
+  end
+
+  rule { issues_disabled & default_issues_tracker }.policy do
+    prevent :read_issue
   end
 
   private
 
-  def project_group_member?(user)
+  def is_team_member?
+    return false if @user.nil?
+
+    greedy_load_subject = false
+
+    # when scoping by subject, we want to be greedy
+    # and load *all* the members with one query.
+    greedy_load_subject ||= DeclarativePolicy.preferred_scope == :subject
+
+    # in this case we're likely to have loaded #members already
+    # anyways, and #member? would fail with an error
+    greedy_load_subject ||= !@user.persisted?
+
+    if greedy_load_subject
+      project.team.members.include?(user)
+    else
+      # otherwise we just make a specific query for
+      # this particular user.
+      team_access_level >= Gitlab::Access::GUEST
+    end
+  end
+
+  def project_group_member?
+    return false if @user.nil?
+
     project.group &&
       (
-        project.group.members_with_parents.exists?(user_id: user.id) ||
-        project.group.requesters.exists?(user_id: user.id)
+        project.group.members_with_parents.exists?(user_id: @user.id) ||
+        project.group.requesters.exists?(user_id: @user.id)
       )
   end
 
-  def access_requestable?
-    project.request_access_enabled &&
-      !owner? &&
-      !user.admin? &&
-      !project.team.member?(user) &&
-      !project_group_member?(user)
-  end
-
-  # A base set of abilities for read-only users, which
-  # is then augmented as necessary for anonymous and other
-  # read-only users.
-  def base_readonly_access!
-    can! :read_project
-    can! :read_board
-    can! :read_list
-    can! :read_wiki
-    can! :read_label
-    can! :read_milestone
-    can! :read_project_snippet
-    can! :read_project_member
-    can! :read_merge_request
-    can! :read_note
-    can! :read_pipeline
-    can! :read_pipeline_schedule
-    can! :read_commit_status
-    can! :read_container_image
-    can! :download_code
-    can! :download_wiki_code
-    can! :read_cycle_analytics
+  def team_access_level
+    return -1 if @user.nil?
 
-    # NOTE: may be overridden by IssuePolicy
-    can! :read_issue
+    # NOTE: max_member_access has its own cache
+    project.team.max_member_access(@user.id)
+  end
+
+  def feature_available?(feature)
+    case project.project_feature.access_level(feature)
+    when ProjectFeature::DISABLED
+      false
+    when ProjectFeature::PRIVATE
+      guest? || admin?
+    else
+      true
+    end
+  end
+
+  def project
+    @subject
   end
 end