authorhttp://jneen.net/ <jneen@jneen.net>2016-08-12 11:36:16 -0700
committerhttp://jneen.net/ <jneen@jneen.net>2016-08-30 11:39:22 -0700
commit1ca9b3354a350b83d1e025b3d46280bc5bb60f2b (patch)
tree02d4eb19aa65547badc63f7d41c5adbd2fe5439b /app/policies
parent29b1623a3615fb7683702f4de2dfeafca10f9c1c (diff)
downloadgitlab-ce-1ca9b3354a350b83d1e025b3d46280bc5bb60f2b.tar.gz
add support for anonymous abilities
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb26
-rw-r--r--app/policies/project_policy.rb52
2 files changed, 61 insertions, 17 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 3f52b0b005a..10ce38329c4 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -1,14 +1,21 @@
class BasePolicy
+ def self.abilities(user, subject)
+ new(user, subject).abilities
+ end
+
+ attr_reader :user, :subject
def initialize(user, subject)
@user = user
@subject = subject
end
def abilities
- @can = Set.new
- @cannot = Set.new
- generate!
- @can - @cannot
+ return anonymous_abilities if @user.nil?
+ collect_rules { rules }
+ end
+
+ def anonymous_abilities
+ collect_rules { anonymous_rules }
end
def generate!
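Review bot: `abilities` now dispatches to `rules` and `anonymous_rules`, but neither is defined on `BasePolicy` in the visible lines, while the old `generate!` hook survives as context at the end of this hunk (its body lies outside it). If the base class has no default in the lines not shown, a policy subclass that has not been ported raises `NoMethodError` for signed-out requests instead of returning an empty set. I would add a deny-by-default `def anonymous_rules; end` with the comment `# Grants nothing to signed-out users unless a subclass overrides this.` and either remove `generate!` or make `rules` raise `NotImplementedError`. As a smaller style point, `@user.nil?` could use the `user` reader added just above.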
@@ -22,4 +29,15 @@ class BasePolicy
def cannot!(*rules)
@cannot.merge(rules)
end
+
+ private
+
+ def collect_rules(&b)
+ return Set.new if @subject.nil?
+
+ @can = Set.new
+ @cannot = Set.new
+ yield
+ @can - @cannot
+ end
end
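Review bot: `collect_rules(&b)` captures the block as `b` but then calls `yield`, so the parameter is unused and `def collect_rules` is enough. The early `return Set.new if @subject.nil?` is what keeps a nil subject deny-by-default and deserves a comment such as `# No subject, no abilities: never evaluate rules against nil.` A one-line docstring should also say that `can!` and `cannot!` are only valid inside the yielded block, because `@can` and `@cannot` are assigned here.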
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1e82070e62a..95e8b71c102 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -28,6 +28,7 @@ class ProjectPolicy < BasePolicy
can! :update_issue
can! :admin_issue
can! :admin_label
+ can! :admin_list
can! :read_commit_status
can! :read_build
can! :read_container_image
@@ -48,6 +49,7 @@ class ProjectPolicy < BasePolicy
can! :create_merge_request
can! :create_wiki
can! :push_code
+ can! :resolve_note
can! :create_container_image
can! :update_container_image
can! :create_environment
@@ -98,8 +100,8 @@ class ProjectPolicy < BasePolicy
end
# Push abilities on the users team role
- def team_access!
- access = project.team.max_member_access(@user.id)
+ def team_access!(user)
+ access = project.team.max_member_access(user.id)
return if access < Gitlab::Access::GUEST
guest_access!
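Review bot: `team_access!(user)` takes the user as an argument even though this commit adds `attr_reader :user` to `BasePolicy` and the only visible caller passes that same `user`. Accepting an arbitrary user lets a future caller merge another account's team role into this policy's `@can` set. Keeping the method parameterless and reading `user.id` from the reader removes that possibility. The same applies to `project_group_member?(user)` in the last hunk. The body of `team_access!` continues outside this hunk.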
@@ -140,7 +142,7 @@ class ProjectPolicy < BasePolicy
cannot!(*named_abilities(:project_snippet))
end
- unless project.wiki_enabled
+ unless project.has_wiki?
cannot!(*named_abilities(:wiki))
end
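Review bot: The switch from `project.wiki_enabled` to `project.has_wiki?` is unrelated to the commit's stated purpose and changes when the wiki abilities are revoked, if the two predicates differ. Neither definition is visible here; if `has_wiki?` is also true for projects that only have an external wiki configured, those projects would keep the built-in wiki abilities even with the internal wiki turned off. Please confirm that is intended and cover it with a policy spec for a project whose built-in wiki is disabled. The enclosing method starts and ends outside this hunk.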
@@ -156,16 +158,16 @@ class ProjectPolicy < BasePolicy
end
end
- def generate!
- team_access!
+ def rules
+ team_access!(user)
- owner = @user.admin? ||
- project.owner == @user ||
- (project.group && project.group.has_owner?(@user))
+ owner = user.admin? ||
+ project.owner == user ||
+ (project.group && project.group.has_owner?(user))
owner_access! if owner
- if project.public? || (project.internal? && !@user.external?)
+ if project.public? || (project.internal? && !user.external?)
guest_access!
public_access!
@@ -173,7 +175,7 @@ class ProjectPolicy < BasePolicy
can! :read_build if project.public_builds?
if project.request_access_enabled &&
- !(owner || project.team.member?(@user) || project_group_member?)
+ !(owner || project.team.member?(user) || project_group_member?(user))
can! :request_access
end
end
@@ -183,11 +185,35 @@ class ProjectPolicy < BasePolicy
disabled_features!
end
- def project_group_member?
+ def anonymous_rules
+ return unless project.public?
+
+ can! :read_project
+ can! :read_board
+ can! :read_list
+ can! :read_wiki
+ can! :read_label
+ can! :read_milestone
+ can! :read_project_snippet
+ can! :read_project_member
+ can! :read_merge_request
+ can! :read_note
+ can! :read_pipeline
+ can! :read_commit_status
+ can! :read_container_image
+ can! :download_code
+
+ # Allow to read builds by anonymous user if guests are allowed
+ can! :read_build if project.public_builds?
+
+ disabled_features!
+ end
+
+ def project_group_member?(user)
project.group &&
(
- project.group.members.exists?(user_id: @user.id) ||
- project.group.requesters.exists?(user_id: @user.id)
+ project.group.members.exists?(user_id: user.id) ||
+ project.group.requesters.exists?(user_id: user.id)
)
end
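Review bot: `anonymous_rules` hard-codes its own list of read abilities instead of sharing one with the signed-in path, so the two can drift: an ability later judged too sensitive for the public and removed from one list stays granted in the other. `:read_project_member` and `:download_code` are the grants I would most want justified for signed-out users. I would add a comment above the list, `# Keep in sync with public_access!; everything here is visible without signing in.`, and a spec asserting that the anonymous set on a public project is a subset of what a signed-in non-member gets. Calling `disabled_features!` last is right, since `cannot!` entries are subtracted in `collect_rules`; its body is not visible, so check that it never dereferences `user`, which is nil on this path.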