Merge branch 'refactor/add-policies' into 'master'

Refactor ability.rb into Policies

## What does this MR do?
Factors out `ability.rb` into a new abstraction - the "policy" (stored in `app/policies`). A policy is a class named `#{class_name}Policy` (looked up automatically as needed) that implements `rules` as follows:

``` ruby
class ThingPolicy < BasePolicy
  def rules
    @user # this is a user to determine abilities for, optionally nil in the anonymous case
    @subject # this is the subject of the ability, guaranteed to be an instance of `Thing`
    can! :some_ability # grant the :some_ability permission
    cannot! :some_ability # ensure that :some_ability is not allowed. this overrides any `can!` that is called before or after
    delegate! @subject.other_thing # merge the abilities (can!) and prohibitions (cannot!) from `@subject.other_thing`
    can? :some_ability # test whether, so far, :some_ability is allowed
  end

  def anonymous_rules
    # optional. if not implemented `rules` is called where `@user` is nil. otherwise this method is called when `@user` is nil.
  end
end
```

See merge request !5796

3 files changed, 6 insertions, 6 deletions

diff --git a/spec/controllers/projects/boards/issues_controller_spec.rb b/spec/controllers/projects/boards/issues_controller_spec.rb
index d0ad5e26dbd..2896636db5a 100644
--- a/spec/controllers/projects/boards/issues_controller_spec.rb
+++ b/spec/controllers/projects/boards/issues_controller_spec.rb
@@ -41,8 +41,8 @@ describe Projects::Boards::IssuesController do
 
     context 'with unauthorized user' do
       before do
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
+        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+        allow(Ability).to receive(:allowed?).with(user, :read_issue, project).and_return(false)
       end
 
       it 'returns a successful 403 response' do
diff --git a/spec/controllers/projects/boards/lists_controller_spec.rb b/spec/controllers/projects/boards/lists_controller_spec.rb
index 261f35f28ed..d687dea3c3b 100644
--- a/spec/controllers/projects/boards/lists_controller_spec.rb
+++ b/spec/controllers/projects/boards/lists_controller_spec.rb
@@ -35,8 +35,8 @@ describe Projects::Boards::ListsController do
 
     context 'with unauthorized user' do
       before do
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_list, project).and_return(false)
+        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+        allow(Ability).to receive(:allowed?).with(user, :read_list, project).and_return(false)
       end
 
       it 'returns a forbidden 403 response' do
diff --git a/spec/controllers/projects/boards_controller_spec.rb b/spec/controllers/projects/boards_controller_spec.rb
index 75a6d39e82c..6f6e608e1f3 100644
--- a/spec/controllers/projects/boards_controller_spec.rb
+++ b/spec/controllers/projects/boards_controller_spec.rb
@@ -23,8 +23,8 @@ describe Projects::BoardsController do
 
     context 'with unauthorized user' do
       before do
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_project, project).and_return(true)
-        allow(Ability.abilities).to receive(:allowed?).with(user, :read_board, project).and_return(false)
+        allow(Ability).to receive(:allowed?).with(user, :read_project, project).and_return(true)
+        allow(Ability).to receive(:allowed?).with(user, :read_board, project).and_return(false)
       end
 
       it 'returns a successful 404 response' do