From e84c155f092600b90be291f0f7bb649811fa53fb Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Tue, 12 Apr 2016 16:16:39 +0200
Subject: WIP
---
 app/models/ability.rb | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index c0bf6def7c5..ec5ac54c277 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -195,6 +195,7 @@ class Ability
 :admin_label,
 :read_commit_status,
 :read_build,
+ :read_pipeline,
 ]
 end
@@ -206,6 +207,8 @@ class Ability
 :update_commit_status,
 :create_build,
 :update_build,
+ :create_pipeline,
+ :update_pipeline,
 :create_merge_request,
 :create_wiki,
 :push_code
@@ -234,7 +237,8 @@ class Ability
 :admin_wiki,
 :admin_project,
 :admin_commit_status,
- :admin_build
+ :admin_build,
+ :admin_pipeline
 ]
 end
@@ -277,6 +281,7 @@ class Ability
 unless project.builds_enabled
 rules += named_abilities('build')
+ rules += named_abilities('pipeline')
 end
 rules
-- cgit v1.2.1
From f41a3e24d20b26b53c5321571ef89f441c32aa4d Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Mon, 18 Apr 2016 08:13:16 -0400
Subject: Added authentication service for docker registry
---
 app/models/ability.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 6103a2947e2..ba27b9a9b14 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -203,6 +203,7 @@ class Ability
 :admin_label,
 :read_commit_status,
 :read_build,
+ :read_image,
 ]
 end
@@ -216,7 +217,9 @@ class Ability
 :update_build,
 :create_merge_request,
 :create_wiki,
- :push_code
+ :push_code,
+ :create_image,
+ :update_image,
 ]
 end
@@ -242,7 +245,8 @@ class Ability
 :admin_wiki,
 :admin_project,
 :admin_commit_status,
- :admin_build
+ :admin_build,
+ :admin_image
 ]
 end
-- cgit v1.2.1
From 0094d8f19644152a66b9d21b8cd86f797199311f Mon Sep 17 00:00:00 2001
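Review bot: In the WIP commit's last hunk (`@@ -277,6 +281,7 @@`), `rules += named_abilities('pipeline')` withholds the new permissions only if `named_abilities` yields exactly the four names added to the role lists in the earlier hunks (`:read_pipeline`, `:create_pipeline`, `:update_pipeline`, `:admin_pipeline`). That helper is outside the diff, so the match is worth pinning with a spec for a project that has builds disabled. Assuming `rules` collects the abilities withheld for disabled features, a comment would make the coupling explicit: `# pipelines belong to the builds feature, so both sets are withheld together`. The enclosing method starts and ends outside the hunk.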
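Review bot: In the `Added authentication service for docker registry` commit, `:read_image`, `:create_image`, `:update_image` and `:admin_image` are added to the role lists, but none of its three hunks touches the block that withholds abilities for a disabled feature, which the preceding commit shows as `unless project.builds_enabled` / `rules += named_abilities('build')`. If registry access can be switched off per project, these abilities need the same treatment, for example `rules += named_abilities('image')` behind that project setting; whether such a setting exists at this commit is not visible here. The new authentication service presumably decides image pull and push from these abilities, so without the filter a role would keep them on a project where the registry is meant to be off. The lists' enclosing methods start outside the hunks.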
From: Kamil Trzcinski
Date: Mon, 9 May 2016 20:29:57 +0300
Subject: Rename `images` to `container_registry`
---
 app/models/ability.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index ba27b9a9b14..59d5195f5b9 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -203,7 +203,7 @@ class Ability
 :admin_label,
 :read_commit_status,
 :read_build,
- :read_image,
+ :read_container_registry,
 ]
 end
@@ -218,8 +218,8 @@ class Ability
 :create_merge_request,
 :create_wiki,
 :push_code,
- :create_image,
- :update_image,
+ :create_container_registry,
+ :update_container_registry,
 ]
 end
@@ -246,7 +246,7 @@ class Ability
 :admin_project,
 :admin_commit_status,
 :admin_build,
- :admin_image
+ :admin_container_registry,
 ]
 end
@@ -291,6 +291,10 @@ class Ability
 rules += named_abilities('build')
 end
+ unless project.container_registry_enabled
+ rules += named_abilities('container_registry')
+ end
+
 rules
 end
-- cgit v1.2.1
From 715a8cfa2f4639bf36b604f6e3eb2814187367c0 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Sat, 14 May 2016 14:22:45 -0500
Subject: Fix authentication service
---
 app/models/ability.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 59d5195f5b9..74321240468 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,6 +61,7 @@ class Ability
 :read_merge_request,
 :read_note,
 :read_commit_status,
+ :read_container_registry,
 :download_code
 ]
-- cgit v1.2.1
From f4f9184a01bc7442411bbcffd9b6a86784fa5f53 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Sat, 14 May 2016 18:23:31 -0500
Subject: Rename JWT to JSONWebToken
---
 app/models/ability.rb | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 74321240468..f70268d3138 100644
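Review bot: In the `Fix authentication service` commit (`@@ -61,6 +61,7 @@`), `:read_container_registry` is added to a list that sits next to `:download_code`, and nothing in the hunk or the subject line says which audience that list serves or why it needs registry read access. If this is the set granted for public projects without a signed-in user, which the list's position and contents suggest but the hunk does not show, the change opens image pulls to everyone and deserves a comment such as `# lets unauthenticated clients pull images from public projects`. It is also worth confirming that the `unless project.container_registry_enabled` filter at line 291 is applied on this path, otherwise the ability survives on projects where the registry is turned off. The list's enclosing method starts outside the hunk.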
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -61,7 +61,7 @@ class Ability
 :read_merge_request,
 :read_note,
 :read_commit_status,
- :read_container_registry,
+ :read_container_image,
 :download_code
 ]
@@ -204,7 +204,7 @@ class Ability
 :admin_label,
 :read_commit_status,
 :read_build,
- :read_container_registry,
+ :read_container_image,
 ]
 end
@@ -219,8 +219,8 @@ class Ability
 :create_merge_request,
 :create_wiki,
 :push_code,
- :create_container_registry,
- :update_container_registry,
+ :create_container_image,
+ :update_container_image,
 ]
 end
@@ -247,7 +247,7 @@ class Ability
 :admin_project,
 :admin_commit_status,
 :admin_build,
- :admin_container_registry,
+ :admin_container_image,
 ]
 end
@@ -293,7 +293,7 @@ class Ability
 end
 unless project.container_registry_enabled
- rules += named_abilities('container_registry')
+ rules += named_abilities('container_image')
 end
 rules
-- cgit v1.2.1
From cd26cfbc27218b734a1a78836084f2205a18c580 Mon Sep 17 00:00:00 2001
From: Kamil Trzcinski
Date: Sat, 21 May 2016 17:58:11 -0500
Subject: Allow anonymous user to access pipelines
---
 app/models/ability.rb | 1 +
 1 file changed, 1 insertion(+)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index f7ea2fd2b1f..b354b1990c7 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -60,6 +60,7 @@ class Ability
 :read_project_member,
 :read_merge_request,
 :read_note,
+ :read_pipeline,
 :read_commit_status,
 :read_container_image,
 :download_code
-- cgit v1.2.1
From 86cf9dd2535adac3d739edbb845f7388e42f447d Mon Sep 17 00:00:00 2001
From: Grzegorz Bizon
Date: Mon, 30 May 2016 12:34:25 +0200
Subject: Enable Lint/LiteralInCondition rubocop cop Checks of literals used in conditions. See #17478
---
 app/models/ability.rb | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index b354b1990c7..8c5b255223d 100644
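Review bot: In the `Allow anonymous user to access pipelines` commit (`@@ -60,6 +60,7 @@`), `:read_pipeline` is granted unconditionally, while the visible part of the same list carries no `:read_build`, which suggests that build visibility for anonymous users is decided somewhere else. If that is the case, `:read_pipeline` should follow the same condition, since a pipeline presumably exposes the status and metadata of the builds it groups. It is also worth a spec showing that the `named_abilities('pipeline')` removal under `unless project.builds_enabled` takes effect for a user without a session. The list starts outside the hunk and its closing bracket is not shown.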
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -25,18 +25,17 @@ class Ability
 # List of possible abilities for anonymous user
 def anonymous_abilities(user, subject)
- case true
- when subject.is_a?(PersonalSnippet)
+ if subject.is_a?(PersonalSnippet)
 anonymous_personal_snippet_abilities(subject)
- when subject.is_a?(ProjectSnippet)
+ elsif subject.is_a?(ProjectSnippet)
 anonymous_project_snippet_abilities(subject)
- when subject.is_a?(CommitStatus)
+ elsif subject.is_a?(CommitStatus)
 anonymous_commit_status_abilities(subject)
- when subject.is_a?(Project) || subject.respond_to?(:project)
+ elsif subject.is_a?(Project) || subject.respond_to?(:project)
 anonymous_project_abilities(subject)
- when subject.is_a?(Group) || subject.respond_to?(:group)
+ elsif subject.is_a?(Group) || subject.respond_to?(:group)
 anonymous_group_abilities(subject)
- when subject.is_a?(User)
+ elsif subject.is_a?(User)
 anonymous_user_abilities
 else
 []
-- cgit v1.2.1
From 580d250166d97bd5c2b0526be737d02806e577c2 Mon Sep 17 00:00:00 2001
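Review bot: The branch order in `anonymous_abilities` is significant and the rewritten chain leaves that undocumented: the `is_a?(ProjectSnippet)` and `is_a?(CommitStatus)` tests have to run before the generic `subject.respond_to?(:project)` branch, which those classes presumably also satisfy, or such subjects would be given the broader project abilities. A comment above the chain would protect it from a later reordering: `# Order matters: specific classes first, the respond_to? fallbacks last`. The `user` parameter is not read anywhere in the visible part of the body, which may be worth a note as well. The method's closing `end` lines are outside the hunk.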
From: Yorick Peterse
Date: Thu, 26 May 2016 13:38:28 +0200
Subject: Refactor Participable There are several changes to this module: 1. The use of an explicit stack in Participable#participants 2. Proc behaviour has been changed 3. Batch permissions checking == Explicit Stack Participable#participants no longer uses recursion to process "self" and all child objects, instead it uses an Array and processes objects in breadth-first order. This allows us to for example create a single Gitlab::ReferenceExtractor instance and pass this to any Procs. Re-using a ReferenceExtractor removes the need for running potentially many SQL queries every time a Proc is called on a new object. == Proc Behaviour Changed Previously a Proc in Participable was expected to return an Array of User instances. This has been changed and instead it's now expected that a Proc modifies the Gitlab::ReferenceExtractor passed to it. The return value of the Proc is ignored. == Permissions Checking The method Participable#participants uses Ability.users_that_can_read_project to check if the returned users have access to the project of "self" _without_ running multiple SQL queries for every user.
---
 app/models/ability.rb | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'app/models/ability.rb')
diff --git a/app/models/ability.rb b/app/models/ability.rb
index b354b1990c7..2a433afe3a6 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -23,6 +23,28 @@ class Ability
 end.concat(global_abilities(user))
 end
+ # Given a list of users and a project this method returns the users that can
+ # read the given project.
+ def users_that_can_read_project(users, project)
+ if project.public?
+ users
+ else
+ users.select do |user|
+ if user.admin?
+ true
+ elsif project.internal? && !user.external?
+ true
+ elsif project.owner == user
+ true
+ elsif project.team.members.include?(user)
+ true
+ else
+ false
+ end
+ end
+ end
+ end
+
 # List of possible abilities for anonymous user
 def anonymous_abilities(user, subject)
 case true
-- cgit v1.2.1
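Review bot: `users_that_can_read_project` decides read access with its own hand-written chain instead of the rules the rest of `Ability` applies, so the two can drift apart; the method comment should say it is a batch shortcut that has to be kept in step with the per-user project rules, and a spec comparing both for each visibility level would catch a mismatch. Within the block, `project.team.members` is evaluated for every user that reaches the last branch, which, unless the team memoizes it, repeats the lookup the commit message sets out to avoid. Resolving the members once before the `select` and folding the `true`/`false` branches into one boolean expression keeps the result the same. The comparison `project.owner == user` presumably never matches for a group-owned project, so those users depend entirely on the members check.

```ruby
# … unchanged: the two comment lines above the method …
def users_that_can_read_project(users, project)
  return users if project.public?

  # Resolve the member list once, not once per candidate user.
  members = project.team.members

  users.select do |user|
    user.admin? ||
      (project.internal? && !user.external?) ||
      project.owner == user ||
      members.include?(user)
  end
end
```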