diff --git a/app/models/member.rb b/app/models/member.rb
index b8413da94b..001dd49c88 100644
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -38,10 +38,6 @@ class Member < ApplicationRecord # rubocop:disable Metrics/ClassLength
 }
 class << self
- DEFAULT_CAN_OPTIONS = {
- include_group_links: true
- }.freeze
-
 def access_levels(member)
 case member.access_level
 when AccessLevel::OWNER
@@ -64,121 +60,10 @@ def effective_access_level(namespace, user, include_group_links = true) # ruboco
 access_level.nil? ? AccessLevel::NO_ACCESS : access_level
 end
- def can_modify?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user, include_group_links)
- )
- end
-
- def can_create?(user, object_namespace)
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user)
- )
- end
-
- def can_view?(user, object_namespace, **options)
- options = DEFAULT_CAN_OPTIONS.merge(options)
- effective_access_level = effective_access_level(object_namespace, user, options[:include_group_links])
- if effective_access_level == Member::AccessLevel::UPLOADER &&
- !Current.token&.active?
- return false
- end
-
- effective_access_level > Member::AccessLevel::NO_ACCESS
- end
-
- def can_destroy?(user, object_namespace)
- namespace_owners_include_user?(user, object_namespace)
- end
-
- def can_transfer?(user, object_namespace)
- namespace_owners_include_user?(user, object_namespace)
- end
-
- def can_transfer_into_namespace?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user, include_group_links)
- )
- end
-
- def can_transfer_sample?(user, object_namespace)
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user, false)
- )
- end
-
- def can_transfer_sample_to_project?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- can_transfer_into_namespace?(user, object_namespace, include_group_links)
- end
-
- def can_clone_sample?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user, include_group_links)
- )
- end
-
- def can_clone_sample_to_project?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- Member::AccessLevel.manageable.include?(
- effective_access_level(object_namespace, user, include_group_links)
- )
- end
-
- def can_export_data?(user, object_namespace)
- effective_access_level(object_namespace, user) >= Member::AccessLevel::ANALYST
- end
-
- def can_link_namespace_to_group?(user, object_namespace)
- can_modify?(user, object_namespace)
- end
-
- def can_unlink_namespace_from_group?(user, object_namespace)
- can_modify?(user, object_namespace)
- end
-
- def can_update_namespace_with_group_link?(user, object_namespace)
- can_modify?(user, object_namespace)
- end
-
- def can_view_workflows?(user, object_namespace)
- effective_access_level(object_namespace, user) >= Member::AccessLevel::ANALYST
- end
-
- def can_submit_workflow?(user, object_namespace)
- effective_access_level(object_namespace, user) >= Member::AccessLevel::ANALYST
- end
-
- def namespace_owners_include_user?(user, namespace)
- effective_access_level(namespace, user) == Member::AccessLevel::OWNER
- end
-
 def user_has_namespace_maintainer_access?(user, namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
 effective_access_level(namespace, user, include_group_links) == Member::AccessLevel::MAINTAINER
 end
-
- def can_create_export?(user, object_namespace)
- effective_access_level(object_namespace, user) >= Member::AccessLevel::ANALYST
- end
-
- def can_create_sample?(user, object_namespace)
- effective_access_level = effective_access_level(object_namespace, user)
-
- return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
-
- Member::AccessLevel.manageable.include?(
- effective_access_level
- )
- end
-
- def can_modify_sample?(user, object_namespace)
- effective_access_level = effective_access_level(object_namespace, user)
-
- return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
-
- Member::AccessLevel.manageable.include?(
- effective_access_level
- )
- end
-
 def access_level_in_namespace_group_links(user, namespace)
 effective_namespace_group_link = NamespaceGroupLink.for_namespace_and_ancestors(namespace)
 .where(group: user.groups.self_and_descendants)
@@ -216,28 +101,6 @@ def manager_emails(namespace, locale, access_level = Member::AccessLevel.managea
 manager_emails
 end
- def can_view_attachments?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- effective_access_level(object_namespace, user, include_group_links) >= Member::AccessLevel::ANALYST
- end
-
- def can_create_attachment?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- effective_access_level = effective_access_level(object_namespace, user, include_group_links)
- return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
-
- Member::AccessLevel.manageable.include?(
- effective_access_level
- )
- end
-
- def can_destroy_attachment?(user, object_namespace, include_group_links = true) # rubocop:disable Style/OptionalBooleanParameter
- effective_access_level = effective_access_level(object_namespace, user, include_group_links)
- return true if (effective_access_level == Member::AccessLevel::UPLOADER) && Current.token&.active?
-
- Member::AccessLevel.manageable.include?(
- effective_access_level
- )
- end
-
 def ransackable_attributes(_auth_object = nil)
 %w[access_level created_at expires_at]
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 220d9004db..c8d6f2b2c0 100644
--- a/app/policies/group_policy.rb
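Review bot: `effective_access_level` (only its `def` is visible, in the hunk header; its body starts outside the hunk) becomes the single primitive every policy and service in this commit compares against, yet it carries no doc comment saying what it returns or what `include_group_links` changes. Suggest a YARD comment above it along the lines of `# @return [Integer] the access level user holds on namespace, Member::AccessLevel::NO_ACCESS when none applies` plus `# @param include_group_links [Boolean] presumably whether NamespaceGroupLink access is considered (see access_level_in_namespace_group_links)`, and a sentence noting that the UPLOADER-needs-an-active-token rule formerly in `can_view?`/`can_create_sample?` now lives only in the policies' `token_active`, so it is not reintroduced here. The surviving `user_has_namespace_maintainer_access?` keeps its `Style/OptionalBooleanParameter` disable; the callers visible in this diff (members/destroy_service, projects/create_service) pass two arguments, so `include_group_links: true` as a keyword would be compatible with them, though callers outside the diff cannot be checked from here.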
+++ b/app/policies/group_policy.rb
@@ -18,7 +18,6 @@ def token_active(access_level)
 end
 def activity?
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -29,7 +28,6 @@ def activity?
 end
 def create?
- # return true if Member.can_create?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -37,7 +35,6 @@ def create?
 end
 def create_subgroup?
- # return true if Member.can_create?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -45,7 +42,6 @@ def create_subgroup?
 end
 def view_history?
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -56,7 +52,6 @@ def view_history?
 end
 def destroy?
- # return true if Member.can_destroy?(user, record) == true
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
@@ -64,7 +59,6 @@ def destroy?
 end
 def edit?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -72,7 +66,6 @@ def edit?
 end
 def new?
- # return true if Member.can_create?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -80,7 +73,6 @@ def new?
 end
 def read?
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -92,7 +84,6 @@ def read?
 end
 def transfer?
- # return true if Member.can_transfer?(user, record)
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
@@ -100,7 +91,6 @@ def transfer?
 end
 def transfer_into_namespace?
- # return true if Member.can_transfer_into_namespace?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -108,7 +98,6 @@ def transfer_into_namespace?
 end
 def update?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -116,7 +105,6 @@ def update?
 end
 def member_listing?
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -127,7 +115,6 @@ def member_listing?
 end
 def create_member?
- # return true if Member.can_create?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -135,7 +122,6 @@ def create_member?
 end
 def destroy_member?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -143,7 +129,6 @@ def destroy_member?
 end
 def update_member?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -151,7 +136,6 @@ def update_member?
 end
 def sample_listing?
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -162,7 +146,6 @@ def sample_listing?
 end
 def link_namespace_with_group?
- # return true if Member.can_link_namespace_to_group?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -170,7 +153,6 @@ def link_namespace_with_group?
 end
 def unlink_namespace_with_group?
- # return true if Member.can_unlink_namespace_from_group?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -178,7 +160,6 @@ def unlink_namespace_with_group?
 end
 def update_namespace_with_group_link?
- # return true if Member.can_update_namespace_with_group_link?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -186,7 +167,6 @@ def update_namespace_with_group_link?
 end
 def submit_workflow?
- # return true if Member.can_submit_workflow?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -194,7 +174,6 @@ def submit_workflow?
 end
 def export_data?
- # return true if Member.can_export_data?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -202,7 +181,6 @@ def export_data?
 end
 def create_bot_accounts?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -210,7 +188,6 @@ def create_bot_accounts?
 end
 def destroy_bot_accounts?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -218,7 +195,6 @@ def destroy_bot_accounts?
 end
 def view_bot_accounts?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -226,7 +202,6 @@ def view_bot_accounts?
 end
 def view_bot_personal_access_tokens?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -234,7 +209,6 @@ def view_bot_personal_access_tokens?
 end
 def generate_bot_personal_access_token?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -242,7 +216,6 @@ def generate_bot_personal_access_token?
 end
 def revoke_bot_personal_access_token?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -250,7 +223,6 @@ def revoke_bot_personal_access_token?
 end
 def update_sample_metadata?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -258,7 +230,6 @@ def update_sample_metadata?
 end
 def view_attachments?
- # return true if Member.can_view_attachments?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -266,7 +237,6 @@ def view_attachments?
 end
 def create_attachment?
- # return true if Member.can_create_attachment?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 return true if token_active(effective_access_level) == true
@@ -275,7 +245,6 @@ def create_attachment?
 end
 def destroy_attachment?
- # return true if Member.can_destroy_attachment?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 return true if token_active(effective_access_level) == true
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
index 2ebabc140a..4d8d21deb7 100644
--- a/app/policies/namespaces/project_namespace_policy.rb
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -12,8 +12,6 @@ def effective_access_level
 end
 def update?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -21,8 +19,6 @@ def update?
 end
 def member_listing?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_view?(user, record) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -33,8 +29,6 @@ def member_listing?
 end
 def create_member?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_create?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -42,8 +36,6 @@ def create_member?
 end
 def destroy_member?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -51,8 +43,6 @@ def destroy_member?
 end
 def update_member?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -60,8 +50,6 @@ def update_member?
 end
 def link_namespace_with_group?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_link_namespace_to_group?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -69,8 +57,6 @@ def link_namespace_with_group?
 end
 def unlink_namespace_with_group?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_unlink_namespace_from_group?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -78,8 +64,6 @@ def unlink_namespace_with_group?
 end
 def update_namespace_with_group_link?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_update_namespace_with_group_link?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -87,8 +71,6 @@ def update_namespace_with_group_link?
 end
 def create_bot_accounts?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -96,8 +78,6 @@ def create_bot_accounts?
 end
 def destroy_bot_accounts?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -105,8 +85,6 @@ def destroy_bot_accounts?
 end
 def view_bot_accounts?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -114,8 +92,6 @@ def view_bot_accounts?
 end
 def view_bot_personal_access_tokens?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -123,8 +99,6 @@ def view_bot_personal_access_tokens?
 end
 def generate_bot_personal_access_token?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -132,8 +106,6 @@ def generate_bot_personal_access_token?
 end
 def revoke_bot_personal_access_token?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -141,8 +113,6 @@ def revoke_bot_personal_access_token?
 end
 def create_automated_workflow_executions?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -150,8 +120,6 @@ def create_automated_workflow_executions?
 end
 def destroy_automated_workflow_executions?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -159,8 +127,6 @@ def destroy_automated_workflow_executions?
 end
 def update_automated_workflow_executions?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -168,8 +134,6 @@ def update_automated_workflow_executions?
 end
 def view_automated_workflow_executions?
- # return true if record.parent.user_namespace? && record.parent.owner == user
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -177,7 +141,6 @@ def view_automated_workflow_executions?
 end
 def submit_workflow?
- # return true if Member.can_submit_workflow?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -185,7 +148,6 @@ def submit_workflow?
 end
 def view_workflow_executions?
- # return true if Member.can_view_workflows?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -193,7 +155,6 @@ def view_workflow_executions?
 end
 def export_data?
- # return true if Member.can_export_data?(user, record) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -201,7 +162,6 @@ def export_data?
 end
 def update_sample_metadata?
- # return true if Member.can_modify?(user, record) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f37d742c67..bef6b9ea5e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -30,8 +30,6 @@ def token_active(access_level)
 end
 def activity?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view?(user, record.namespace) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -42,8 +40,6 @@ def activity?
 end
 def view_history?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view?(user, record.namespace) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -54,8 +50,6 @@ def view_history?
 end
 def destroy?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_destroy?(user, record.namespace) == true
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
@@ -63,8 +57,6 @@ def destroy?
 end
 def edit?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_modify?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -72,8 +64,6 @@ def edit?
 end
 def new?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_create?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.namespace.parent.name
@@ -82,8 +72,6 @@ def new?
 end
 def read?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view?(user, record.namespace) == true
 if (effective_access_level > Member::AccessLevel::NO_ACCESS) &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -95,8 +83,6 @@ def read?
 end
 def transfer?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_transfer?(user, record.namespace)
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
@@ -104,8 +90,6 @@ def transfer?
 end
 def update?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_modify?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -113,8 +97,6 @@ def update?
 end
 def sample_listing?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view?(user, record.namespace) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -125,8 +107,6 @@ def sample_listing?
 end
 def create_sample?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_create_sample?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 return true if token_active(effective_access_level) == true
@@ -135,8 +115,6 @@ def create_sample?
 end
 def destroy_sample?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.namespace_owners_include_user?(user, record.namespace) == true
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
@@ -144,8 +122,6 @@ def destroy_sample?
 end
 def read_sample?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view?(user, record.namespace) == true
 if effective_access_level > Member::AccessLevel::NO_ACCESS &&
 effective_access_level != Member::AccessLevel::UPLOADER
 return true
@@ -157,8 +133,6 @@ def read_sample?
 end
 def update_sample?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_modify_sample?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 return true if token_active(effective_access_level) == true
@@ -167,7 +141,6 @@ def update_sample?
 end
 def transfer_sample?
- # return true if Member.can_transfer_sample?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level(false))
 details[:name] = record.name
@@ -175,10 +148,6 @@ def transfer_sample?
 end
 def transfer_sample_into_project?
- # return true if Member.user_has_namespace_maintainer_access?(user, record.namespace, false) &&
- # Member.can_transfer_sample_to_project?(user, record.namespace, false) == true
- # return true if Member.can_transfer_sample_to_project?(user, record.namespace) == true
-
 return true if effective_access_level(false) == Member::AccessLevel::MAINTAINER &&
 Member::AccessLevel.manageable.include?(
 effective_access_level(false)
@@ -192,7 +161,6 @@ def transfer_sample_into_project?
 end
 def clone_sample?
- # return true if Member.can_clone_sample?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -200,7 +168,6 @@ def clone_sample?
 end
 def clone_sample_into_project?
- # return true if Member.can_clone_sample_to_project?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
@@ -208,8 +175,6 @@ def clone_sample_into_project?
 end
 def export_data?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_export_data?(user, record.namespace) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -217,7 +182,6 @@ def export_data?
 end
 def submit_workflow?
- # return true if Member.can_submit_workflow?(user, record.namespace) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -225,8 +189,6 @@ def submit_workflow?
 end
 def view_attachments?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_view_attachments?(user, record.namespace) == true
 return true if effective_access_level >= Member::AccessLevel::ANALYST
 details[:name] = record.name
@@ -234,8 +196,6 @@ def view_attachments?
 end
 def create_attachment?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_create_attachment?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 return true if token_active(effective_access_level) == true
@@ -244,8 +204,6 @@ def create_attachment?
 end
 def destroy_attachment?
- # return true if record.namespace.parent.user_namespace? && record.namespace.parent.owner == user
- # return true if Member.can_destroy_attachment?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 details[:name] = record.name
diff --git a/app/policies/sample_policy.rb b/app/policies/sample_policy.rb
index 4e1e707c75..bb0376d292 100644
--- a/app/policies/sample_policy.rb
+++ b/app/policies/sample_policy.rb
@@ -14,8 +14,6 @@ def effective_access_level # rubocop:disable Metrics/CyclomaticComplexity, Metri
 end
 def destroy_attachment?
- # return true if record.project.namespace.parent.user_namespace? && record.project.namespace.parent.owner == user
- # return true if Member.namespace_owners_include_user?(user, record.project.namespace) == true
 return true if effective_access_level == Member::AccessLevel::OWNER
 details[:name] = record.name
diff --git a/app/policies/workflow_execution_policy.rb b/app/policies/workflow_execution_policy.rb
index 8ca222d9c7..a0b290debb 100644
--- a/app/policies/workflow_execution_policy.rb
+++ b/app/policies/workflow_execution_policy.rb
@@ -19,13 +19,11 @@ def effective_access_level(current_user = user)
 def destroy? # rubocop:disable Metrics/AbcSize
 return true if record.submitter.id == user.id
- # return true if Member.can_modify?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 if (record.namespace.type == Namespaces::ProjectNamespace.sti_name) &&
 (record.submitter.id == record.namespace.automation_bot.id) &&
 (record.namespace.automation_bot.id == user.id) &&
- # (Member.can_modify?(record.namespace.automation_bot, record.namespace) == true)
 Member::AccessLevel.manageable.include?(effective_access_level(record.namespace.automation_bot))
 return true
 end
@@ -39,7 +37,6 @@ def read? # rubocop:disable Metrics/AbcSize
 return true if record.submitter.id == user.id
 if (record.namespace.type == Namespaces::ProjectNamespace.sti_name) &&
 (record.submitter.id == record.namespace.automation_bot.id) &&
- # (Member.can_view?(record.namespace.automation_bot, record.namespace) == true)
 (effective_access_level(record.namespace.automation_bot) > Member::AccessLevel::NO_ACCESS)
 return true
 end
@@ -58,13 +55,11 @@ def create?
 def cancel? # rubocop:disable Metrics/AbcSize
 return true if record.submitter.id == user.id
- # return true if Member.can_modify?(user, record.namespace) == true
 return true if Member::AccessLevel.manageable.include?(effective_access_level)
 if (record.namespace.type == Namespaces::ProjectNamespace.sti_name) &&
 (record.submitter.id == record.namespace.automation_bot.id) &&
 (record.namespace.automation_bot.id == user.id) &&
- # (Member.can_modify?(record.namespace.automation_bot, record.namespace) == true)
 Member::AccessLevel.manageable.include?(effective_access_level(record.namespace.automation_bot))
 return true
 end
diff --git a/app/services/members/create_service.rb b/app/services/members/create_service.rb
index 2fa65f1511..cf1c902e28 100644
--- a/app/services/members/create_service.rb
+++ b/app/services/members/create_service.rb
@@ -25,7 +25,10 @@ def execute # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Met
 namespace_type: namespace.class.model_name.human)
 end
- has_previous_access = Member.can_view?(member.user, namespace) if member.valid?
+ if member.valid?
+ has_previous_access = Member.effective_access_level(namespace,
+ member.user) > Member::AccessLevel::NO_ACCESS
+ end
 if member.save
 send_emails if @email_notification && !has_previous_access
 member.create_activity key: 'member.create', owner: current_user if @member.user != current_user
diff --git a/app/services/members/destroy_service.rb b/app/services/members/destroy_service.rb
index b448ddd508..daa0ddc128 100644
--- a/app/services/members/destroy_service.rb
+++ b/app/services/members/destroy_service.rb
@@ -16,7 +16,7 @@ def execute # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 if current_user != member.user
 authorize! @namespace, to: :destroy_member?
- unless Member.namespace_owners_include_user?(current_user, namespace) ||
+ unless (Member.effective_access_level(namespace, current_user) == Member::AccessLevel::OWNER) ||
 (Member.user_has_namespace_maintainer_access?(current_user, namespace) &&
 member.access_level <= Member::AccessLevel::MAINTAINER)
@@ -39,7 +39,8 @@ def execute # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
 private
 def send_emails
- return if Member.can_view?(member.user, namespace)
+ return if Member.effective_access_level(namespace,
+ member.user) > Member::AccessLevel::NO_ACCESS
 MemberMailer.access_revoked_user_email(member, namespace).deliver_later
 end
diff --git a/app/services/projects/create_service.rb b/app/services/projects/create_service.rb
index 1d219922e9..89ef0d0645 100644
--- a/app/services/projects/create_service.rb
+++ b/app/services/projects/create_service.rb
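Review bot: The new `has_previous_access` test in members/create_service#execute silently drops a condition the removed `Member.can_view?` applied (member.rb hunk): an UPLOADER-level user without an active `Current.token` used to count as having no access, so the notification email went out, whereas `effective_access_level(...) > NO_ACCESS` now treats any UPLOADER membership as prior access and suppresses it. If that is intended, record it where the flag is set, e.g. `# Any membership or group link counts as prior access, including UPLOADER regardless of token state`; if not, the comparison needs the UPLOADER/token distinction the policies keep in `token_active`. The identical expression is introduced in members/destroy_service#send_emails in the last hunk on this line, so one `Member` predicate wrapping the comparison would keep both call sites from drifting apart again. `execute` begins and ends outside the hunk.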
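Review bot: In members/destroy_service#execute the rewritten `unless` guard calls `Member.effective_access_level(namespace, current_user)` and then `Member.user_has_namespace_maintainer_access?(current_user, namespace)`, which per the member.rb hunk evaluates `effective_access_level(namespace, user, true)` again with the same arguments, so the access lookup runs twice on the deny path. Compute it once: `level = Member.effective_access_level(namespace, current_user)` before the guard, then `unless level == Member::AccessLevel::OWNER || (level == Member::AccessLevel::MAINTAINER && member.access_level <= Member::AccessLevel::MAINTAINER)`. The same pairing appears in projects/create_service#create_associations, whose hunk runs past the end of this excerpt. `execute` continues outside the hunk.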
@@ -35,8 +35,7 @@ def create_associations(project) # rubocop:disable Metrics/AbcSize
 create_activities
 end
- return unless !Member.namespace_owners_include_user?(current_user,
- namespace) &&
+ return unless (Member.effective_access_level(namespace, current_user) != Member::AccessLevel::OWNER) &&
 Member.user_has_namespace_maintainer_access?(current_user, namespace)