#465: Added XxxPolicy classes for all models.

app/controllers/projects/projects_controller.rb

@@ -175,7 +175,7 @@ class Projects::ProjectsController < Projects::BaseController
   end
 
   def preview
-    authorize @project, :show?
+    authorize @project
     respond_to do |format|
       format.json {}
       format.html {render inline: view_context.markdown(params[:text]), layout: false}

app/policies/application_policy.rb

@@ -118,33 +118,33 @@ class ApplicationPolicy
   #
   # Returns true if he is, false otherwise.
   def local_admin?(r = record)
-    best_role(r) == 'admin'
+    owner?(r) || best_role(r) == 'admin'
   end
 
   # Private: Check if provided user is at least record reader.
   #
   # Returns true if he is, false otherwise.
   def local_reader?(r = record)
-    %w(reader writer admin).include? best_role(r)
+    owner?(r) || %w(reader writer admin).include? best_role(r)
   end
 
   # Private: Check if provided user is at least record writer.
   #
   # Returns true if he is, false otherwise.
   def local_writer?(r = record)
-    %w(writer admin).include? best_role(r)
+    owner?(r) || %w(writer admin).include? best_role(r)
   end
 
   # Private: Check if provided user is record owner.
   #
   # Returns true if he is, false otherwise.
-  def owner?
+  def owner?(r = record)
     (
-      !record.try(:owner_type) && record.owner_id == user.id
+      !r.try(:owner_type) && r.owner_id == user.id
     ) || (
-      record.try(:owner_type) == 'User'  && record.owner_id == user.id
+      r.try(:owner_type) == 'User'  && r.owner_id == user.id
     ) || (
-      record.try(:owner_type) == 'Group' && user_own_group_ids.include?(record.owner_id)
+      r.try(:owner_type) == 'Group' && user_own_group_ids.include?(r.owner_id)
     )
   end
 
@@ -166,4 +166,13 @@ class ApplicationPolicy
     end
   end
 
-end
+  # Public: Get user's platform ids.
+  #
+  # Returns the Array of platform ids.
+  def user_platform_ids
+    Rails.cache.fetch(['ApplicationPolicy#user_platform_ids', user]) do
+      user.repositories.pluck(:platform_id)
+    end
+  end
+
+end

app/policies/build_list_policy.rb

@@ -1,3 +1,52 @@
 class BuildListPolicy < ApplicationPolicy
 
+  def show?
+    record.user_id == user.id || policy(record.project).show?
+  end
+  alias_method :read?,       :show?
+  alias_method :log?,        :show?
+  alias_method :everything?, :show?
+  alias_method :owned?,      :show?
+  alias_method :everything?, :show?
+  alias_method :list?,       :show?
+
+  def create?
+    return false unless record.project.is_package
+    return false unless policy(record.project).write?
+    record.build_for_platform.blank? || policy(record.build_for_platform).show?
+  end
+  alias_method :rerun_tests?, :create?
+
+  def publish_into_testing?
+    return false unless record.new_core?
+    return false unless record.can_publish_into_testing?
+    create? || ( record.save_to_platform.main? && publish? )
+  end
+
+  def publish?
+    return false unless record.new_core?
+    return false unless record.can_publish?
+    if record.build_published?
+      local_admin?(record.save_to_platform) || record.save_to_repository.members.exists?(id: user.id)
+    else
+      record.save_to_repository.publish_without_qa ?
+        policy(record.project).write? : local_admin?(record.save_to_platform)
+    end
+  end
+
+  def create_container?
+    return false unless record.new_core?
+    policy(record.project).write? || local_admin?(record.save_to_platform)
+  end
+
+  def reject_publish?
+    record.save_to_repository.publish_without_qa ?
+      policy(record.project).write? : local_admin?(record.save_to_platform)
+  end
+
+  def cancel?
+    policy(record.project).write?
+  end
+
+
 end

app/policies/comment_policy.rb

@@ -0,0 +1,12 @@
+class CommentPolicy < ApplicationPolicy
+
+  def create?
+    policy(record.project).show?
+  end
+  alias_method :new_line?, :create?
+
+  def update?
+    record.user_id == user.id || local_admin?(record.project)
+  end
+
+end

app/policies/group_policy.rb

@@ -23,8 +23,19 @@ class GroupPolicy < ApplicationPolicy
   def update?
     owner? || local_admin?
   end
-  alias_method :manage_members?, :update?
-  alias_method :remove_members?, :update?
-  alias_method :add_member?, :update?
+  alias_method :manage_members?,  :update?
+  alias_method :members?,         :update?
+  alias_method :add_member?,      :update?
+  alias_method :remove_member?,   :update?
+  alias_method :remove_members?,  :update?
+  alias_method :update_member?,   :update?
+
+  def destroy?
+    owner?
+  end
+
+  def remove_user?
+    !user.guest?
+  end
 
 end

app/policies/hook_policy.rb

@@ -0,0 +1,11 @@
+class HookPolicy < ApplicationPolicy
+
+  def show?
+    policy(record.project).update?
+  end
+  alias_method :read?,    :show?
+  alias_method :create?,  :show?
+  alias_method :destroy?, :show?
+  alias_method :update?,  :show?
+
+end

app/policies/issue_policy.rb

@@ -0,0 +1,17 @@
+class IssuePolicy < ApplicationPolicy
+
+  def index?
+    record.project.has_issues?
+  end
+
+  def show?
+    policy(record.project).show?
+  end
+  alias_method :create?, :show?
+  alias_method :read?,   :show?
+
+  def update?
+    record.user_id == user.id || local_admin?(record.project)
+  end
+
+end

app/policies/key_pair_policy.rb

@@ -0,0 +1,8 @@
+class KeyPairPolicy < ApplicationPolicy
+
+  def create?
+    key_pair.repository.blank? || local_admin?(record.repository.platform)
+  end
+  alias_method :destroy?,    :create?
+
+end

app/policies/mass_build_policy.rb

@@ -0,0 +1,18 @@
+class MassBuildPolicy < ApplicationPolicy
+
+  def show?
+    policy(record.save_to_platform).show?
+  end
+  alias_method :read?,       :show?
+  alias_method :get_list?,   :show?
+
+  def create?
+    owner?(record.save_to_platform) || local_admin?(record.save_to_platform)
+  end
+  alias_method :publish?, :create?
+
+  def cancel?
+    !record.stop_build && create?
+  end
+
+end

app/policies/platform_policy.rb

@@ -7,7 +7,16 @@ class PlatformPolicy < ApplicationPolicy
   def show?
     return true unless record.hidden?
     return true if record.owner == user
-    return true if owner?
+    owner? || local_reader? || user_platform_ids.include?(record.id)
+  end
+  alias_method :advisories?, :show?
+  alias_method :members?,    :show?
+  alias_method :owned?,      :show?
+  alias_method :read?,       :show?
+  alias_method :related?,    :show?
+
+  def platforms_for_build?
+    true
   end
 
   def create?
@@ -17,15 +26,29 @@ class PlatformPolicy < ApplicationPolicy
   def update?
     owner?
   end
+  alias_method :change_visibility?, :update?
+
+  def destroy?
+    record.main? && owner?
+  end
 
   def local_admin_manage?
     owner? || local_admin?
   end
-  alias_method :add_project?, :local_admin_manage?
+  alias_method :add_project?,         :local_admin_manage?
+  alias_method :remove_file?,         :local_admin_manage?
 
   def clone?
-    return false if record.personal?
-    owner? || local_admin?
+    record.main? && ( owner? || local_admin? )
+  end
+  alias_method :add_member?,          :clone?
+  alias_method :members?,             :clone?
+  alias_method :regenerate_metadata?, :clone?
+  alias_method :remove_member?,       :clone?
+  alias_method :remove_members?,      :clone?
+
+  def clear?
+    record.personal? && owner?
   end
 
   class Scope < Scope

app/policies/product_build_list_policy.rb

@@ -0,0 +1,22 @@
+class ProductBuildListPolicy < ApplicationPolicy
+
+  def show?
+    policy(record.platform).show?
+  end
+  alias_method :log?,  :show?
+  alias_method :read?, :show?
+
+  def create?
+    policy(record.project).write? || policy(record.product).update?
+  end
+  alias_method :cancel?, :create?
+
+  def update?
+    policy(record.product).update?
+  end
+
+  def destroy?
+    policy(record.product).destroy?
+  end
+
+end

app/policies/product_policy.rb

@@ -1,3 +1,19 @@
 class ProductPolicy < ApplicationPolicy
 
+  def index?
+    record.platform.main?
+  end
+
+  def show?
+    policy(record.platform).show?
+  end
+  alias_method :read?,          :show?
+
+  def create?
+    record.platform.main? && local_admin?(record.platform)
+  end
+  alias_method :clone?,   :create?
+  alias_method :destroy?, :create?
+  alias_method :update?,  :create?
+
 end

app/policies/project_policy.rb

@@ -3,21 +3,38 @@ class ProjectPolicy < ApplicationPolicy
   def index?
     !user.guest?
   end
+  alias_method :remove_user?,               :index?
+  alias_method :preview?,                   :index?
 
   def show?
-    record.public? || local_reader?
+    return true if record.public?
+    return true if record.owner == user
+    return true if record.owner.is_a?(Group) && user_group_ids.inclide?(record.owner_id)
+    local_reader?
   end
-  alias_method :read?, :show?
-  alias_method :fork?, :show?
+  alias_method :read?,                      :show?
+  alias_method :fork?,                      :show?
+  alias_method :archive?,                   :show?
+  alias_method :get_id?,                    :show?
+  alias_method :refs_list?,                 :show?
 
   def create?
     !user.guest? && (!record.try(:owner) || policy(record.owner).write?)
   end
 
   def update?
-    local_admin?
+    owner? || local_admin?
   end
-  alias_method :alias?, :update?
+  alias_method :alias?,                     :update?
+  alias_method :sections?,                  :update?
+  alias_method :manage_collaborators?,      :update?
+  alias_method :autocomplete_maintainers?,  :update?
+  alias_method :add_member?,                :update?
+  alias_method :remove_member?,             :update?
+  alias_method :remove_members?,            :update?
+  alias_method :update_member?,             :update?
+  alias_method :members?,                   :update?
+  alias_method :schedule?,                  :update?
 
   def destroy?
     owner? || record.owner.is_a?(Group) && record.owner.actors.exists?(actor_type: 'User', actor_id: user.id, role: 'admin')
@@ -35,7 +52,7 @@ class ProjectPolicy < ApplicationPolicy
 
   # for grack
   def write?
-    local_writer?
+    owner? || local_writer?
   end
 
   def possible_forks

app/policies/pull_request_policy.rb

@@ -0,0 +1,22 @@
+class PullRequestPolicy < ApplicationPolicy
+
+  def show?
+    policy(record.to_project).show?
+  end
+  alias_method :read?,      :show?
+  alias_method :commits?,   :show?
+  alias_method :files?,     :show?
+
+  def create?
+    true
+  end
+
+  def update?
+    record.user_id == record.id || local_writer?(record.to_project)
+  end
+
+  def merge?
+    local_writer?(record.to_project)
+  end
+
+end

app/policies/repository_policy.rb

@@ -1,8 +1,11 @@
 class RepositoryPolicy < ApplicationPolicy
 
-  def update?
-    local_admin?(record.platform)
+  def show?
+    policy(record.platform).show?
   end
+  alias_method :projects?,      :show?
+  alias_method :projects_list?, :show?
+  alias_method :read?,          :show?
 
   def reader?
     local_reader?(record.platform)
@@ -15,20 +18,51 @@ class RepositoryPolicy < ApplicationPolicy
   def update?
     local_admin?(record.platform)
   end
-  alias_method :manage_members?, :update?
-  alias_method :remove_members?, :update?
-  alias_method :add_member?, :update?
+  alias_method :manage_members?,        :update?
+  alias_method :regenerate_metadata?,   :update?
+  alias_method :signatures?,            :update?
+
+  def create?
+    return false if record.platform.personal? && name == 'main'
+    local_admin?(record.platform)
+  end
+  alias_method :destroy?, :create?
+
+  def packages?
+    record.platform.main? && local_admin?(record.platform)
+  end
+  alias_method :remove_member?,         :packages?
+  alias_method :remove_members?,        :packages?
+  alias_method :add_member?,            :packages?
+  alias_method :sync_lock_file?,        :packages?
 
   def add_project?
-    local_admin?(record.platform) || is_member_of_repository?
+    local_admin?(record.platform) || repository_user_ids.include?(user.id)
   end
   alias_method :remove_project?, :add_project?
 
+  def destroy?
+    owner?(record.platform)
+  end
+  alias_method :settings?, :destroy?
+
+  def key_pair?
+    user.system?
+  end
+
+  def add_repo_lock_file?
+    user.system? || ( record.platform.main? && local_admin?(record.platform) )
+  end
+  alias_method :remove_repo_lock_file?, :add_repo_lock_file?
+
 private
 
-  def is_member_of_repository?
-    Rails.cache.fetch(['RepositoryPolicy#is_member_of_repository?', record, user]) do
-      record.members.exists?(id: user.id)
+  # Public: Get user ids of repository.
+  #
+  # Returns the Set of user ids.
+  def repository_user_ids
+    Rails.cache.fetch(['RepositoryPolicy#repository_user_ids', record]) do
+      Set.new record.member_ids
     end
   end
 

app/policies/statistic_policy.rb

@@ -1,3 +1,7 @@
 class StatisticPolicy < ApplicationPolicy
 
+  def index?
+    true
+  end
+
 end

app/policies/subscribe_policy.rb

@@ -0,0 +1,12 @@
+class SubscribePolicy < ApplicationPolicy
+
+  def create?
+    !user.guest? && record.subscribeable.subscribes.exists?(user_id: user.id)
+  end
+
+  def destroy?
+    !user.guest? &&
+      user.id == record.user_id &&
+      record.subscribeable.subscribes.exists?(user_id: user.id)
+  end
+end

app/policies/token_policy.rb

@@ -0,0 +1,10 @@
+class TokenPolicy < ApplicationPolicy
+
+  def show?
+    local_admin?(record.subject)
+  end
+  alias_method :create?,   :show?
+  alias_method :read?,     :show?
+  alias_method :withdraw?, :show?
+
+end

app/policies/user_policy.rb

@@ -1,5 +1,13 @@
 class UserPolicy < ApplicationPolicy
 
+  def show?
+    true
+  end
+
+  def update?
+    record == user
+  end
+
   def write?
     record == user
   end

app/views/platforms/repositories/show.html.slim

@@ -25,10 +25,11 @@
   .row
     hr
     h3= t("layout.projects.list_header")
-    - if policy(@repository).update?
+    - if policy(@repository).add_project?
       a.btn.btn-primary href=add_project_platform_repository_path(@platform, @repository)
         = t('layout.projects.add')
       |  
+    - if policy(@repository).remove_project?
       a.btn.btn-primary href=remove_project_platform_repository_path(@platform, @repository)
         = t('layout.repositories.mass_delete')
   .row