Diffstat (limited to 'app/policies')
30 files changed, 149 insertions, 138 deletions
diff --git a/app/policies/account_moderation_note_policy.rb b/app/policies/account_moderation_note_policy.rb index 885411a5b..310ce854c 100644 --- a/app/policies/account_moderation_note_policy.rb +++ b/app/policies/account_moderation_note_policy.rb @@ -2,11 +2,11 @@ class AccountModerationNotePolicy < ApplicationPolicy def create? - staff? + role.can?(:manage_reports) end def destroy? - admin? || owner? + owner? || (role.can?(:manage_reports) && role.overrides?(record.account.user_role)) end private diff --git a/app/policies/account_policy.rb b/app/policies/account_policy.rb index cc23771e7..a744af81d 100644 --- a/app/policies/account_policy.rb +++ b/app/policies/account_policy.rb 
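Review bot: In `destroy?`, `owner?` is evaluated before any privilege check, so an author whose role no longer includes `:manage_reports` can still delete their own moderation notes, which weakens the notes as a moderation record. If that is not intended, gate both branches on the privilege: `role.can?(:manage_reports) && (owner? || role.overrides?(record.account.user_role))`. `ReportNotePolicy#destroy?` later in this diff uses the same expression and would need the same change. `owner?` is defined below `private`, outside the hunk, and whether the controller already turns such users away is not visible here.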
@@ -2,74 +2,66 @@ class AccountPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_users) end def show? - staff? + role.can?(:manage_users) end def warn? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def suspend? - staff? && !record.user&.staff? && !record.instance_actor? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) && !record.instance_actor? end def destroy? - record.suspended_temporarily? && admin? + record.suspended_temporarily? && role.can?(:delete_user_data) end def unsuspend? - staff? && record.suspension_origin_local? + role.can?(:manage_users) && record.suspension_origin_local? end def sensitive? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def unsensitive? - staff? + role.can?(:manage_users) end def silence? - staff? && !record.user&.staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def unsilence? - staff? + role.can?(:manage_users) end def redownload? - admin? + role.can?(:manage_federation) end def remove_avatar? - staff? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def remove_header? - staff? - end - - def subscribe? - admin? - end - - def unsubscribe? - admin? + role.can?(:manage_users, :manage_reports) && role.overrides?(record.user_role) end def memorialize? - admin? && !record.user&.admin? && !record.instance_actor? + role.can?(:delete_user_data) && role.overrides?(record.user_role) && !record.instance_actor? end def unblock_email? - staff? + role.can?(:manage_users) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/account_warning_policy.rb b/app/policies/account_warning_policy.rb index 65707dfa7..4f8df7420 100644 --- a/app/policies/account_warning_policy.rb +++ b/app/policies/account_warning_policy.rb 
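Review bot: `destroy?` is the one destructive action in this hunk that checks a privilege without checking rank: `record.suspended_temporarily? && role.can?(:delete_user_data)` has no `role.overrides?(record.user_role)`, while `memorialize?` guards the same privilege with it. The old `admin?` implied the top rank, but with custom roles a role holding `:delete_user_data` need not outrank the owner of the suspended account. Consider `record.suspended_temporarily? && role.can?(:delete_user_data) && role.overrides?(record.user_role)`. How `overrides?` treats a nil role (an account without a local user) and equal ranks is defined outside this diff and is worth pinning with a spec.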
@@ -2,7 +2,7 @@ class AccountWarningPolicy < ApplicationPolicy def show? - target? || staff? + target? || role.can?(:manage_appeals) end def appeal? diff --git a/app/policies/account_warning_preset_policy.rb b/app/policies/account_warning_preset_policy.rb index bccbd33ef..59514e951 100644 --- a/app/policies/account_warning_preset_policy.rb +++ b/app/policies/account_warning_preset_policy.rb @@ -2,18 +2,18 @@ class AccountWarningPresetPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_settings) end def create? - staff? + role.can?(:manage_settings) end def update? - staff? + role.can?(:manage_settings) end def destroy? - staff? + role.can?(:manage_settings) end end diff --git a/app/policies/announcement_policy.rb b/app/policies/announcement_policy.rb index 0a4e4575c..b5dc6a18a 100644 --- a/app/policies/announcement_policy.rb +++ b/app/policies/announcement_policy.rb @@ -2,18 +2,18 @@ class AnnouncementPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_announcements) end def create? - admin? + role.can?(:manage_announcements) end def update? - admin? + role.can?(:manage_announcements) end def destroy? - admin? + role.can?(:manage_announcements) end end diff --git a/app/policies/appeal_policy.rb b/app/policies/appeal_policy.rb index a25187172..7466b334b 100644 --- a/app/policies/appeal_policy.rb +++ b/app/policies/appeal_policy.rb @@ -2,12 +2,14 @@ class AppealPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_appeals) end def approve? - record.pending? && staff? + record.pending? && role.can?(:manage_appeals) end - alias reject? approve? + def reject? + record.pending? && role.can?(:manage_appeals) + end end diff --git a/app/policies/application_policy.rb b/app/policies/application_policy.rb index d1de5e81a..163b81e9e 100644 --- a/app/policies/application_policy.rb +++ b/app/policies/application_policy.rb 
@@ -8,8 +8,6 @@ class ApplicationPolicy @record = record end - delegate :admin?, :moderator?, :staff?, to: :current_user, allow_nil: true - private def current_user @@ -19,4 +17,8 @@ class ApplicationPolicy def user_signed_in? !current_user.nil? end + + def role + current_user&.role || UserRole.nobody + end end diff --git a/app/policies/audit_log_policy.rb b/app/policies/audit_log_policy.rb new file mode 100644 index 000000000..f78aa9a8e --- /dev/null +++ b/app/policies/audit_log_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class AuditLogPolicy < ApplicationPolicy + def index? + role.can?(:view_audit_log) + end +end diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb index a8c3cbc73..18de71c19 100644 --- a/app/policies/custom_emoji_policy.rb +++ b/app/policies/custom_emoji_policy.rb @@ -2,30 +2,30 @@ class CustomEmojiPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_custom_emojis) end def create? - admin? + role.can?(:manage_custom_emojis) end def update? - admin? + role.can?(:manage_custom_emojis) end def copy? - admin? + role.can?(:manage_custom_emojis) end def enable? - staff? + role.can?(:manage_custom_emojis) end def disable? - staff? + role.can?(:manage_custom_emojis) end def destroy? - admin? + role.can?(:manage_custom_emojis) end end diff --git a/app/policies/dashboard_policy.rb b/app/policies/dashboard_policy.rb new file mode 100644 index 000000000..3df1c3088 --- /dev/null +++ b/app/policies/dashboard_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +class DashboardPolicy < ApplicationPolicy + def index? + role.can?(:view_dashboard) + end +end diff --git a/app/policies/delivery_policy.rb b/app/policies/delivery_policy.rb index 24d06c168..f6ba2eb18 100644 --- a/app/policies/delivery_policy.rb +++ b/app/policies/delivery_policy.rb 
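Review bot: The new private `role` helper in the second hunk carries no comment stating the contract that every policy in this change now depends on. A signed-out request gets `UserRole.nobody`, and each `role.can?(...)` check fails closed only if that role grants nothing, which is defined outside this diff. I would add `# Signed-out requests fall back to UserRole.nobody, which must grant no privileges, so every role.can? check fails closed`. It would also help to document next to `can?` that several privileges mean any-of, as `AccountPolicy#warn?` and `StatusPolicy#index?` appear to assume, since the call site reads equally well as all-of.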
@@ -2,14 +2,14 @@ class DeliveryPolicy < ApplicationPolicy def clear_delivery_errors? - admin? + role.can?(:manage_federation) end def restart_delivery? - admin? + role.can?(:manage_federation) end def stop_delivery? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/domain_allow_policy.rb b/app/policies/domain_allow_policy.rb index 7a5b5d780..45c797ecd 100644 --- a/app/policies/domain_allow_policy.rb +++ b/app/policies/domain_allow_policy.rb @@ -2,18 +2,18 @@ class DomainAllowPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def create? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/domain_block_policy.rb b/app/policies/domain_block_policy.rb index 543259cce..0fea2e035 100644 --- a/app/policies/domain_block_policy.rb +++ b/app/policies/domain_block_policy.rb @@ -2,22 +2,22 @@ class DomainBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def create? - admin? + role.can?(:manage_federation) end def update? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/email_domain_block_policy.rb b/app/policies/email_domain_block_policy.rb index 5a75ee183..1a0ddfa87 100644 --- a/app/policies/email_domain_block_policy.rb +++ b/app/policies/email_domain_block_policy.rb @@ -2,14 +2,14 @@ class EmailDomainBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_blocks) end def create? - admin? + role.can?(:manage_blocks) end def destroy? - admin? + role.can?(:manage_blocks) end end diff --git a/app/policies/follow_recommendation_policy.rb b/app/policies/follow_recommendation_policy.rb index 68cd0e547..9245733ea 100644 --- a/app/policies/follow_recommendation_policy.rb 
+++ b/app/policies/follow_recommendation_policy.rb @@ -2,14 +2,14 @@ class FollowRecommendationPolicy < ApplicationPolicy def show? - staff? + role.can?(:manage_taxonomies) end def suppress? - staff? + role.can?(:manage_taxonomies) end def unsuppress? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/instance_policy.rb b/app/policies/instance_policy.rb index 801ca162e..b15e123fe 100644 --- a/app/policies/instance_policy.rb +++ b/app/policies/instance_policy.rb @@ -2,14 +2,14 @@ class InstancePolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_federation) end def show? - admin? + role.can?(:manage_federation) end def destroy? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/invite_policy.rb b/app/policies/invite_policy.rb index 14236f78b..24eacd08e 100644 --- a/app/policies/invite_policy.rb +++ b/app/policies/invite_policy.rb @@ -2,19 +2,19 @@ class InvitePolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_invites) end def create? - min_required_role? + role.can?(:invite_users) end def deactivate_all? - admin? + role.can?(:manage_invites) end def destroy? - owner? || (Setting.min_invite_role == 'admin' ? admin? : staff?) + owner? || role.can?(:manage_invites) end private @@ -22,8 +22,4 @@ class InvitePolicy < ApplicationPolicy def owner? record.user_id == current_user&.id end - - def min_required_role? - current_user&.role?(Setting.min_invite_role) - end end diff --git a/app/policies/ip_block_policy.rb b/app/policies/ip_block_policy.rb index 34dbd746a..1abc97ad8 100644 --- a/app/policies/ip_block_policy.rb +++ b/app/policies/ip_block_policy.rb @@ -2,14 +2,14 @@ class IpBlockPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_blocks) end def create? - admin? + role.can?(:manage_blocks) end def destroy? - admin? + role.can?(:manage_blocks) end end diff --git a/app/policies/preview_card_policy.rb b/app/policies/preview_card_policy.rb index 0410987e4..a7bb41634 100644 
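Review bot: `InvitePolicy#create?` no longer consults `Setting.min_invite_role`, so an instance that had restricted invites to moderators or admins keeps that restriction only if the upgrade maps the old setting onto which roles hold `:invite_users`. That mapping is not in this diff, which is limited to `app/policies`. A comment on `create?` would record the dependency, e.g. `# Replaces Setting.min_invite_role; the data migration must carry the old restriction over to the invite_users privilege`. `destroy?` drops the setting as well and now lets any `:manage_invites` holder revoke other users' invites.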
--- a/app/policies/preview_card_policy.rb +++ b/app/policies/preview_card_policy.rb @@ -2,10 +2,10 @@ class PreviewCardPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/preview_card_provider_policy.rb b/app/policies/preview_card_provider_policy.rb index 44d2ad5cf..131ccb5dd 100644 --- a/app/policies/preview_card_provider_policy.rb +++ b/app/policies/preview_card_provider_policy.rb @@ -2,10 +2,10 @@ class PreviewCardProviderPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/relay_policy.rb b/app/policies/relay_policy.rb index bd75e2197..4305bcfaa 100644 --- a/app/policies/relay_policy.rb +++ b/app/policies/relay_policy.rb @@ -2,6 +2,6 @@ class RelayPolicy < ApplicationPolicy def update? - admin? + role.can?(:manage_federation) end end diff --git a/app/policies/report_note_policy.rb b/app/policies/report_note_policy.rb index 694bc096b..dc31416e8 100644 --- a/app/policies/report_note_policy.rb +++ b/app/policies/report_note_policy.rb @@ -2,11 +2,11 @@ class ReportNotePolicy < ApplicationPolicy def create? - staff? + role.can?(:manage_reports) end def destroy? - admin? || owner? + owner? || (role.can?(:manage_reports) && role.overrides?(record.account.user_role)) end private diff --git a/app/policies/report_policy.rb b/app/policies/report_policy.rb index 95b5c30c8..c9f7639bd 100644 --- a/app/policies/report_policy.rb +++ b/app/policies/report_policy.rb @@ -2,14 +2,14 @@ class ReportPolicy < ApplicationPolicy def update? - staff? + role.can?(:manage_reports) end def index? - staff? + role.can?(:manage_reports) end def show? - staff? + role.can?(:manage_reports) end end diff --git a/app/policies/rule_policy.rb b/app/policies/rule_policy.rb index 6a4def009..51b2a6977 100644 --- a/app/policies/rule_policy.rb 
+++ b/app/policies/rule_policy.rb @@ -2,18 +2,18 @@ class RulePolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_rules) end def create? - admin? + role.can?(:manage_rules) end def update? - admin? + role.can?(:manage_rules) end def destroy? - admin? + role.can?(:manage_rules) end end diff --git a/app/policies/settings_policy.rb b/app/policies/settings_policy.rb index 874f97bab..2b052af27 100644 --- a/app/policies/settings_policy.rb +++ b/app/policies/settings_policy.rb @@ -2,14 +2,14 @@ class SettingsPolicy < ApplicationPolicy def update? - admin? + role.can?(:manage_settings) end def show? - admin? + role.can?(:manage_settings) end def destroy? - admin? + role.can?(:manage_settings) end end diff --git a/app/policies/status_policy.rb b/app/policies/status_policy.rb index 400f1ec79..2f48b5d70 100644 --- a/app/policies/status_policy.rb +++ b/app/policies/status_policy.rb @@ -8,7 +8,7 @@ class StatusPolicy < ApplicationPolicy end def index? - staff? + role.can?(:manage_reports, :manage_users) end def show? @@ -32,17 +32,17 @@ class StatusPolicy < ApplicationPolicy end def destroy? - staff? || owned? + role.can?(:manage_reports) || owned? end alias unreblog? destroy? def update? - staff? || owned? + role.can?(:manage_reports) || owned? end def review? - staff? + role.can?(:manage_taxonomies) end private diff --git a/app/policies/tag_policy.rb b/app/policies/tag_policy.rb index bdfcec0c9..bb1d37d6c 100644 --- a/app/policies/tag_policy.rb +++ b/app/policies/tag_policy.rb @@ -2,18 +2,18 @@ class TagPolicy < ApplicationPolicy def index? - staff? + role.can?(:manage_taxonomies) end def show? - staff? + role.can?(:manage_taxonomies) end def update? - staff? + role.can?(:manage_taxonomies) end def review? - staff? + role.can?(:manage_taxonomies) end end diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 140905e1f..6751b8b8f 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb 
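Review bot: `StatusPolicy#destroy?` and `update?` in the second hunk give any `:manage_reports` holder control over every status with no rank check, whereas this commit adds `role.overrides?(...)` to the comparable `AccountPolicy#remove_avatar?` and `remove_header?`. If moderating a higher-ranked user's statuses is intended, a comment should say so; otherwise `(role.can?(:manage_reports) && role.overrides?(record.account.user_role)) || owned?` would match the account rules. `owned?` and the rest of the class are outside the hunk. `record.account.user_role` is taken from its use in `ReportNotePolicy`, so confirm it resolves for a status author.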
@@ -2,52 +2,38 @@ class UserPolicy < ApplicationPolicy def reset_password? - staff? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) end def change_email? - staff? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) end def disable_2fa? - admin? && !record.staff? + role.can?(:manage_user_access) && role.overrides?(record.role) + end + + def change_role? + role.can?(:manage_roles) && role.overrides?(record.role) end def confirm? - staff? && !record.confirmed? + role.can?(:manage_user_access) && !record.confirmed? end def enable? - staff? + role.can?(:manage_users) end def approve? - staff? && !record.approved? + role.can?(:manage_users) && !record.approved? end def reject? - staff? && !record.approved? + role.can?(:manage_users) && !record.approved? end def disable? - staff? && !record.admin? - end - - def promote? - admin? && promotable? - end - - def demote? - admin? && !record.admin? && demoteable? - end - - private - - def promotable? - record.approved? && (!record.staff? || !record.admin?) - end - - def demoteable? - record.staff? + role.can?(:manage_users) && role.overrides?(record.role) end end diff --git a/app/policies/user_role_policy.rb b/app/policies/user_role_policy.rb new file mode 100644 index 000000000..7019637fc --- /dev/null +++ b/app/policies/user_role_policy.rb @@ -0,0 +1,19 @@ +# frozen_string_literal: true + +class UserRolePolicy < ApplicationPolicy + def index? + role.can?(:manage_roles) + end + + def create? + role.can?(:manage_roles) + end + + def update? + role.can?(:manage_roles) && role.overrides?(record) + end + + def destroy? + !record.everyone? && role.can?(:manage_roles) && role.overrides?(record) && role.id != record.id + end +end diff --git a/app/policies/webhook_policy.rb b/app/policies/webhook_policy.rb index 2c55703a1..a2199a333 100644 --- a/app/policies/webhook_policy.rb +++ b/app/policies/webhook_policy.rb 
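Review bot: `UserPolicy#change_role?` only compares the actor with the target's current role (`role.overrides?(record.role)`); the role being assigned is not an input to the policy. Unless the assignment is validated where it is applied, a `:manage_roles` holder could give a lower-ranked user a role at or above their own rank. That validation is not visible in this diff, so I would record the dependency on the method: `# Checks the target's current role only; the newly assigned role must be validated against the actor's rank by the caller`.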
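Review bot: `UserRolePolicy#update?` omits the `role.id != record.id` guard that `destroy?` has, so whether a `:manage_roles` holder can edit their own role depends entirely on `overrides?` being a strict comparison, which is defined outside this diff. Adding the same guard makes the rule explicit: `role.can?(:manage_roles) && role.overrides?(record) && role.id != record.id`. Neither `create?` nor `update?` can see the permissions or position being written, so any limit on granting privileges the actor lacks has to be enforced in the model. A short comment on the class saying so would help the next reader.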
@@ -2,34 +2,34 @@ class WebhookPolicy < ApplicationPolicy def index? - admin? + role.can?(:manage_webhooks) end def create? - admin? + role.can?(:manage_webhooks) end def show? - admin? + role.can?(:manage_webhooks) end def update? - admin? + role.can?(:manage_webhooks) end def enable? - admin? + role.can?(:manage_webhooks) end def disable? - admin? + role.can?(:manage_webhooks) end def rotate_secret? - admin? + role.can?(:manage_webhooks) end def destroy? - admin? + role.can?(:manage_webhooks) end end |