kimus/gitlab-collaborator.diff

## gitlab-collaborator.diff
diff --git a/app/models/ability.rb b/app/models/ability.rb
index 38bc208..bd21b82 100644
--- a/app/models/ability.rb
+++ b/app/models/ability.rb
@@ -83,6 +83,9 @@ class Ability
         elsif team.developer?(user)
           rules.push(*project_dev_rules)

+        elsif team.collaborator?(user)
+          rules.push(*project_collab_rules)
+
         elsif team.reporter?(user)
           rules.push(*project_report_rules)

@@ -148,13 +151,21 @@ class Ability
       ]
     end

+    def project_collab_rules
+      project_report_rules + [
+        :create_merge_request,
+        :push_code
+      ]
+    end
+
     def project_dev_rules
       project_report_rules + [
         :admin_merge_request,
         :create_merge_request,
         :create_wiki,
         :manage_builds,
-        :push_code
+        :push_code,
+        :push_code_dev
       ]
     end

diff --git a/app/models/member.rb b/app/models/member.rb
index cae8caa..36107bf 100644
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -42,6 +42,7 @@ class Member < ActiveRecord::Base
   scope :non_invite, -> { where("user_id IS NOT NULL") }
   scope :guests, -> { where(access_level: GUEST) }
   scope :reporters, -> { where(access_level: REPORTER) }
+  scope :collaborator, -> { where(access_level: COLLABORATOR) }
   scope :developers, -> { where(access_level: DEVELOPER) }
   scope :masters,  -> { where(access_level: MASTER) }
   scope :owners,  -> { where(access_level: OWNER) }
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 9f380a3..a502aeb 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -77,6 +77,10 @@ class ProjectTeam
     @reporters ||= fetch_members(:reporters)
   end

+  def collaborators
+    @collaborators ||= fetch_members(:collaborators)
+  end
+
   def developers
     @developers ||= fetch_members(:developers)
   end
@@ -123,6 +127,10 @@ class ProjectTeam
     max_member_access(user.id) == Gitlab::Access::REPORTER
   end

+  def collaborator?(user)
+    max_member_access(user.id) == Gitlab::Access::COLLABORATOR
+  end
+
   def developer?(user)
     max_member_access(user.id) == Gitlab::Access::DEVELOPER
   end
diff --git a/lib/gitlab/access.rb b/lib/gitlab/access.rb
index 6d0e30e..5d74259 100644
--- a/lib/gitlab/access.rb
+++ b/lib/gitlab/access.rb
@@ -7,6 +7,7 @@ module Gitlab
   module Access
     GUEST     = 10
     REPORTER  = 20
+    COLLABORATOR = 25
     DEVELOPER = 30
     MASTER    = 40
     OWNER     = 50
@@ -29,6 +30,7 @@ module Gitlab
         {
           "Guest"     => GUEST,
           "Reporter"  => REPORTER,
+          "Collaborator"  => COLLABORATOR,
           "Developer" => DEVELOPER,
           "Master"    => MASTER,
         }
@@ -44,6 +46,7 @@ module Gitlab
         {
           guest:     GUEST,
           reporter:  REPORTER,
+          collaborator: COLLABORATOR,
           developer: DEVELOPER,
           master:    MASTER,
         }
diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
index c90184d..0ee82ce 100644
--- a/lib/gitlab/git_access.rb
+++ b/lib/gitlab/git_access.rb
@@ -34,7 +34,7 @@ module Gitlab
       if project.protected_branch?(ref) && !project.developers_can_push_to_protected_branch?(ref)
         user.can?(:push_code_to_protected_branches, project)
       else
-        user.can?(:push_code, project)
+        user.can?(:push_code_dev, project)
       end
     end

@@ -169,7 +169,7 @@ module Gitlab
         # and we dont allow remove of protected branch
         :remove_protected_branches
       elsif project.developers_can_push_to_protected_branch?(branch_name)
-        :push_code
+        :push_code_dev
       else
         :push_code_to_protected_branches
       end
diff --git a/spec/models/project_security_spec.rb b/spec/models/project_security_spec.rb
index f600a24..e0ba00a 100644
--- a/spec/models/project_security_spec.rb
+++ b/spec/models/project_security_spec.rb
@@ -16,6 +16,7 @@ describe Project do

     let(:guest_actions) { Ability.project_guest_rules }
     let(:report_actions) { Ability.project_report_rules }
+    let(:collab_actions) { Ability.project_collab_rules }
     let(:dev_actions) { Ability.project_dev_rules }
     let(:master_actions) { Ability.project_master_rules }
     let(:admin_actions) { Ability.project_admin_rules }
@@ -52,6 +53,25 @@ describe Project do
       end
     end

+    describe "Collaborate Rules" do
+      before do
+        @p1.project_members.create(project: @p1, user: @u2, access_level: ProjectMember::REPORTER)
+        @p1.project_members.create(project: @p1, user: @u3, access_level: ProjectMember::COLLABORATOR)
+      end
+
+      it "should deny for collaborator master-specific actions" do
+        [collab_actions - report_actions].each do |action|
+          expect(@abilities.allowed?(@u2, action, @p1)).to be_falsey
+        end
+      end
+
+      it "should allow for project user any collab actions" do
+        collab_actions.each do |action|
+          expect(@abilities.allowed?(@u3, action, @p1)).to be_truthy
+        end
+      end
+    end
+
     describe "Developer Rules" do
       before do
         @p1.project_members.create(project: @p1, user: @u2, access_level: ProjectMember::REPORTER)
	diff --git a/app/models/ability.rb b/app/models/ability.rb
	index 38bc208..bd21b82 100644
	--- a/app/models/ability.rb
	+++ b/app/models/ability.rb
	@@ -83,6 +83,9 @@ class Ability
	elsif team.developer?(user)
	rules.push(*project_dev_rules)

	+ elsif team.collaborator?(user)
	+ rules.push(*project_collab_rules)
	+
	elsif team.reporter?(user)
	rules.push(*project_report_rules)

	@@ -148,13 +151,21 @@ class Ability
	]
	end

	+ def project_collab_rules
	+ project_report_rules + [
	+ :create_merge_request,
	+ :push_code
	+ ]
	+ end
	+
	def project_dev_rules
	project_report_rules + [
	:admin_merge_request,
	:create_merge_request,
	:create_wiki,
	:manage_builds,
	- :push_code
	+ :push_code,
	+ :push_code_dev
	]
	end

	diff --git a/app/models/member.rb b/app/models/member.rb
	index cae8caa..36107bf 100644
	--- a/app/models/member.rb
	+++ b/app/models/member.rb
	@@ -42,6 +42,7 @@ class Member < ActiveRecord::Base
	scope :non_invite, -> { where("user_id IS NOT NULL") }
	scope :guests, -> { where(access_level: GUEST) }
	scope :reporters, -> { where(access_level: REPORTER) }
	+ scope :collaborator, -> { where(access_level: COLLABORATOR) }
	scope :developers, -> { where(access_level: DEVELOPER) }
	scope :masters, -> { where(access_level: MASTER) }
	scope :owners, -> { where(access_level: OWNER) }
	diff --git a/app/models/project_team.rb b/app/models/project_team.rb
	index 9f380a3..a502aeb 100644
	--- a/app/models/project_team.rb
	+++ b/app/models/project_team.rb
	@@ -77,6 +77,10 @@ class ProjectTeam
	@reporters \|\|= fetch_members(:reporters)
	end

	+ def collaborators
	+ @collaborators \|\|= fetch_members(:collaborators)
	+ end
	+
	def developers
	@developers \|\|= fetch_members(:developers)
	end
	@@ -123,6 +127,10 @@ class ProjectTeam
	max_member_access(user.id) == Gitlab::Access::REPORTER
	end

	+ def collaborator?(user)
	+ max_member_access(user.id) == Gitlab::Access::COLLABORATOR
	+ end
	+
	def developer?(user)
	max_member_access(user.id) == Gitlab::Access::DEVELOPER
	end
	diff --git a/lib/gitlab/access.rb b/lib/gitlab/access.rb
	index 6d0e30e..5d74259 100644
	--- a/lib/gitlab/access.rb
	+++ b/lib/gitlab/access.rb
	@@ -7,6 +7,7 @@ module Gitlab
	module Access
	GUEST = 10
	REPORTER = 20
	+ COLLABORATOR = 25
	DEVELOPER = 30
	MASTER = 40
	OWNER = 50
	@@ -29,6 +30,7 @@ module Gitlab
	{
	"Guest" => GUEST,
	"Reporter" => REPORTER,
	+ "Collaborator" => COLLABORATOR,
	"Developer" => DEVELOPER,
	"Master" => MASTER,
	}
	@@ -44,6 +46,7 @@ module Gitlab
	{
	guest: GUEST,
	reporter: REPORTER,
	+ collaborator: COLLABORATOR,
	developer: DEVELOPER,
	master: MASTER,
	}
	diff --git a/lib/gitlab/git_access.rb b/lib/gitlab/git_access.rb
	index c90184d..0ee82ce 100644
	--- a/lib/gitlab/git_access.rb
	+++ b/lib/gitlab/git_access.rb
	@@ -34,7 +34,7 @@ module Gitlab
	if project.protected_branch?(ref) && !project.developers_can_push_to_protected_branch?(ref)
	user.can?(:push_code_to_protected_branches, project)
	else
	- user.can?(:push_code, project)
	+ user.can?(:push_code_dev, project)
	end
	end

	@@ -169,7 +169,7 @@ module Gitlab
	# and we dont allow remove of protected branch
	:remove_protected_branches
	elsif project.developers_can_push_to_protected_branch?(branch_name)
	- :push_code
	+ :push_code_dev
	else
	:push_code_to_protected_branches
	end
	diff --git a/spec/models/project_security_spec.rb b/spec/models/project_security_spec.rb
	index f600a24..e0ba00a 100644
	--- a/spec/models/project_security_spec.rb
	+++ b/spec/models/project_security_spec.rb
	@@ -16,6 +16,7 @@ describe Project do

	let(:guest_actions) { Ability.project_guest_rules }
	let(:report_actions) { Ability.project_report_rules }
	+ let(:collab_actions) { Ability.project_collab_rules }
	let(:dev_actions) { Ability.project_dev_rules }
	let(:master_actions) { Ability.project_master_rules }
	let(:admin_actions) { Ability.project_admin_rules }
	@@ -52,6 +53,25 @@ describe Project do
	end
	end

	+ describe "Collaborate Rules" do
	+ before do
	+ @p1.project_members.create(project: @p1, user: @u2, access_level: ProjectMember::REPORTER)
	+ @p1.project_members.create(project: @p1, user: @u3, access_level: ProjectMember::COLLABORATOR)
	+ end
	+
	+ it "should deny for collaborator master-specific actions" do
	+ [collab_actions - report_actions].each do \|action\|
	+ expect(@abilities.allowed?(@u2, action, @p1)).to be_falsey
	+ end
	+ end
	+
	+ it "should allow for project user any collab actions" do
	+ collab_actions.each do \|action\|
	+ expect(@abilities.allowed?(@u3, action, @p1)).to be_truthy
	+ end
	+ end
	+ end
	+
	describe "Developer Rules" do
	before do
	@p1.project_members.create(project: @p1, user: @u2, access_level: ProjectMember::REPORTER)