Leverage available_from_access_level for custom role abilities
We currently optionally capture `available_from_access_level`
for custom role abilities, but only use it for display purposes.
Wouldn't it be awesome if we:
- Used it to determine which predefined role the ability was available from.
This is best demonstrated with an example. Imagine we have custom ability:
```yaml
---
name: admin_web_hook
# SNIP
project_ability: true
available_from_access_level: 40
```
At the moment, in `ee/app/policies/ee/project_policy.rb` we would have something like:

```ruby
# Predefined role: maintainers get the ability directly.
rule { can?(:maintainer_access) }.policy do
  enable :admin_web_hook
end

# Custom role: check whether the member's role grants the ability.
condition(:role_enables_admin_web_hook) do
  ::Auth::MemberRoleAbilityLoader.new(
    user: @user,
    resource: @subject,
    ability: :admin_web_hook
  ).has_ability?
end

rule { custom_roles_allowed & role_enables_admin_web_hook }.policy do
  enable :admin_web_hook
end
```
What if instead, we could just have:

```ruby
condition(:role_enables_admin_web_hook) do
  ::Auth::MemberRoleAbilityLoader.new(
    user: @user,
    resource: @subject,
    ability: :admin_web_hook
  ).has_ability?
end

rule { custom_roles_allowed & role_enables_admin_web_hook }.policy do
  enable :admin_web_hook
end
```
- ✅ Used it to dynamically display abilities on the "new role" screen (e.g. why allow someone to add an ability to a custom role if it's already included as part of the base role) - this was completed in !151663 (merged)
Taking the above example `admin_web_hook` yml, we could hide the ability from the new role screen when the base role is set to maintainer or owner.
Edited by Lee Tickett
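A sketch of the idea described above, added here as an illustration and not GitLab's own code: one resolver reads `available_from_access_level` from the ability definition, so the predefined-role rule, the custom-role rule and the "new role" screen filter all derive from the same value. `Member`, `AbilityResolver` and `RESOLVER` are hypothetical names, and the YAML is a constructed sample modelled on the `admin_web_hook` definition.

```ruby
require 'yaml'

# Constructed sample definition, modelled on the admin_web_hook yml above.
ABILITY_YAML = <<~YAML
  ---
  name: admin_web_hook
  project_ability: true
  available_from_access_level: 40
YAML

# Hypothetical stand-in for a project member; not a GitLab class.
Member = Struct.new(:access_level, :custom_abilities, keyword_init: true)

class AbilityResolver
  def initialize(definitions, custom_roles_allowed: true)
    @definitions = definitions.to_h { |d| [d.fetch('name').to_sym, d] }
    @custom_roles_allowed = custom_roles_allowed
  end

  # Returns :base_role, :custom_role or nil (denied).
  def source_for(member, ability)
    definition = @definitions[ability]
    return nil unless definition # unknown ability: fail closed

    threshold = definition['available_from_access_level']
    # A missing threshold means no predefined role grants the ability.
    return :base_role if threshold && member.access_level >= threshold
    return :custom_role if @custom_roles_allowed && member.custom_abilities.include?(ability)

    nil
  end

  def allowed?(member, ability)
    !source_for(member, ability).nil?
  end

  # Abilities worth offering on the "new role" screen for a base role:
  # only those the base access level does not already include.
  def selectable_for(base_access_level)
    @definitions.select do |_, d|
      threshold = d['available_from_access_level']
      threshold.nil? || base_access_level < threshold
    end.keys
  end
end

RESOLVER = AbilityResolver.new([YAML.safe_load(ABILITY_YAML)])
```

Returning the source of the grant, rather than only a boolean, makes it possible to audit whether access came from the base role or from a custom role.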