Module: ValidatesClassificationLabel

Included in:

ApplicationSettings::UpdateService, Projects::CreateService, Projects::UpdateService

Defined in:

app/services/concerns/validates_classification_label.rb

Instance Method Summary

• #classification_label_change?(record, attribute_name) ⇒ Boolean
• #rejection_reason_for_label(label) ⇒ Object
• #validate_classification_label(record, attribute_name) ⇒ Object

Instance Method Details

#classification_label_change?(record, attribute_name) ⇒ Boolean

Returns:

• (Boolean)

# File 'app/services/concerns/validates_classification_label.rb', line 24

def classification_label_change?(record, attribute_name)
  params.key?(attribute_name) || record.new_record?
end

#rejection_reason_for_label(label) ⇒ Object

# File 'app/services/concerns/validates_classification_label.rb', line 19

def rejection_reason_for_label(label)
  reason_from_service = ::Gitlab::ExternalAuthorization.rejection_reason(current_user, label).presence
  reason_from_service || _("Access to '%{classification_label}' not allowed") % { classification_label: label }
end

#validate_classification_label(record, attribute_name) ⇒ Object

# File 'app/services/concerns/validates_classification_label.rb', line 4

def validate_classification_label(record, attribute_name)
  return unless ::Gitlab::ExternalAuthorization.enabled?
  return unless classification_label_change?(record, attribute_name)

  new_label = params[attribute_name].presence
  new_label ||= ::Gitlab::CurrentSettings.current_application_settings
                  .external_authorization_service_default_label

  unless ::Gitlab::ExternalAuthorization.access_allowed?(current_user, new_label)
    reason = rejection_reason_for_label(new_label)
    message = s_('ClassificationLabelUnavailable|is unavailable: %{reason}') % { reason: reason }
    record.errors.add(attribute_name, message)
  end
end