// GitLab access-level authorization policy set.
//
// Numeric thresholds follow the Gitlab::Access constants:
//   Guest = 10, Reporter = 20, Developer = 30, Maintainer = 40, Owner = 50
//
// Each tier is its own `permit`. Every tier requires the principal to carry
// an `access_level` at or above the tier's threshold and to be listed in
// `resource.members`; the Guest tier alone additionally admits anyone when
// the resource's `visibility` is "public". The trailing `forbid` denies a
// blocked principal outright — in Cedar a satisfied forbid overrides every
// permit in the policy set, the admin override included.
//
// NOTE(review): `access_level` is read from the principal, so one level
// applies to every resource the user is a member of. Per-project levels
// (as GitLab memberships actually have) would need to live on the
// membership or the resource — confirm against the entity schema.

// --- Guest (10): read-only operations --------------------------------------
// Members read at any visibility; non-members only when the resource is
// "public". Other visibility values (e.g. "internal") are not special-cased
// here and fall through to the membership check.
permit (
  principal is User,
  action in [
    Action::"read_project",
    Action::"read_group",
    Action::"read_issue",
    Action::"read_merge_request",
    Action::"read_pipeline",
    Action::"read_wiki",
    Action::"download_code"
  ],
  resource
)
when {
  principal has access_level &&
  principal.access_level >= 10 &&
  resource has visibility &&
  (
    resource.visibility == "public" ||
    (resource has members && principal in resource.members)
  )
};

// --- Reporter (20): create issues, view builds -----------------------------
// Membership is mandatory from this tier upward; public visibility alone
// grants nothing here.
permit (
  principal is User,
  action in [
    Action::"create_issue",
    Action::"create_issue_note",
    Action::"read_build",
    Action::"read_container_image",
    Action::"pull_container_image"
  ],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 20
};

// --- Developer (30): push code, manage merge requests and pipelines --------
permit (
  principal is User,
  action in [
    Action::"push_code",
    Action::"create_merge_request",
    Action::"update_merge_request",
    Action::"create_pipeline",
    Action::"retry_pipeline",
    Action::"push_container_image",
    Action::"create_release"
  ],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 30
};

// --- Maintainer (40): project administration -------------------------------
permit (
  principal is User,
  action in [
    Action::"admin_project",
    Action::"manage_project_members",
    Action::"admin_merge_request",
    Action::"push_to_delete_protected_branch",
    Action::"admin_pipeline",
    Action::"admin_container_registry",
    Action::"admin_package_registry"
  ],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 40
};

// --- Owner (50): destructive / ownership-level project control ------------
permit (
  principal is User,
  action in [
    Action::"destroy_project",
    Action::"transfer_project",
    Action::"archive_project",
    Action::"change_visibility_level",
    Action::"admin_project_hooks",
    Action::"admin_project_runners"
  ],
  resource
)
when {
  resource has members &&
  principal in resource.members &&
  principal has access_level &&
  principal.access_level >= 50
};

// --- Instance admin override: any action on any resource -------------------
// Deliberately fail-closed: an admin whose entity lacks the `blocked`
// attribute does NOT receive the override, because the `has blocked`
// guard is part of the condition.
permit (
  principal is User,
  action,
  resource
)
when {
  principal has blocked &&
  !principal.blocked &&
  principal has admin &&
  principal.admin == true
};

// --- Blocked users: deny everything ----------------------------------------
// Forbid beats permit, so this also neutralises the admin override above.
// A principal with no `blocked` attribute at all is not caught by this
// rule and is governed solely by the tier permits.
forbid (
  principal is User,
  action,
  resource
)
when {
  principal has blocked &&
  principal.blocked == true
};