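// GitLab Visibility Level Authorization
//
// Grants read access according to the resource's visibility level
// (public, internal, private) and the principal's account state, and
// forbids a few things outright regardless of membership.
//
// Attributes referenced by these policies. Every attribute read is
// guarded with `has`, so a missing attribute yields "no match" instead
// of an evaluation error that would abort the whole request:
//   resource.visibility  "public" | "internal" | "private"
//   resource.members     principals holding membership on the resource
//   resource.archived    true when the resource is archived
//   principal.blocked    true when the account is blocked
//   principal.external   true for external (restricted) accounts
//
// Cedar is default-deny and any matching forbid overrides every permit,
// so the forbid policies act as guard rails that keep holding even if a
// permit is later widened.
//
// NOTE(review): the project permits below do not constrain the resource
// entity type; they apply to any resource that carries `visibility`.
// Confirm against the schema that only project entities carry that
// attribute, or add a resource type constraint once the schema names one.

// Public projects - any principal may read, provided it carries a
// `blocked` attribute that is false. A principal without the attribute
// at all is NOT granted access (the `has` check fails closed).
permit (
    principal,
    action in [
        Action::"read_project",
        Action::"read_repository",
        Action::"download_code",
        Action::"read_issue",
        Action::"read_merge_request",
        Action::"read_wiki",
        Action::"read_snippet"
    ],
    resource
)
when {
    resource has visibility &&
    resource.visibility == "public" &&
    principal has blocked &&
    !principal.blocked
};

// Internal projects - authenticated, non-external, non-blocked users.
permit (
    principal is User,
    action in [
        Action::"read_project",
        Action::"read_repository",
        Action::"download_code",
        Action::"read_issue",
        Action::"read_merge_request",
        Action::"read_wiki",
        Action::"read_snippet"
    ],
    resource
)
when {
    resource has visibility &&
    resource.visibility == "internal" &&
    principal has external &&
    !principal.external &&
    principal has blocked &&
    !principal.blocked
};

// Private projects - only non-blocked members. External users may be
// members of a private project, so `external` is deliberately not
// checked here.
permit (
    principal is User,
    action in [
        Action::"read_project",
        Action::"read_repository",
        Action::"download_code",
        Action::"read_issue",
        Action::"read_merge_request",
        Action::"read_wiki",
        Action::"read_snippet"
    ],
    resource
)
when {
    resource has visibility &&
    resource.visibility == "private" &&
    principal in resource.members &&
    principal has blocked &&
    !principal.blocked
};

// External users never reach internal resources, for any action.
// Because the resource is unconstrained this also covers internal
// groups, not just projects.
forbid (
    principal is User,
    action,
    resource
)
when {
    resource has visibility &&
    resource.visibility == "internal" &&
    principal has external &&
    principal.external == true
};

// Blocked accounts get nothing, for any action on any resource.
// The read permits also test `blocked`, but that check was missing from
// the group permits; this forbid makes the rule hold uniformly.
forbid (
    principal is User,
    action,
    resource
)
when {
    principal has blocked &&
    principal.blocked
};

// Group visibility rules - mirror the project rules, including the
// `blocked` check so group reads and project reads agree.
permit (
    principal,
    action in [Action::"read_group", Action::"read_group_details"],
    resource is Group
)
when {
    resource has visibility &&
    resource.visibility == "public" &&
    principal has blocked &&
    !principal.blocked
};

permit (
    principal is User,
    action in [Action::"read_group", Action::"read_group_details"],
    resource is Group
)
when {
    resource has visibility &&
    resource.visibility == "internal" &&
    principal has external &&
    !principal.external &&
    principal has blocked &&
    !principal.blocked
};

permit (
    principal is User,
    action in [Action::"read_group", Action::"read_group_details"],
    resource is Group
)
when {
    resource has visibility &&
    resource.visibility == "private" &&
    principal in resource.members &&
    principal has blocked &&
    !principal.blocked
};

// Archived resources are read-only: the listed mutating actions are
// refused for everyone. Read actions on archived resources remain
// governed by the visibility permits above. Only the actions named here
// are covered; any other mutating action must be added explicitly.
forbid (
    principal,
    action in [
        Action::"push_code",
        Action::"create_issue",
        Action::"create_merge_request",
        Action::"update_issue",
        Action::"update_merge_request"
    ],
    resource
)
when {
    resource has archived &&
    resource.archived == true
};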