Add latest changes from gitlab-org/gitlab@master

7 files changed, 34 insertions, 54 deletions

diff --git a/app/models/container_registry/protection.rb b/app/models/container_registry/protection.rb
new file mode 100644
index 00000000000..33c94c0c893
--- /dev/null
+++ b/app/models/container_registry/protection.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module ContainerRegistry
+  module Protection
+    def self.table_name_prefix
+      'container_registry_protection_'
+    end
+  end
+end
diff --git a/app/models/container_registry/protection/rule.rb b/app/models/container_registry/protection/rule.rb
new file mode 100644
index 00000000000..a91f3633d75
--- /dev/null
+++ b/app/models/container_registry/protection/rule.rb
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+module ContainerRegistry
+  module Protection
+    class Rule < ApplicationRecord
+      enum delete_protected_up_to_access_level:
+             Gitlab::Access.sym_options_with_owner.slice(:maintainer, :owner, :developer),
+        _prefix: :delete_protected_up_to
+      enum push_protected_up_to_access_level:
+             Gitlab::Access.sym_options_with_owner.slice(:maintainer, :owner, :developer),
+        _prefix: :push_protected_up_to
+
+      belongs_to :project, inverse_of: :container_registry_protection_rules
+
+      validates :container_path_pattern, presence: true, uniqueness: { scope: :project_id }, length: { maximum: 255 }
+      validates :delete_protected_up_to_access_level, presence: true
+      validates :push_protected_up_to_access_level, presence: true
+    end
+  end
+end
diff --git a/app/models/group.rb b/app/models/group.rb
index bc6125887d4..c83dd24e98e 100644
--- a/app/models/group.rb
+++ b/app/models/group.rb
@@ -423,15 +423,13 @@ class Group < Namespace
     owners.include?(user)
   end
 
-  def add_members(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
+  def add_members(users, access_level, current_user: nil, expires_at: nil)
     Members::Groups::CreatorService.add_members( # rubocop:disable CodeReuse/ServiceClass
       self,
       users,
       access_level,
       current_user: current_user,
-      expires_at: expires_at,
-      tasks_to_be_done: tasks_to_be_done,
-      tasks_project_id: tasks_project_id
+      expires_at: expires_at
     )
   end
 
diff --git a/app/models/member.rb b/app/models/member.rb
index 248cad00c26..80a875fc04d 100644
--- a/app/models/member.rb
+++ b/app/models/member.rb
@@ -29,10 +29,8 @@ class Member < ApplicationRecord
   belongs_to :source, polymorphic: true # rubocop:disable Cop/PolymorphicAssociations
   belongs_to :member_namespace, inverse_of: :namespace_members, foreign_key: 'member_namespace_id', class_name: 'Namespace'
   belongs_to :member_role
-  has_one :member_task
 
   delegate :name, :username, :email, :last_activity_on, to: :user, prefix: true
-  delegate :tasks_to_be_done, to: :member_task, allow_nil: true
 
   validates :expires_at, allow_blank: true, future_date: true
   validates :user, presence: true, unless: :invite?
diff --git a/app/models/members/member_task.rb b/app/models/members/member_task.rb
deleted file mode 100644
index 6cf6b1adb45..00000000000
--- a/app/models/members/member_task.rb
+++ /dev/null
@@ -1,44 +0,0 @@
-# frozen_string_literal: true
-
-class MemberTask < ApplicationRecord
-  TASKS = {
-    code: 0,
-    ci: 1,
-    issues: 2
-  }.freeze
-
-  belongs_to :member
-  belongs_to :project
-
-  validates :member, :project, presence: true
-  validates :tasks, inclusion: { in: TASKS.values }
-  validate :tasks_uniqueness
-  validate :project_in_member_source
-
-  scope :for_members, -> (members) { joins(:member).where(member: members) }
-
-  def tasks_to_be_done
-    Array(self[:tasks]).map { |task| TASKS.key(task) }
-  end
-
-  def tasks_to_be_done=(tasks)
-    self[:tasks] = Array(tasks).map do |task|
-      TASKS[task.to_sym]
-    end.uniq
-  end
-
-  private
-
-  def tasks_uniqueness
-    errors.add(:tasks, 'are not unique') unless Array(tasks).length == Array(tasks).uniq.length
-  end
-
-  def project_in_member_source
-    case member
-    when GroupMember
-      errors.add(:project, _('is not in the member group')) unless project.namespace == member.source
-    when ProjectMember
-      errors.add(:project, _('is not the member project')) unless project == member.source
-    end
-  end
-end
diff --git a/app/models/project.rb b/app/models/project.rb
index 22d4402d732..6c12c85d45d 100644
--- a/app/models/project.rb
+++ b/app/models/project.rb
@@ -390,6 +390,7 @@ class Project < ApplicationRecord
   has_many :alert_management_alerts, class_name: 'AlertManagement::Alert', inverse_of: :project
   has_many :alert_management_http_integrations, class_name: 'AlertManagement::HttpIntegration', inverse_of: :project
 
+  has_many :container_registry_protection_rules, class_name: 'ContainerRegistry::Protection::Rule', inverse_of: :project
   # Container repositories need to remove data from the container registry,
   # which is not managed by the DB. Hence we're still using dependent: :destroy
   # here.
diff --git a/app/models/project_team.rb b/app/models/project_team.rb
index 38521ae6090..586294f0dd0 100644
--- a/app/models/project_team.rb
+++ b/app/models/project_team.rb
@@ -43,15 +43,13 @@ class ProjectTeam
     member
   end
 
-  def add_members(users, access_level, current_user: nil, expires_at: nil, tasks_to_be_done: [], tasks_project_id: nil)
+  def add_members(users, access_level, current_user: nil, expires_at: nil)
     Members::Projects::CreatorService.add_members( # rubocop:disable CodeReuse/ServiceClass
       project,
       users,
       access_level,
       current_user: current_user,
-      expires_at: expires_at,
-      tasks_to_be_done: tasks_to_be_done,
-      tasks_project_id: tasks_project_id
+      expires_at: expires_at
     )
   end