
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorLin Jen-Shin <godfat@godfat.org>2017-07-04 00:15:27 +0300
committerLin Jen-Shin <godfat@godfat.org>2017-07-04 00:15:27 +0300
commit39573c6dde39de2345f100586c2c10f74187f6c1 (patch)
treeb98c5d4b2e211397450dad6009bf97584f772ce5 /app/policies/ci
parent23bfd8c13c803f4efdb9eaf8e6e3c1ffd17640e8 (diff)
parent049d4baed0f3532359feb729c5f0938d3d4518ef (diff)
Merge remote-tracking branch 'upstream/master' into 30634-protected-pipeline
* upstream/master: (119 commits) Speed up operations performed by gitlab-shell Change the force flag to a keyword argument add image - issue boards - moving card copyedit == ee !2296 Reset @full_path to nil when cache expires Replace existing runner links with icons and tooltips, move into btn-group. add margin between captcha and register button Eagerly create a milestone that is used in a feature spec Adjust readme repo width Resolve "Issue Board -> "Remove from board" button when viewing an issue gives js error and fails" Set force_remove_source_branch default to false. Fix rubocop offenses Make entrypoint and command keys to be array of strings Add issuable-list class to shared mr/issue lists to fix new responsive layout New navigation breadcrumbs Restore timeago translations in renderTimeago. Fix curl example paths (missing the 'files' segment) Automatically hide sidebar on smaller screens Fix typo in IssuesFinder comment Make Project#ensure_repository force create a repo ...
Diffstat (limited to 'app/policies/ci')
-rw-r--r--app/policies/ci/build_policy.rb29
-rw-r--r--app/policies/ci/pipeline_policy.rb23
-rw-r--r--app/policies/ci/runner_policy.rb15
-rw-r--r--app/policies/ci/trigger_policy.rb21
4 files changed, 32 insertions, 56 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 85245528602..129ed756477 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -1,30 +1,11 @@
module Ci
class BuildPolicy < CommitStatusPolicy
- alias_method :build, :subject
-
- def rules
- super
-
- # If we can't read build we should also not have that
- # ability when looking at this in context of commit_status
- %w[read create update admin].each do |rule|
- cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"
- end
-
- if can?(:update_build) && !can_user_update?
- cannot! :update_build
- end
+ condition(:user_cannot_update) do
+ !::Gitlab::UserAccess
+ .new(@user, project: @subject.project)
+ .can_push_or_merge_to_branch?(@subject.ref)
end
- private
-
- def can_user_update?
- user_access.can_push_or_merge_to_branch?(build.ref)
- end
-
- def user_access
- @user_access ||= ::Gitlab::UserAccess
- .new(user, project: build.project)
- end
+ rule { user_cannot_update }.prevent :update_build
end
end
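Review bot: The added lines do not replace the coupling that the removed `rules` loop enforced, `cannot! :"#{rule}_commit_status" unless can? :"#{rule}_build"` for read/create/update/admin. If the parent `CommitStatusPolicy` (outside this diff, which is limited to app/policies/ci) does not express the same link declaratively, a user denied a `*_build` ability could keep the matching `*_commit_status` ability on the same build. Confirm the parent covers it and add a policy spec asserting that the two abilities are denied together. Once confirmed, a short comment above `condition(:user_cannot_update)` saying where the coupling now lives would stop the next reader from assuming it was dropped.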
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index e71cc358353..73b5a40c7fc 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -1,24 +1,13 @@
module Ci
class PipelinePolicy < BasePolicy
- alias_method :pipeline, :subject
+ delegate { pipeline.project }
- def rules
- delegate! pipeline.project
-
- if can?(:update_pipeline) && !can_user_update?
- cannot! :update_pipeline
- end
+ condition(:user_cannot_update) do
+ !::Gitlab::UserAccess
+ .new(@user, project: @subject.project)
+ .can_push_or_merge_to_branch?(@subject.ref)
end
- private
-
- def can_user_update?
- user_access.can_push_or_merge_to_branch?(pipeline.ref)
- end
-
- def user_access
- @user_access ||= ::Gitlab::UserAccess
- .new(user, project: pipeline.project)
- end
+ rule { user_cannot_update }.prevent :update_pipeline
end
end
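Review bot: `delegate { pipeline.project }` on the first added line calls `pipeline`, but this hunk removes `alias_method :pipeline, :subject`. Unless a `pipeline` reader is defined in `BasePolicy` or elsewhere outside this diff, the block will raise NameError when it is evaluated. The condition a few lines below already uses `@subject.project`, and so does `TriggerPolicy` in this commit, so write `delegate { @subject.project }` here. This matters for authorization because every project-level ability on a pipeline is resolved through that delegate. Separately, `condition(:user_cannot_update)` is copied verbatim from `Ci::BuildPolicy`, and a shared definition would keep the two branch-protection checks from drifting apart.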
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 416d93ffe63..7dff8470e23 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -1,13 +1,16 @@
module Ci
class RunnerPolicy < BasePolicy
- def rules
- return unless @user
+ with_options scope: :subject, score: 0
+ condition(:shared) { @subject.is_shared? }
- can! :assign_runner if @user.admin?
+ with_options scope: :subject, score: 0
+ condition(:locked, scope: :subject) { @subject.locked? }
- return if @subject.is_shared? || @subject.locked?
+ condition(:authorized_runner) { @user.ci_authorized_runners.include?(@subject) }
- can! :assign_runner if @user.ci_authorized_runners.include?(@subject)
- end
+ rule { anonymous }.prevent_all
+ rule { admin | authorized_runner }.enable :assign_runner
+ rule { ~admin & shared }.prevent :assign_runner
+ rule { ~admin & locked }.prevent :assign_runner
end
end
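Review bot: `condition(:authorized_runner)` dereferences `@user` without a nil guard, whereas the removed code returned early with `return unless @user` and `is_owner` in `TriggerPolicy` guards with `@user &&`. Whether `rule { anonymous }.prevent_all` keeps this condition from being evaluated for an anonymous user depends on the policy framework's evaluation order, which is not visible here. Making the condition safe on its own is cheap: `condition(:authorized_runner) { @user && @user.ci_authorized_runners.include?(@subject) }`. As a style point, `scope: :subject` on `condition(:locked, ...)` repeats what the preceding `with_options` line already sets and can be dropped.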
diff --git a/app/policies/ci/trigger_policy.rb b/app/policies/ci/trigger_policy.rb
index c90c9ac0583..5592ac30812 100644
--- a/app/policies/ci/trigger_policy.rb
+++ b/app/policies/ci/trigger_policy.rb
@@ -1,13 +1,16 @@
module Ci
class TriggerPolicy < BasePolicy
- def rules
- delegate! @subject.project
-
- if can?(:admin_build)
- can! :admin_trigger if @subject.owner.blank? ||
- @subject.owner == @user
- can! :manage_trigger
- end
- end
+ delegate { @subject.project }
+
+ with_options scope: :subject, score: 0
+ condition(:legacy) { @subject.legacy? }
+
+ with_score 0
+ condition(:is_owner) { @user && @subject.owner_id == @user.id }
+
+ rule { ~can?(:admin_build) }.prevent :admin_trigger
+ rule { legacy | is_owner }.enable :admin_trigger
+
+ rule { can?(:admin_build) }.enable :manage_trigger
end
end
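Review bot: The `legacy` condition replaces the removed `@subject.owner.blank?` check, and the two are equivalent only if `legacy?` (defined outside this diff) means exactly "no owner". `is_owner` also now compares `owner_id` rather than the loaded `owner`. If a trigger's `owner_id` can point at a user that no longer exists, that trigger was administrable by anyone with `admin_build` before and may not be now. This looks like a tightening, but it is still a behaviour change in an authorization rule. Add a spec for the ownerless case and a comment above `condition(:legacy)` such as `# legacy triggers have no owner; anyone with admin_build may administer them`.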