diff options
| author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-22 12:07:22 +0300 |
|---|---|---|
| committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-12-22 12:07:22 +0300 |
| commit | 58e69d174512e267079ebb6afc60dd097070bf35 (patch) | |
| tree | d7207e894f4813a57db661de9620b9f7728d1afb /app/policies/ci | |
| parent | f8edcff7e9aff93f8ac605c19e542204b0ed9ba2 (diff) | |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies/ci')
| -rw-r--r-- | app/policies/ci/build_policy.rb | 6 | ||||
| -rw-r--r-- | app/policies/ci/job_artifact_policy.rb | 15 |
2 files changed, 18 insertions, 3 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 5ef926ef2e3..ca0b51e1385 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -59,7 +59,7 @@ module Ci @subject.debug_mode? end - condition(:project_read_build, scope: :subject) do + condition(:can_read_project_build, scope: :subject) do can?(:read_build, @subject.project) end @@ -71,7 +71,7 @@ module Ci can?(:developer_access, @subject.project) end - rule { project_read_build }.enable :read_build_trace + rule { can_read_project_build }.enable :read_build_trace rule { debug_mode & ~project_update_build }.prevent :read_build_trace # Authorizing the user to access to protected entities. @@ -114,7 +114,7 @@ module Ci prevent :create_build_service_proxy end - rule { project_read_build }.enable :read_job_artifacts + rule { can_read_project_build }.enable :read_job_artifacts rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts end end diff --git a/app/policies/ci/job_artifact_policy.rb b/app/policies/ci/job_artifact_policy.rb index e25c7311565..61c935af8ba 100644 --- a/app/policies/ci/job_artifact_policy.rb +++ b/app/policies/ci/job_artifact_policy.rb @@ -3,5 +3,20 @@ module Ci class JobArtifactPolicy < BasePolicy delegate { @subject.job.project } + + condition(:public_access, scope: :subject) do + @subject.public_access? + end + + condition(:can_read_project_build, scope: :subject) do + can?(:read_build, @subject.job.project) + end + + condition(:has_access_to_project) do + can?(:developer_access, @subject.job.project) + end + + rule { can_read_project_build }.enable :read_job_artifacts + rule { ~public_access & ~has_access_to_project }.prevent :read_job_artifacts end end |