author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-20 13:43:29 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-06-20 13:43:29 +0300 |
commit | 3b1af5cc7ed2666ff18b718ce5d30fa5a2756674 (patch) | |
tree | 3bc4a40e0ee51ec27eabf917c537033c0c5b14d4 /app/policies/group_policy.rb | |
parent | 9bba14be3f2c211bf79e15769cd9b77bc73a13bc (diff) |
Add latest changes from gitlab-org/gitlab@16-1-stable-eev16.1.0-rc42
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 19 |
1 files changed, 17 insertions, 2 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 285721de387..94a67f5b5c8 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -109,6 +109,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 @subject.runner_registration_enabled?
 end

+ condition(:raise_admin_package_to_owner_enabled) do
+ Feature.enabled?(:raise_group_admin_package_permission_to_owner, @subject)
+ end
+
 rule { can?(:read_group) & design_management_enabled }.policy do
 enable :read_design_activity
 end
@@ -159,6 +163,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :award_achievement
 end

+ rule { can?(:owner_access) & achievements_enabled }.policy do
+ enable :destroy_user_achievement
+ end
+
 rule { ~public_group & ~has_access }.prevent :read_counts

 rule { ~can_read_group_member }.policy do
@@ -198,11 +206,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_package
 enable :read_crm_organization
 enable :read_crm_contact
+ enable :read_confidential_issues
 end

 rule { maintainer }.policy do
 enable :destroy_package
- enable :admin_package
 enable :create_projects
 enable :import_projects
 enable :admin_pipeline
@@ -304,7 +312,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { dependency_proxy_access_allowed & dependency_proxy_available }
 .enable :read_dependency_proxy

- rule { maintainer & dependency_proxy_available }.policy do
+ rule { maintainer & dependency_proxy_available & ~raise_admin_package_to_owner_enabled }.policy do
+ enable :admin_dependency_proxy
+ end
+
+ rule { owner & dependency_proxy_available & raise_admin_package_to_owner_enabled }.policy do
 enable :admin_dependency_proxy
 end

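Review bot: The new `raise_admin_package_to_owner_enabled` condition in the hunk at -109 reads only `@subject`, yet it is declared without a scope, so its result is presumably cached per user and group rather than once per group. If the file's other subject-only conditions do the same, declare it as `condition(:raise_admin_package_to_owner_enabled, scope: :subject) do`. The header of the preceding condition lies outside the hunk, so the local convention cannot be confirmed from these lines.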
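Review bot: `enable :read_confidential_issues` in the hunk at -198 lands in a rule block whose header starts outside the hunk, so the role that receives it cannot be checked from these lines, and unlike the `:admin_package` change it is not behind a feature flag. Because this ability decides who can see confidential issues at group level, it deserves a comment in the style the file already uses further down, e.g. `# Should be matched with ProjectPolicy#read_confidential_issues` (assuming the project policy defines that ability; otherwise name the rule it mirrors). The `enable :admin_package` removed from the maintainer block in the same hunk is re-granted by the flag-dependent rules in the hunk at -370.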
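Review bot: The flag behind `raise_admin_package_to_owner_enabled` is named for package administration, but the two rules in the hunk at -304 also use it to move `:admin_dependency_proxy` from maintainer to owner, and nothing in the policy says so. Anyone toggling `raise_group_admin_package_permission_to_owner` for a group therefore also changes who may administer the dependency proxy; a comment above the pair, e.g. `# Also gated by raise_group_admin_package_permission_to_owner: owner-only when enabled`, would make that visible. The same maintainer/owner pair appears for `:admin_package` in the hunk at -370 and would benefit from the same comment. Since the two rule bodies are identical and differ only in role and flag state, specs should cover maintainer and owner with the flag both on and off.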
@@ -370,6 +382,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 # Should be matched with ProjectPolicy#read_internal_note
 rule { admin | reporter }.enable :read_internal_note

+ rule { maintainer & ~raise_admin_package_to_owner_enabled }.enable :admin_package
+ rule { owner & raise_admin_package_to_owner_enabled }.enable :admin_package
+
 def access_level(for_any_session: false)
 return GroupMember::NO_ACCESS if @user.nil?
 return GroupMember::NO_ACCESS unless user_is_user? |