author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 10:08:36 +0300 |
commit | 48aff82709769b098321c738f3444b9bdaa694c6 (patch) | |
tree | e00c7c43e2d9b603a5a6af576b1685e400410dee /app/policies/group_policy.rb | |
parent | 879f5329ee916a948223f8f43d77fba4da6cd028 (diff) |
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index c98e82efef7..f9ec026a6d2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -46,6 +46,19 @@ class GroupPolicy < BasePolicy
 group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
 end

+ desc "Deploy token with read_package_registry scope"
+ condition(:read_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
+ end
+
+ desc "Deploy token with write_package_registry scope"
+ condition(:write_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
+ end
+
+ with_scope :subject
+ condition(:resource_access_token_available) { resource_access_token_available? }
+
 rule { design_management_enabled }.policy do
 enable :read_design_activity
 end
@@ -91,7 +104,6 @@ class GroupPolicy < BasePolicy

 rule { developer }.policy do
 enable :admin_milestone
- enable :read_package
 enable :create_metrics_dashboard_annotation
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
@@ -105,6 +117,7 @@ class GroupPolicy < BasePolicy
 enable :admin_issue
 enable :read_metrics_dashboard_annotation
 enable :read_prometheus
+ enable :read_package
 end

 rule { maintainer }.policy do
@@ -167,6 +180,20 @@ class GroupPolicy < BasePolicy

 rule { maintainer & can?(:create_projects) }.enable :transfer_projects

+ rule { read_package_registry_deploy_token }.policy do
+ enable :read_package
+ enable :read_group
+ end
+
+ rule { write_package_registry_deploy_token }.policy do
+ enable :create_package
+ enable :read_group
+ end
+
+ rule { resource_access_token_available & can?(:admin_group) }.policy do
+ enable :admin_resource_access_tokens
+ end
+
 def access_level
 return GroupMember::NO_ACCESS if @user.nil?
 return GroupMember::NO_ACCESS unless user_is_user?
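Review bot: Both deploy-token conditions in the first hunk decide access from `@user.groups.include?(@subject)` plus the scope flag, and nothing visible here checks that the token is still unrevoked and unexpired. If the authentication layer guarantees that before the policy runs, a comment on the conditions should say so, e.g. `# Token revocation/expiry is enforced at authentication, not in this condition`. Otherwise the condition should include the token's own validity check. `groups.include?` also matches only groups associated directly with the token, so it is worth stating whether tokens attached to an ancestor group are meant to be excluded.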
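Review bot: In the third hunk, `enable :read_package` is now granted by a rule whose opening line is outside the hunk, so the role that gains package read access cannot be confirmed from the visible lines. The neighbouring abilities suggest a role below `developer`, from which the same line is removed in the second hunk. Because this widens who can read group packages, the move deserves an explicit comment, e.g. `# read_package is intentionally granted below developer`, and a policy spec asserting the ability for the new role and its absence for lower ones.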
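Review bot: Both deploy-token rules in the fourth hunk enable `:read_group` alongside the package ability, so a package-registry token passes every check in the application that is guarded by `read_group`, not only registry access. If the registry endpoints merely need to resolve the group, a narrower ability would limit what a leaked token can reach. If full `read_group` is required, a comment should explain why, e.g. `# read_group is required for the package endpoints to look up the group`. It is also worth confirming that the write-scope rule is meant to enable `:create_package` without `:read_package`.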
@@ -183,6 +210,14 @@ class GroupPolicy < BasePolicy
 def user_is_user?
 user.is_a?(User)
 end
+
+ def group
+ @subject
+ end
+
+ def resource_access_token_available?
+ true
+ end
 end

 GroupPolicy.prepend_if_ee('EE::GroupPolicy') |
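Review bot: `resource_access_token_available?` returns a constant `true` with no comment, while the condition that calls it in the first hunk is declared `with_scope :subject`. Presumably the method is a hook for the module prepended on the last line; if so, a comment should say that and state the constraint, e.g. `# Hook for overrides; must depend only on the group because the condition is subject-scoped`. An override that consulted the current user would be cached per group and could leak one user's result to another. The visibility of the two new methods cannot be determined from this hunk, because the class body starts outside it.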