Add latest changes from gitlab-org/gitlab@14-6-stable-eev14.6.0-rc42

1 files changed, 15 insertions, 1 deletions

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 833d5b9bd34..5c4990ffd9b 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-class GroupPolicy < BasePolicy
+class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   include FindGroupProjects
 
   desc "Group is public"
@@ -77,6 +77,11 @@ class GroupPolicy < BasePolicy
 
   condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
 
+  with_scope :subject
+  condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
+    Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+  end
+
   rule { can?(:read_group) & design_management_enabled }.policy do
     enable :read_design_activity
   end
@@ -157,6 +162,7 @@ class GroupPolicy < BasePolicy
     enable :destroy_package
     enable :create_projects
     enable :admin_pipeline
+    enable :admin_group_runners
     enable :admin_build
     enable :read_cluster
     enable :add_cluster
@@ -199,6 +205,10 @@ class GroupPolicy < BasePolicy
     enable :read_nested_project_resources
   end
 
+  rule { can?(:admin_group_runners) }.policy do
+    enable :register_group_runners
+  end
+
   rule { owner }.enable :create_subgroup
   rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
 
@@ -261,6 +271,10 @@ class GroupPolicy < BasePolicy
     prevent :admin_crm_organization
   end
 
+  rule { ~group_runner_registration_allowed }.policy do
+    prevent :register_group_runners
+  end
+
   def access_level(for_any_session: false)
     return GroupMember::NO_ACCESS if @user.nil?
     return GroupMember::NO_ACCESS unless user_is_user?