Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-07-02 03:07:53 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-07-02 03:07:53 +0300
commit: dc483c85ef1b3bcb8dee1fa269ced6e52f48c22c (patch)
tree: 8a1d7d84a460a2daf7ef17f1efc71cf27531ef71 /app/policies/release_policy.rb
parent: f8975b16d11afde69e398a8c607a27e0c05b48f9 (diff)
1 files changed, 28 insertions, 0 deletions
diff --git a/app/policies/release_policy.rb b/app/policies/release_policy.rb
index d7f9e5d7445..6f99eb34bb3 100644
--- a/app/policies/release_policy.rb
+++ b/app/policies/release_policy.rb
@@ -2,4 +2,32 @@
 
 class ReleasePolicy < BasePolicy
   delegate { @subject.project }
+
+  condition(:protected_tag) do
+    access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
+
+    !access.can_create_tag?(@subject.tag)
+  end
+
+  condition(:respect_protected_tag) do
+    ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject.project, default_enabled: :yaml)
+  end
+
+  condition(:project_developer) do
+    can?(:developer_access, @subject.project)
+  end
+
+  rule { respect_protected_tag & protected_tag }.policy do
+    prevent :create_release
+    prevent :update_release
+    prevent :destroy_release
+  end
+
+  # NOTE: Developer role (or above) can create, update and destroy release entries.
+  # When we remove the `evalute_protected_tag_for_release_permissions` feature flag,
+  # we should move `enable :destroy_release` to ProjectPolicy alongside with .
+  # See https://gitlab.com/gitlab-org/gitlab/-/issues/327505 for more information.
+  rule { respect_protected_tag & project_developer }.policy do
+    enable :destroy_release
+  end
 end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-07-02 03:07:53 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-07-02 03:07:53 +0300
commit	dc483c85ef1b3bcb8dee1fa269ced6e52f48c22c (patch)
tree	8a1d7d84a460a2daf7ef17f1efc71cf27531ef71 /app/policies/release_policy.rb
parent	f8975b16d11afde69e398a8c607a27e0c05b48f9 (diff)