gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2022-08-18 11:17:02 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-08-18 11:17:02 +0300
commitb39512ed755239198a9c294b6a45e65c05900235 (patch)
treed234a3efade1de67c46b9e5a38ce813627726aa7 /app/policies
parentd31474cf3b17ece37939d20082b07f6657cc79a9 (diff)
Add latest changes from gitlab-org/gitlab@15-3-stable-eev15.3.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/runner_policy.rb2
-rw-r--r--app/policies/deployment_policy.rb2
-rw-r--r--app/policies/group_policy.rb3
-rw-r--r--app/policies/issuable_policy.rb4
-rw-r--r--app/policies/namespaces/group_project_namespace_shared_policy.rb14
-rw-r--r--app/policies/namespaces/project_namespace_policy.rb6
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb1
-rw-r--r--app/policies/project_hook_policy.rb10
-rw-r--r--app/policies/project_policy.rb27
-rw-r--r--app/policies/system_hook_policy.rb8
-rw-r--r--app/policies/time_tracking/timelog_category_policy.rb7
-rw-r--r--app/policies/upload_policy.rb5
-rw-r--r--app/policies/work_item_policy.rb3
13 files changed, 85 insertions, 7 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 6dfe9cc496b..8a99f4d1a3e 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -31,3 +31,5 @@ module Ci
rule { ~admin & locked }.prevent :assign_runner
end
end
+
+Ci::RunnerPolicy.prepend_mod_with('Ci::RunnerPolicy')
diff --git a/app/policies/deployment_policy.rb b/app/policies/deployment_policy.rb
index 1a92b735e36..70b2e864094 100644
--- a/app/policies/deployment_policy.rb
+++ b/app/policies/deployment_policy.rb
@@ -24,3 +24,5 @@ class DeploymentPolicy < BasePolicy
prevent :update_deployment
end
end
+
+DeploymentPolicy.prepend_mod_with('DeploymentPolicy')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 50b6f4bbe15..44393539327 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -180,7 +180,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_deploy_token
enable :create_jira_connect_subscription
enable :maintainer_access
- enable :maintain_namespace
+ enable :read_upload
+ enable :destroy_upload
end
rule { owner }.policy do
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f1efcb25331..3c5e1020c8a 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -44,6 +44,10 @@ class IssuablePolicy < BasePolicy
rule { can?(:read_issue) & can?(:developer_access) }.policy do
enable :admin_incident_management_timeline_event
end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :create_timelog
+ end
end
IssuablePolicy.prepend_mod_with('IssuablePolicy')
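Review bot: The new `create_timelog` rule is keyed only on `can?(:reporter_access)`, while the rule directly above it also requires `can?(:read_issue)`, so the ability does not depend on the user being able to see the issuable it is checked against. If an issuable can be hidden from a reporter (not visible from this hunk, and a subclass may already prevent it), the rule should also require readability in the style of its neighbour, e.g. `rule { can?(:read_issue) & can?(:reporter_access) }.policy do`, or the equivalent read check for merge requests. A spec asserting that `create_timelog` is denied on an issuable the user cannot read would pin this down either way.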
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
index 1ed9f05306f..bfb1706bc5a 100644
--- a/app/policies/namespaces/group_project_namespace_shared_policy.rb
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
@@ -2,8 +2,20 @@
module Namespaces
class GroupProjectNamespaceSharedPolicy < ::NamespacePolicy
- # Nothing here at the moment, but as we move policies from ProjectPolicy to ProjectNamespacePolicy,
+ # As we move policies from ProjectPolicy to ProjectNamespacePolicy,
# anything common with GroupPolicy but not with UserNamespacePolicy can go in here.
# See https://gitlab.com/groups/gitlab-org/-/epics/6689
+
+ condition(:timelog_categories_enabled, score: 0, scope: :subject) do
+ Feature.enabled?(:timelog_categories, @subject)
+ end
+
+ rule { ~timelog_categories_enabled }.policy do
+ prevent :read_timelog_category
+ end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :read_timelog_category
+ end
end
end
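Review bot: `timelog_categories_enabled` evaluates the flag against `@subject`, and this class is inherited by both GroupPolicy and ProjectNamespacePolicy (both visible in this commit), so the flag actor is sometimes a group and sometimes a project namespace. Whether enabling `timelog_categories` for a group also covers the project namespaces beneath it depends on how `Feature` resolves actors, which is not visible here. A comment on the condition would make the intent explicit, e.g. `# Flag actor is the namespace being checked (group or project namespace).` It would also help to note that the `prevent` rule deliberately overrides the reporter `enable` below it, so the ability stays denied while the flag is off.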
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
index 33aadc7c411..500c325138e 100644
--- a/app/policies/namespaces/project_namespace_policy.rb
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -2,8 +2,8 @@
module Namespaces
class ProjectNamespacePolicy < Namespaces::GroupProjectNamespaceSharedPolicy
- # For now users are not granted any permissions on project namespace
- # as it's completely hidden to them. When we start using project
- # namespaces in queries, we will have to extend this policy.
+ # TODO: once https://gitlab.com/gitlab-org/gitlab/-/issues/364277 is solved, this
+ # should not be necessary anymore, and should be replaced with `delegate(:project)`.
+ delegate(:reload_project)
end
end
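Review bot: `delegate(:reload_project)` changes this policy from granting nothing to inheriting whatever ProjectPolicy grants, and the removed comment was the only place that stated the earlier deny-all stance. The new TODO explains why `reload_project` is used instead of `project`, but not the authorization consequence. I would add a line such as `# Abilities on a project namespace are now inherited from its project via delegation.` It is also worth confirming what the delegate resolves to when `reload_project` returns nil, which this hunk does not show.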
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 26112332003..028247497e5 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -11,7 +11,6 @@ module Namespaces
enable :owner_access
enable :create_projects
enable :admin_namespace
- enable :maintain_namespace
enable :read_namespace
enable :read_statistics
enable :create_jira_connect_subscription
diff --git a/app/policies/project_hook_policy.rb b/app/policies/project_hook_policy.rb
new file mode 100644
index 00000000000..c177fabb1ba
--- /dev/null
+++ b/app/policies/project_hook_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class ProjectHookPolicy < ::BasePolicy
+ delegate(:project)
+
+ rule { can?(:admin_project) }.policy do
+ enable :read_web_hook
+ enable :destroy_web_hook
+ end
+end
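Review bot: ProjectHookPolicy has no class-level comment saying where its abilities come from, and the same is true of SystemHookPolicy added later in this commit. Both enable the same ability names, `read_web_hook` and `destroy_web_hook`, but from different sources: `can?(:admin_project)` on the delegated project here, `admin` there. Callers therefore have to authorize against the hook object itself rather than against a project. A comment such as `# Webhook abilities derive from the owning project: only users who can :admin_project may read or destroy the hook.` would make that explicit, with a matching one on SystemHookPolicy.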
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 54270dc186e..f4f7275a78a 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -209,6 +209,9 @@ class ProjectPolicy < BasePolicy
analytics
operations
security_and_compliance
+ environments
+ feature_flags
+ releases
]
features.each do |f|
@@ -366,7 +369,11 @@ class ProjectPolicy < BasePolicy
prevent(:metrics_dashboard)
end
- rule { operations_disabled }.policy do
+ condition(:split_operations_visibility_permissions) do
+ ::Feature.enabled?(:split_operations_visibility_permissions, @subject)
+ end
+
+ rule { ~split_operations_visibility_permissions & operations_disabled }.policy do
prevent(*create_read_update_admin_destroy(:feature_flag))
prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:sentry_issue))
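Review bot: The new `split_operations_visibility_permissions` condition is declared without `scope: :subject`, although its block reads only `@subject`. The `timelog_categories_enabled` condition added in group_project_namespace_shared_policy.rb in this same commit uses `score: 0, scope: :subject` for the same kind of flag check. Declaring it as `condition(:split_operations_visibility_permissions, scope: :subject) do` would be consistent with that and lets the cached result be reused for every user checked against the same project. The rule it guards continues past the end of this hunk.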
@@ -379,6 +386,21 @@ class ProjectPolicy < BasePolicy
prevent(:read_prometheus)
end
+ rule { split_operations_visibility_permissions & environments_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:environment))
+ prevent(*create_read_update_admin_destroy(:deployment))
+ end
+
+ rule { split_operations_visibility_permissions & feature_flags_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:feature_flag))
+ prevent(:admin_feature_flags_user_lists)
+ prevent(:admin_feature_flags_client)
+ end
+
+ rule { split_operations_visibility_permissions & releases_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:release))
+ end
+
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
enable :read_deployment
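Review bot: With the flag enabled, the three new rules do not cover everything the now-gated `operations_disabled` rule prevents. That rule (previous hunk) lists `sentry_issue` and appears to end with the `prevent(:read_prometheus)` shown at the top of this hunk, and neither appears under `environments_disabled`, `feature_flags_disabled` or `releases_disabled`. Unless a rule outside this diff takes those over, a project with operations disabled would stop preventing them once `split_operations_visibility_permissions` is turned on. I would either keep those prevents on a rule that does not depend on the flag, or add a spec that, with the flag on, asserts each ability from the old list is still prevented. The middle of the old rule is not shown, so other abilities may be affected as well.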
@@ -470,6 +492,7 @@ class ProjectPolicy < BasePolicy
enable :admin_pipeline
enable :admin_environment
enable :admin_deployment
+ enable :destroy_deployment
enable :admin_pages
enable :read_pages
enable :update_pages
@@ -497,6 +520,8 @@ class ProjectPolicy < BasePolicy
enable :admin_project_google_cloud
enable :admin_secure_files
enable :read_web_hooks
+ enable :read_upload
+ enable :destroy_upload
end
rule { public_project & metrics_dashboard_allowed }.policy do
diff --git a/app/policies/system_hook_policy.rb b/app/policies/system_hook_policy.rb
new file mode 100644
index 00000000000..ec28d39a5fa
--- /dev/null
+++ b/app/policies/system_hook_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class SystemHookPolicy < ::BasePolicy
+ rule { admin }.policy do
+ enable :read_web_hook
+ enable :destroy_web_hook
+ end
+end
diff --git a/app/policies/time_tracking/timelog_category_policy.rb b/app/policies/time_tracking/timelog_category_policy.rb
new file mode 100644
index 00000000000..89161cdacfb
--- /dev/null
+++ b/app/policies/time_tracking/timelog_category_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module TimeTracking
+ class TimelogCategoryPolicy < BasePolicy
+ delegate { @subject.namespace }
+ end
+end
diff --git a/app/policies/upload_policy.rb b/app/policies/upload_policy.rb
new file mode 100644
index 00000000000..c7fde5d9df4
--- /dev/null
+++ b/app/policies/upload_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class UploadPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.model }
+end
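Review bot: `delegate { @subject.model }` has no comment saying that an upload's abilities come entirely from the policy of whatever record owns it. In this commit only GroupPolicy and ProjectPolicy enable `read_upload` and `destroy_upload`, so from the visible code uploads owned by any other model type get neither ability. That is the safe default, but it is easy to miss when a new upload owner is added. I would add `# Abilities come from the owning model's policy; models that do not enable :read_upload / :destroy_upload deny by default.` and a spec for an upload whose `model` is nil. TimelogCategoryPolicy's `delegate { @subject.namespace }` follows the same pattern and would benefit from the same comment.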
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index 2f3561f1135..1ccc152bc6b 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -3,9 +3,12 @@
class WorkItemPolicy < IssuePolicy
condition(:is_member_and_author) { is_project_member? & is_author? }
+ rule { can?(:admin_issue) }.enable :admin_work_item
+
rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item
rule { can?(:update_issue) }.enable :update_work_item
+ rule { can?(:set_issue_metadata) }.enable :set_work_item_metadata
rule { can?(:read_issue) }.enable :read_work_item
# because IssuePolicy delegates to ProjectPolicy and