author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-05-19 18:44:42 +0300 |
commit | 4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch) | |
tree | 5423a1c7516cffe36384133ade12572cf709398d /app/policies | |
parent | e570267f2f6b326480d284e0164a6464ba4081bc (diff) |
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'app/policies')
24 files changed, 56 insertions, 29 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb index 1c19751cf0d..0f7a6b852ab 100644 --- a/app/policies/base_policy.rb +++ b/app/policies/base_policy.rb @@ -1,7 +1,5 @@ # frozen_string_literal: true -require_dependency 'declarative_policy' - class BasePolicy < DeclarativePolicy::Base desc "User is an instance admin" with_options scope: :user, score: 0 @@ -68,4 +66,4 @@ class BasePolicy < DeclarativePolicy::Base condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? } end -BasePolicy.prepend_if_ee('EE::BasePolicy') +BasePolicy.prepend_mod_with('BasePolicy') diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 65f2a70672b..6162a31c118 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -21,7 +21,7 @@ module Ci end # overridden in EE - condition(:protected_environment_access) do + condition(:protected_environment) do false end @@ -68,7 +68,10 @@ module Ci rule { project_read_build }.enable :read_build_trace rule { debug_mode & ~project_update_build }.prevent :read_build_trace - rule { ~protected_environment_access & (protected_ref | archived) }.policy do + # Authorizing the user to access to protected entities. + # There is a "jailbreak" mode to exceptionally bypass the authorization, + # however, you should NEVER allow it, rather suspect it's a wrong feature/product design. + rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do prevent :update_build prevent :update_commit_status prevent :erase_build @@ -108,4 +111,4 @@ module Ci end end -Ci::BuildPolicy.prepend_if_ee('EE::Ci::BuildPolicy') +Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy') diff --git a/app/policies/ci/stage_policy.rb b/app/policies/ci/stage_policy.rb new file mode 100644 index 00000000000..1e774df9f58 --- /dev/null +++ b/app/policies/ci/stage_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module Ci + class StagePolicy < BasePolicy + delegate :pipeline + end +end 
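Review bot: Renaming the condition to `protected_environment` in `Ci::BuildPolicy` also flips what a true value means: the old `protected_environment_access` was negated in the rule as a reason to allow, while the new name is OR-ed with `archived | protected_ref` as a reason to deny. The `# overridden in EE` comment above it is unchanged, and the override itself is not visible in this diff (limited to app/policies), so it is worth confirming that it was inverted in the same commit; an override still returning the old "access granted" value would restrict the wrong set of users. I would extend the comment to state the contract, e.g. `# overridden in EE: returns true when the build must be restricted, not when access is granted`.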
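Review bot: The rewritten rule in `Ci::BuildPolicy` makes `:jailbreak` a single ability that switches off every prevent in this block for archived builds, protected refs and protected environments, and nothing in the visible hunks says which policy is allowed to enable it. Since `can?` is satisfied by any rule that enables the ability (as far as I know, including rules reached through delegation), a stray `enable :jailbreak` elsewhere would silently lift all of these restrictions. I would name the only intended enabler in the comment and add a policy spec asserting that `:jailbreak` is disallowed by default for every role. The comment's first line also reads better as `# Authorizes the user to access protected entities.` The `policy do` block continues past the end of the hunk.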
diff --git a/app/policies/clusters/instance_policy.rb b/app/policies/clusters/instance_policy.rb index d8e8f9ff2c1..3c5ca4bf4e1 100644 --- a/app/policies/clusters/instance_policy.rb +++ b/app/policies/clusters/instance_policy.rb @@ -13,4 +13,4 @@ module Clusters end end -Clusters::InstancePolicy.prepend_if_ee('EE::Clusters::InstancePolicy') +Clusters::InstancePolicy.prepend_mod_with('Clusters::InstancePolicy') diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb index 75849fb10c8..cd19b46ad6c 100644 --- a/app/policies/concerns/policy_actor.rb +++ b/app/policies/concerns/policy_actor.rb @@ -82,4 +82,4 @@ module PolicyActor end end -PolicyActor.prepend_if_ee('EE::PolicyActor') +PolicyActor.prepend_mod_with('PolicyActor') diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb index 0303d4cff14..300f17088b7 100644 --- a/app/policies/concerns/readonly_abilities.rb +++ b/app/policies/concerns/readonly_abilities.rb @@ -13,6 +13,7 @@ module ReadonlyAbilities create_merge_request_from create_merge_request_in award_emoji + create_incident ].freeze READONLY_FEATURES = %i[ @@ -49,4 +50,4 @@ module ReadonlyAbilities end end -ReadonlyAbilities::ClassMethods.prepend_if_ee('EE::ReadonlyAbilities::ClassMethods') +ReadonlyAbilities::ClassMethods.prepend_mod_with('ReadonlyAbilities::ClassMethods') diff --git a/app/policies/environment_policy.rb b/app/policies/environment_policy.rb index f0187a39687..e9e3517b3da 100644 --- a/app/policies/environment_policy.rb +++ b/app/policies/environment_policy.rb @@ -21,4 +21,4 @@ class EnvironmentPolicy < BasePolicy rule { ~stopped }.prevent(:destroy_environment) end -EnvironmentPolicy.prepend_if_ee('EE::EnvironmentPolicy') +EnvironmentPolicy.prepend_mod_with('EnvironmentPolicy') diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb index d16c4734b2c..85263ec7c87 100644 --- a/app/policies/global_policy.rb +++ b/app/policies/global_policy.rb 
@@ -113,4 +113,4 @@ class GlobalPolicy < BasePolicy rule { external_user }.prevent :create_snippet end -GlobalPolicy.prepend_if_ee('EE::GlobalPolicy') +GlobalPolicy.prepend_mod_with('GlobalPolicy') diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb index 8a4cae232a0..f7a7286aba7 100644 --- a/app/policies/group_member_policy.rb +++ b/app/policies/group_member_policy.rb @@ -30,4 +30,4 @@ class GroupMemberPolicy < BasePolicy end end -GroupMemberPolicy.prepend_if_ee('EE::GroupMemberPolicy') +GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy') diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index fc24525ade7..821fabec266 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -258,4 +258,4 @@ class GroupPolicy < BasePolicy end end -GroupPolicy.prepend_if_ee('EE::GroupPolicy') +GroupPolicy.prepend_mod_with('GroupPolicy') diff --git a/app/policies/identity_provider_policy.rb b/app/policies/identity_provider_policy.rb index 6d6dcaebff8..c539fc64d3f 100644 --- a/app/policies/identity_provider_policy.rb +++ b/app/policies/identity_provider_policy.rb @@ -14,4 +14,4 @@ class IdentityProviderPolicy < BasePolicy rule { protected_provider }.prevent(:unlink) end -IdentityProviderPolicy.prepend_if_ee('EE::IdentityProviderPolicy') +IdentityProviderPolicy.prepend_mod_with('IdentityProviderPolicy') diff --git a/app/policies/service_policy.rb b/app/policies/integration_policy.rb index 61aff444620..c1199d915ea 100644 --- a/app/policies/service_policy.rb +++ b/app/policies/integration_policy.rb @@ -1,5 +1,5 @@ # frozen_string_literal: true -class ServicePolicy < BasePolicy +class IntegrationPolicy < BasePolicy delegate(:project) end diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb index f49a6ee8498..61263e47d7c 100644 --- a/app/policies/issuable_policy.rb +++ b/app/policies/issuable_policy.rb 
@@ -28,4 +28,4 @@ class IssuablePolicy < BasePolicy end end -IssuablePolicy.prepend_if_ee('EE::IssuablePolicy') +IssuablePolicy.prepend_mod_with('IssuablePolicy') diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index 183f4d8f919..6eec03d6d75 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb @@ -41,4 +41,4 @@ class IssuePolicy < IssuablePolicy end end -IssuePolicy.prepend_if_ee('EE::IssuePolicy') +IssuePolicy.prepend_mod_with('IssuePolicy') diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb index e3fb54172f8..e53a916f3ca 100644 --- a/app/policies/merge_request_policy.rb +++ b/app/policies/merge_request_policy.rb @@ -29,4 +29,4 @@ class MergeRequestPolicy < IssuablePolicy end end -MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy') +MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy') diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb index 13eb4a13cac..dcbeda9f5d3 100644 --- a/app/policies/namespace_policy.rb +++ b/app/policies/namespace_policy.rb @@ -23,4 +23,4 @@ class NamespacePolicy < BasePolicy rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects end -NamespacePolicy.prepend_if_ee('EE::NamespacePolicy') +NamespacePolicy.prepend_mod_with('NamespacePolicy') diff --git a/app/policies/nil_policy.rb b/app/policies/nil_policy.rb deleted file mode 100644 index fc969f8cd05..00000000000 --- a/app/policies/nil_policy.rb +++ /dev/null @@ -1,5 +0,0 @@ -# frozen_string_literal: true - -class NilPolicy < BasePolicy - rule { default }.prevent_all -end diff --git a/app/policies/packages/maven/metadatum_policy.rb b/app/policies/packages/maven/metadatum_policy.rb new file mode 100644 index 00000000000..5dc90209321 --- /dev/null +++ b/app/policies/packages/maven/metadatum_policy.rb 
@@ -0,0 +1,8 @@ +# frozen_string_literal: true +module Packages + module Maven + class MetadatumPolicy < BasePolicy + delegate { @subject.package } + end + end +end diff --git a/app/policies/packages/nuget/metadatum_policy.rb b/app/policies/packages/nuget/metadatum_policy.rb new file mode 100644 index 00000000000..cdf1283c11a --- /dev/null +++ b/app/policies/packages/nuget/metadatum_policy.rb @@ -0,0 +1,8 @@ +# frozen_string_literal: true +module Packages + module Nuget + class MetadatumPolicy < BasePolicy + delegate { @subject.package } + end + end +end diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb index ca33b95e523..91f1eb35506 100644 --- a/app/policies/project_member_policy.rb +++ b/app/policies/project_member_policy.rb @@ -8,7 +8,11 @@ class ProjectMemberPolicy < BasePolicy condition(:project_bot) { @subject.user&.project_bot? } rule { anonymous }.prevent_all - rule { target_is_owner }.prevent_all + + rule { target_is_owner }.policy do + prevent :update_project_member + prevent :destroy_project_member + end rule { ~project_bot & can?(:admin_project_member) }.policy do enable :update_project_member diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index c577c8c8471..1ce19511bef 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -171,6 +171,7 @@ class ProjectPolicy < BasePolicy rule { guest | admin }.enable :read_project_for_iids rule { admin }.enable :update_max_artifacts_size + rule { admin }.enable :read_storage_disk_path rule { can?(:read_all_resources) }.enable :read_confidential_issues rule { guest }.enable :guest_access 
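Review bot: `Packages::Maven::MetadatumPolicy` delegates every decision to `@subject.package` and defines no rule of its own, so the outcome for a metadatum whose `package` is nil depends entirely on how the policy framework treats a nil delegate; with `NilPolicy` deleted from app/policies in this same commit, that fallback is no longer visible here. A spec covering a metadatum without a package would pin the deny-by-default behaviour. The same applies to `Packages::Nuget::MetadatumPolicy` in the next hunk. Both files also omit the blank line after `# frozen_string_literal: true` that `ci/stage_policy.rb` in this commit has.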
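Review bot: Replacing `rule { target_is_owner }.prevent_all` in ProjectMemberPolicy with two explicit prevents turns a deny-everything rule into a denylist, so any other ability this policy enables, now or later, will apply to an owner's membership unless someone remembers to add it here. The hunk gives no reason for the relaxation; a comment such as `# Owner memberships stay visible; only update and destroy are blocked` (wording to be confirmed against the intent) would make the choice reviewable. A spec listing the abilities expected to remain allowed when the target is the owner would catch accidental widening. The following `rule { ~project_bot & can?(:admin_project_member) }` block continues outside the hunk.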
@@ -226,6 +227,8 @@ class ProjectPolicy < BasePolicy enable :read_insights end + rule { can?(:guest_access) & can?(:create_issue) }.enable :create_incident + # These abilities are not allowed to admins that are not members of the project, # that's why they are defined separately. rule { guest & can?(:download_code) }.enable :build_download_code @@ -745,4 +748,4 @@ class ProjectPolicy < BasePolicy end end -ProjectPolicy.prepend_if_ee('EE::ProjectPolicy') +ProjectPolicy.prepend_mod_with('ProjectPolicy') diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb index 869f4716298..b8f0be9b4c5 100644 --- a/app/policies/project_snippet_policy.rb +++ b/app/policies/project_snippet_policy.rb @@ -51,4 +51,4 @@ class ProjectSnippetPolicy < BasePolicy rule { ~can?(:read_snippet) }.prevent :create_note end -ProjectSnippetPolicy.prepend_if_ee('EE::ProjectSnippetPolicy') +ProjectSnippetPolicy.prepend_mod_with('ProjectSnippetPolicy') diff --git a/app/policies/protected_branch_policy.rb b/app/policies/protected_branch_policy.rb index 1a5c6528b82..8ad06653e5c 100644 --- a/app/policies/protected_branch_policy.rb +++ b/app/policies/protected_branch_policy.rb @@ -10,4 +10,4 @@ class ProtectedBranchPolicy < BasePolicy end end -ProtectedBranchPolicy.prepend_if_ee('EE::ProtectedBranchPolicy') +ProtectedBranchPolicy.prepend_mod_with('ProtectedBranchPolicy') diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 48c2bd3f0bd..067f0f6a9d2 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb @@ -33,4 +33,4 @@ class UserPolicy < BasePolicy rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token end -UserPolicy.prepend_if_ee('EE::UserPolicy') +UserPolicy.prepend_mod_with('UserPolicy') |
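Review bot: The new `create_incident` rule in ProjectPolicy carries no comment saying why `can?(:guest_access)` is required on top of `can?(:create_issue)`, so a reader cannot tell which callers the extra condition is meant to exclude. I would add a line such as `# Incidents are created like issues, but only by users with at least guest-level access` if that is the intent. The matching `create_incident` entry added to the list in concerns/readonly_abilities.rb in this commit suggests the ability is meant to be blocked on read-only projects; a policy spec for that case would confirm the two changes stay in sync.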