author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-20 02:18:09 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-09-20 02:18:09 +0300 |
commit | 6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde (patch) | |
tree | dc4d20fe6064752c0bd323187252c77e0a89144b /app/policies | |
parent | 9868dae7fc0655bd7ce4a6887d4e6d487690eeed (diff) |
Add latest changes from gitlab-org/gitlab@15-4-stable-eev15.4.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/ci/build_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/ci/job_artifact_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/ci/runner_policy.rb | 52 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 22 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/packages/package_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/packages/policies/group_policy.rb | 27 | ||||
-rw-r--r-- | app/policies/packages/policies/project_policy.rb | 54 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/protected_branch_access_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/protected_branch_policy.rb | 1 |
11 files changed, 174 insertions, 17 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index f377ff85b5e..b657b569e3e 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -2,6 +2,8 @@ module Ci
class BuildPolicy < CommitStatusPolicy
+ delegate { @subject.project }
+
condition(:protected_ref) do
access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
@@ -25,6 +27,10 @@ module Ci
false
end
+ condition(:prevent_rollback) do
+ @subject.prevent_rollback_deployment?
+ end
+
condition(:owner_of_job) do
@subject.triggered_by?(@user)
end
@@ -71,7 +77,7 @@ module Ci
# Authorizing the user to access to protected entities.
# There is a "jailbreak" mode to exceptionally bypass the authorization,
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
- rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
+ rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment | prevent_rollback) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
diff --git a/app/policies/ci/job_artifact_policy.rb b/app/policies/ci/job_artifact_policy.rb
new file mode 100644
index 00000000000..e25c7311565
--- /dev/null
+++ b/app/policies/ci/job_artifact_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class JobArtifactPolicy < BasePolicy
+ delegate { @subject.job.project }
+ end
+end
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 8a99f4d1a3e..a52dac446ea 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
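Review bot: `delegate { @subject.job.project }` in the new JobArtifactPolicy raises NoMethodError instead of denying if an artifact's `job` association is ever nil, whereas `Packages::PackagePolicy` in this same commit uses a safe-navigation hop (`@subject.project&.packages_policy_subject`) for the equivalent step. If an orphaned artifact is impossible at the database level this is fine; otherwise `delegate { @subject.job&.project }` keeps the policy on the deny side (a nil delegate presumably resolves to the nil policy — confirm). The file also has no comment saying that the policy defines no abilities of its own; `# No abilities of its own: every check on a job artifact is delegated to the owning project's policy.` above the `delegate` line would make that explicit.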
@@ -9,19 +9,65 @@ module Ci
@user.owns_runner?(@subject)
end
- condition(:belongs_to_multiple_projects) do
+ with_options scope: :subject, score: 0
+ condition(:is_instance_runner) do
+ @subject.instance_type?
+ end
+
+ with_options scope: :subject, score: 0
+ condition(:is_group_runner) do
+ @subject.group_type?
+ end
+
+ with_options scope: :user, score: 5
+ condition(:any_developer_groups_inheriting_shared_runners) do
+ @user.developer_groups.with_shared_runners_enabled.any?
+ end
+
+ with_options scope: :user, score: 5
+ condition(:any_developer_projects_inheriting_shared_runners) do
+ @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+ end
+
+ with_options score: 10
+ condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
+ # Check if any projects where user is a developer are inheriting group runners
+ @subject.groups&.any? do |group|
+ group.all_projects
+ .with_group_runners_enabled
+ .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+ .exists?
+ end
+ end
+
+ condition(:belongs_to_multiple_projects, scope: :subject) do
@subject.belongs_to_more_than_one_project?
end
rule { anonymous }.prevent_all
- rule { admin }.policy do
+ rule { admin | owned_runner }.policy do
enable :read_builds
end
rule { admin | owned_runner }.policy do
- enable :assign_runner
enable :read_runner
+ end
+
+ rule { is_instance_runner & any_developer_groups_inheriting_shared_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { is_group_runner & any_associated_projects_in_group_runner_inheriting_group_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { admin | owned_runner }.policy do
+ enable :assign_runner
enable :update_runner
enable :delete_runner
end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 44393539327..96da0518dc0 100644
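Review bot: `rule { admin | owned_runner }` at the top of the hunk widens `read_builds` from admins to anyone for whom `owns_runner?` holds, and for a project runner assigned to several projects (the case the retained `belongs_to_multiple_projects` condition exists for) that presumably includes maintainers of only one of those projects, who would then read jobs from projects they are not members of. Unless the endpoint consuming `read_builds` filters jobs by the caller's project access, the rule should carve that case out, e.g. `rule { admin | (owned_runner & ~belongs_to_multiple_projects) }.policy do`, or the listing should be scoped to readable projects. Separately, `any_associated_projects_in_group_runner_inheriting_group_runners` issues one `exists?` query per group inside `any?`; that is bounded by the runner's group count, but a comment such as `# One query per runner group; score: 10 keeps this evaluated last` would explain the score. The class continues outside the hunk.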
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -59,6 +59,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
end
+ condition(:observability_enabled) do
+ Feature.enabled?(:observability_group_tab, @subject)
+ end
+
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
@@ -82,10 +86,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
end
- condition(:change_prevent_sharing_groups_outside_hierarchy_available) do
- change_prevent_sharing_groups_outside_hierarchy_available?
- end
-
rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
@@ -196,6 +196,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :set_note_created_at
enable :set_emails_disabled
+ enable :change_prevent_sharing_groups_outside_hierarchy
+ enable :set_show_diff_preview_in_email
enable :change_new_user_signups_cap
enable :update_default_branch_protection
enable :create_deploy_token
@@ -204,10 +206,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :owner_access
end
- rule { owner & change_prevent_sharing_groups_outside_hierarchy_available }.policy do
- enable :change_prevent_sharing_groups_outside_hierarchy
- end
-
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
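Review bot: `condition(:observability_enabled)` in the first hunk reads only `@subject` (a feature-flag check keyed on the group) but is declared without `scope: :subject`, so DeclarativePolicy evaluates and caches it per user/subject pair; the equivalent flag condition added to `packages/policies/project_policy.rb` in this commit is declared `scope: :subject`. Declaring it `condition(:observability_enabled, scope: :subject) do` matches that file and lets the result be reused across users for the same group. The rule consuming it sits in a later hunk on the next page line.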
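Review bot: removing `rule { owner & change_prevent_sharing_groups_outside_hierarchy_available }` in the last hunk, together with enabling `change_prevent_sharing_groups_outside_hierarchy` inside the unconditional owner block in the hunk above, grants the ability to every group owner with no hook left to narrow it. The CE hook returned `true`, but this file is `prepend_mod_with('GroupPolicy')`, so if the EE module overrode `change_prevent_sharing_groups_outside_hierarchy_available?` to restrict where the setting may be changed, that restriction is silently dropped unless it moved elsewhere in the same release. Worth confirming the EE side is updated in lockstep and that any remaining restriction is enforced by the setting's model or service rather than relying on this policy.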
@@ -299,6 +297,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :destroy_resource_access_tokens
end
+ rule { can?(:developer_access) & observability_enabled }.policy do
+ enable :read_observability
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
@@ -335,10 +337,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end
-
- def change_prevent_sharing_groups_outside_hierarchy_available?
- true
- end
end
GroupPolicy.prepend_mod_with('GroupPolicy')
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 3c5e1020c8a..e5913bab726 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -5,6 +5,7 @@ class IssuablePolicy < BasePolicy
condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+ condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }
desc "User is the assignee or author"
condition(:assignee_or_author) do
@@ -48,6 +49,10 @@ class IssuablePolicy < BasePolicy
rule { can?(:reporter_access) }.policy do
enable :create_timelog
end
+
+ rule { can_read_issuable }.policy do
+ enable :read_issuable
+ end
end
IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/packages/package_policy.rb b/app/policies/packages/package_policy.rb
index 8eef280c640..829d62a6430 100644
--- a/app/policies/packages/package_policy.rb
+++ b/app/policies/packages/package_policy.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
module Packages
class PackagePolicy < BasePolicy
- delegate { @subject.project }
+ delegate { @subject.project&.packages_policy_subject }
end
end
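Review bot: `condition(:can_read_issuable)` in the first issuable_policy hunk composes the ability name from `@subject.to_ability_name` at evaluation time, and `rule { can_read_issuable }` in the second hunk turns that into a generic `read_issuable`; nothing in the hunk says which concrete abilities this stands for, and `read_issuable` is exactly as strict as the forwarded `read_<type>` rule, which is defined outside this hunk. A comment above the condition would save the next reader a lookup: `# Resolves to the subject-specific read ability (read_issue, read_merge_request, ...) so callers can check a single :read_issuable.` Because this is `can?` on an interpolated symbol, it is also worth confirming that an ability name with no rules resolves to false in DeclarativePolicy rather than raising, and saying so in the same comment.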
diff --git a/app/policies/packages/policies/group_policy.rb b/app/policies/packages/policies/group_policy.rb
new file mode 100644
index 00000000000..32dbcb1b65b
--- /dev/null
+++ b/app/policies/packages/policies/group_policy.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Packages
+ module Policies
+ class GroupPolicy < BasePolicy
+ delegate(:group) { @subject.group }
+
+ overrides(:read_package)
+
+ rule { group.public_group }.policy do
+ enable :read_package
+ end
+
+ rule { group.reporter }.policy do
+ enable :read_package
+ end
+
+ rule { group.read_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { group.write_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+ end
+ end
+end
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
new file mode 100644
index 00000000000..c754d24349a
--- /dev/null
+++ b/app/policies/packages/policies/project_policy.rb
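Review bot: the new `Packages::Policies::GroupPolicy` has no header comment explaining why it exists as a separate policy subject and why it `overrides(:read_package)`; a line under the class such as `# Subject for group-level package registry access. read_package is decided here, not by the delegated GroupPolicy.` would make the intent clear. Unlike its project counterpart added in this commit, it contains no `prevent` rule, so on a public group `read_package` is granted to anonymous callers purely on `group.public_group`, independent of how the member projects have configured their package registries; presumably the group-level package finder applies the per-project restriction, but that assumption should be stated in the comment (or pinned by a spec) so the absence of a prevent rule reads as deliberate rather than as an omission.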
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Packages
+ module Policies
+ class ProjectPolicy < BasePolicy
+ delegate(:project) { @subject.project }
+
+ overrides(:read_package)
+
+ condition(:package_registry_access_level_feature_flag_enabled, scope: :subject) do
+ ::Feature.enabled?(:package_registry_access_level, @subject)
+ end
+
+ condition(:packages_enabled_for_everyone, scope: :subject) do
+ @subject.package_registry_access_level == ProjectFeature::PUBLIC
+ end
+
+ # This rule can be removed if the `package_registry_access_level` feature flag is removed.
+ # Reason: If the feature flag is globally enabled, this rule will never be executed.
+ rule { anonymous & ~project.public_project & ~package_registry_access_level_feature_flag_enabled }.prevent_all
+
+ # This rule can be removed if the `package_registry_access_level` feature flag is removed.
+ # Reason: If the feature flag is globally enabled, this rule will never be executed.
+ rule do
+ ~project.public_project & ~project.internal_access &
+ ~project.project_allowed_for_job_token & ~package_registry_access_level_feature_flag_enabled
+ end.prevent_all
+
+ rule { project.packages_disabled }.policy do
+ prevent(:read_package)
+ end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :read_package
+ end
+
+ rule { can?(:public_access) }.policy do
+ enable :read_package
+ end
+
+ rule { project.read_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { project.write_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { package_registry_access_level_feature_flag_enabled & packages_enabled_for_everyone }.policy do
+ enable :read_package
+ end
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f4f7275a78a..fb162d03955 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
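Review bot: the two comments on the `prevent_all` rules say when they can be removed but not why they are needed; since this policy `overrides(:read_package)`, the delegated ProjectPolicy's own `prevent_all` guards presumably no longer cover that ability, which is why the anonymous-on-private and job-token-outside-scope cases are restated here, and the comment should say so, e.g. `# Restates ProjectPolicy's prevent_all guards because overrides(:read_package) keeps them from applying to this ability.`. Once the flag is enabled those guards are gone and `read_package` on a private project rests solely on the enable rules below; `packages_enabled_for_everyone` is the only one that does not route through the delegated project policy, so it grants anonymous callers, and presumably job tokens from outside the project's scope, access whenever the registry is set to `ProjectFeature::PUBLIC`. That reads as the feature's intent, but a spec for the out-of-scope-job-token plus PUBLIC case would pin it.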
@@ -208,6 +208,7 @@ class ProjectPolicy < BasePolicy
metrics_dashboard
analytics
operations
+ monitor
security_and_compliance
environments
feature_flags
@@ -267,6 +268,7 @@ class ProjectPolicy < BasePolicy
enable :set_note_created_at
enable :set_emails_disabled
enable :set_show_default_award_emojis
+ enable :set_show_diff_preview_in_email
enable :set_warn_about_potentially_unwanted_characters
enable :register_project_runners
@@ -401,6 +403,12 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:release))
end
+ rule { split_operations_visibility_permissions & monitor_disabled }.policy do
+ prevent(:metrics_dashboard)
+ prevent(*create_read_update_admin_destroy(:sentry_issue))
+ prevent(*create_read_update_admin_destroy(:alert_management_alert))
+ end
+
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
enable :read_deployment
diff --git a/app/policies/protected_branch_access_policy.rb b/app/policies/protected_branch_access_policy.rb
new file mode 100644
index 00000000000..4f33af89d2a
--- /dev/null
+++ b/app/policies/protected_branch_access_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProtectedBranchAccessPolicy < BasePolicy
+ delegate { @subject.protected_branch }
+end
diff --git a/app/policies/protected_branch_policy.rb b/app/policies/protected_branch_policy.rb
index 8ad06653e5c..2be96ea7f24 100644
--- a/app/policies/protected_branch_policy.rb
+++ b/app/policies/protected_branch_policy.rb
@@ -4,6 +4,7 @@ class ProtectedBranchPolicy < BasePolicy
delegate { @subject.project }
rule { can?(:admin_project) }.policy do
+ enable :read_protected_branch
enable :create_protected_branch
enable :update_protected_branch
enable :destroy_protected_branch |