author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 13:34:06 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 13:34:06 +0300 |
commit | 859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (patch) | |
tree | d7f2700abe6b4ffcb2dcfc80631b2d87d0609239 /app/policies | |
parent | 446d496a6d000c73a304be52587cd9bbc7493136 (diff) |
Add latest changes from gitlab-org/gitlab@13-9-stable-ee v13.9.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/application_setting_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/event_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 17 |
3 files changed, 28 insertions, 3 deletions
diff --git a/app/policies/application_setting_policy.rb b/app/policies/application_setting_policy.rb
new file mode 100644
index 00000000000..114c71fd99d
--- /dev/null
+++ b/app/policies/application_setting_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ApplicationSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ rule { admin }.enable :read_application_setting
+end
diff --git a/app/policies/event_policy.rb b/app/policies/event_policy.rb
new file mode 100644
index 00000000000..5587956855e
--- /dev/null
+++ b/app/policies/event_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class EventPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ condition(:visible_to_user) do
+ subject.visible_to_user?(user)
+ end
+
+ rule { visible_to_user }.enable :read_event
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6135523a2f8..aaf985d6c63 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -30,6 +30,9 @@ class ProjectPolicy < BasePolicy desc "User has maintainer access" condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER } + desc "User is a project bot" + condition(:project_bot) { user.project_bot? && team_member? } + desc "Project is public" condition(:public_project, scope: :subject, score: 0) { project.public? }
@@ -79,7 +82,7 @@ class ProjectPolicy < BasePolicy with_scope :subject condition(:metrics_dashboard_allowed) do - feature_available?(:metrics_dashboard) + access_allowed_to?(:metrics_dashboard) end with_scope :global
@@ -158,7 +161,7 @@ class ProjectPolicy < BasePolicy features.each do |f| # these are scored high because they are unlikely desc "Project has #{f} disabled" - condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) } + condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) } end # `:read_project` may be prevented in EE, but `:read_project_for_iids` should 
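Review bot: In app/policies/event_policy.rb the `visible_to_user` condition hands `user` straight to `subject.visible_to_user?`, and `:read_event` is granted on that result alone, so the whole authorization decision lives in a method this diff does not show. `user` is presumably nil for unauthenticated requests; it is worth confirming that `visible_to_user?` returns false rather than raising in that case. A `desc "Event is visible to the user"` line above the condition would match how ProjectPolicy documents its conditions.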
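Review bot: In app/policies/project_policy.rb (hunk at -30,6) the new `project_bot` condition calls `user.project_bot?` without a nil guard. If this condition can be evaluated for an anonymous request, where `user` would presumably be nil, it raises NoMethodError instead of evaluating to false; `condition(:project_bot) { user&.project_bot? && team_member? }` avoids that. The later hunk at -621,10 builds `:project_bot_access` and a `prevent` on this condition, so an exception here would surface on that ability check.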
@@ -583,6 +586,10 @@ class ProjectPolicy < BasePolicy enable :read_issue_link end + rule { can?(:developer_access) }.policy do + enable :read_security_configuration + end + # Design abilities could also be prevented in the issue policy. rule { design_management_disabled }.policy do prevent :read_design
@@ -621,10 +628,14 @@ class ProjectPolicy < BasePolicy prevent :read_project end + rule { project_bot }.enable :project_bot_access + rule { resource_access_token_available & can?(:admin_project) }.policy do enable :admin_resource_access_tokens end + rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens + rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do enable :set_pipeline_variables end
@@ -690,7 +701,7 @@ class ProjectPolicy < BasePolicy project.team.max_member_access(@user.id) end - def feature_available?(feature) + def access_allowed_to?(feature) return false unless project.project_feature case project.project_feature.access_level(feature) |
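Review bot: The rule added in the hunk at -583,6 enables a single ability, so the block form is heavier than needed; `rule { can?(:developer_access) }.enable :read_security_configuration` reads the same as the one-line `rule { project_bot }.enable :project_bot_access` added further down. If a `can?(:developer_access)` policy block already exists elsewhere in the file (not visible here), the ability could go there instead.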
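Review bot: The `prevent :admin_resource_access_tokens` rule in the hunk at -621,10 has no comment saying why project bots are excluded, and it is the security-relevant line of this change. A comment such as `# A project bot must not manage the access tokens of the project it belongs to, even with admin_project` would record the intent. Because `project_bot` also requires `team_member?`, the prevent only applies to bots that are members of this project; it is worth confirming (outside this diff) that a bot cannot obtain `:admin_project` without being a team member, and that a policy spec covers both the enable and the prevent.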