author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-18 12:45:46 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-02-18 12:45:46 +0300 |
commit | a7b3560714b4d9cc4ab32dffcd1f74a284b93580 (patch) | |
tree | 7452bd5c3545c2fa67a28aa013835fb4fa071baf /app/policies | |
parent | ee9173579ae56a3dbfe5afe9f9410c65bb327ca7 (diff) |
Add latest changes from gitlab-org/gitlab@14-8-stable-ee (v14.8.0-rc42)
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/ci/project_pipelines_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/ci/runner_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/work_item_policy.rb | 12 |
6 files changed, 32 insertions, 4 deletions
diff --git a/app/policies/ci/project_pipelines_policy.rb b/app/policies/ci/project_pipelines_policy.rb new file mode 100644 index 00000000000..aab1208a8fe --- /dev/null +++ b/app/policies/ci/project_pipelines_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module Ci + class ProjectPipelinesPolicy < BasePolicy + delegate { @subject.project } + end +end diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb index 43478cf36c2..bdbe7021276 100644 --- a/app/policies/ci/runner_policy.rb +++ b/app/policies/ci/runner_policy.rb @@ -11,6 +11,10 @@ module Ci rule { anonymous }.prevent_all + rule { admin }.policy do + enable :read_builds + end + rule { admin | owned_runner }.policy do enable :assign_runner enable :read_runner diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index fee47fe0ae9..76e5b3ece53 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -100,6 +100,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group enable :upload_file enable :guest_access + enable :read_release end rule { admin }.policy do @@ -144,6 +145,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :developer_access enable :admin_crm_organization enable :admin_crm_contact + enable :read_cluster end rule { reporter }.policy do @@ -166,7 +168,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :create_projects enable :admin_pipeline enable :admin_build - enable :read_cluster enable :add_cluster enable :create_cluster enable :update_cluster diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb index d9ea7c38f11..e85f18f2d37 100644 --- a/app/policies/note_policy.rb +++ b/app/policies/note_policy.rb 
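Review bot: The new `Ci::ProjectPipelinesPolicy` has no comment saying what its subject is or that it defines no rules of its own. Because the only statement is `delegate { @subject.project }`, every ability checked against this subject is answered by the project's policy, which a reader should not have to work out. I would add a line above the class such as `# Abilities on this subject are answered entirely by the policy of @subject.project.`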
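Review bot: The added rule in ci/runner_policy.rb gives `:read_builds` to `admin` only, while the rule directly below gives `:read_runner` to `admin | owned_runner`, and nothing explains the difference. A short comment above the rule, for example `# Listing a runner's builds is limited to admins; runner owners only get the runner abilities below`, would keep a later edit from merging the two rules by accident. Since it enables a single ability, the one-line form `rule { admin }.enable :read_builds` would also match the style this commit uses for `:update_work_item` in project_policy.rb. The class body continues outside the hunk.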
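Review bot: In group_policy.rb, `enable :read_cluster` moves out of the block that also enables `:add_cluster`, `:create_cluster` and `:update_cluster` and into the block that enables `:developer_access`, which widens who can read cluster records. The same move appears in the @@ -385 and @@ -433 hunks of project_policy.rb. The rule headers are outside the hunks, so the exact roles are inferred from the neighbouring abilities. Before merging I would confirm that nothing guarded only by `:read_cluster` (controllers, serializers, API fields) returns cluster credentials or tokens, and add a policy spec asserting that the lower role gets `:read_cluster` but not `:update_cluster`. A comment next to the moved line, such as `# read-only cluster access; management abilities stay with the higher role below`, would record the intent.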
@@ -16,7 +16,7 @@ class NotePolicy < BasePolicy condition(:for_design) { @subject.for_design? } - condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) } + condition(:is_visible) { @subject.system_note_visible_for?(@user) } condition(:confidential, scope: :subject) { @subject.confidential? } diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 55f43cd9f7b..4cc5ed06d61 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -240,6 +240,7 @@ class ProjectPolicy < BasePolicy enable :read_wiki enable :read_issue enable :read_label + enable :read_planning_hierarchy enable :read_milestone enable :read_snippet enable :read_project_member @@ -258,11 +259,13 @@ class ProjectPolicy < BasePolicy rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident - rule { can?(:guest_access) & can?(:create_issue) }.policy do + rule { can?(:create_issue) }.policy do enable :create_task enable :create_work_item end + rule { can?(:update_issue) }.enable :update_work_item + # These abilities are not allowed to admins that are not members of the project, # that's why they are defined separately. rule { guest & can?(:download_code) }.enable :build_download_code @@ -385,6 +388,7 @@ class ProjectPolicy < BasePolicy enable :destroy_environment enable :create_deployment enable :update_deployment + enable :read_cluster enable :create_release enable :update_release enable :destroy_release @@ -433,7 +437,6 @@ class ProjectPolicy < BasePolicy enable :read_pages enable :update_pages enable :remove_pages - enable :read_cluster enable :add_cluster enable :create_cluster enable :update_cluster @@ -572,6 +575,7 @@ class ProjectPolicy < BasePolicy enable :read_issue_board_list enable :read_wiki enable :read_label + enable :read_planning_hierarchy enable :read_milestone enable :read_snippet enable :read_project_member 
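Review bot: In the @@ -258 hunk of project_policy.rb, dropping `can?(:guest_access)` makes `:create_task` and `:create_work_item` follow `:create_issue` with no membership condition. Any rule elsewhere in the policy that grants `:create_issue` without guest access now grants both abilities as well. If that is intended, state it next to the rule, for example `# Tasks and work items can be created by anyone who is allowed to create issues`, and add a spec for a user who has `:create_issue` but not `:guest_access`. The added `rule { can?(:update_issue) }.enable :update_work_item` has the same shape and would benefit from the same spec coverage.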
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb new file mode 100644 index 00000000000..7ba5102a406 --- /dev/null +++ b/app/policies/work_item_policy.rb @@ -0,0 +1,12 @@ +# frozen_string_literal: true + +class WorkItemPolicy < BasePolicy + delegate { @subject.project } + + desc 'User is author of the work item' + condition(:author) do + @user && @user == @subject.author + end + + rule { can?(:owner_access) | author }.enable :delete_work_item +end |
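Review bot: In work_item_policy.rb, `rule { can?(:owner_access) | author }.enable :delete_work_item` lets the author delete with no further condition. An author who has since lost access to the project would presumably keep the ability, unless a prevent rule outside this diff applies. Consider tying the author branch to current access, for example `rule { can?(:owner_access) | (author & can?(:read_issue)) }.enable :delete_work_item`. `:read_issue` is only the nearest read ability visible in this commit, so use whichever ability actually gates reading a work item. Separately, the policy delegates to the project alone, so any per-item restriction work items may carry (confidentiality, for instance, which is not visible here) is not consulted for `:update_work_item` or `:delete_work_item`.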