
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-02-04 00:08:05 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-02-04 00:08:05 +0300
commit2eff77c2efe8ad71796561cae3bcd993b9065721 (patch)
tree964b2537abbfa9b8c5290ca82327003be52417e3 /app/policies
parent8f9307985ea047abb5b8a7c6c56bb644e0b7c363 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/global_policy.rb9
-rw-r--r--app/policies/group_policy.rb10
-rw-r--r--app/policies/project_policy.rb11
3 files changed, 30 insertions, 0 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index fa7b117f3cd..d028738ccc9 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,6 +22,10 @@ class GlobalPolicy < BasePolicy
condition(:project_bot, scope: :user) { @user&.project_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
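Review bot: The `create_runner_workflow_enabled` condition added at the top of this hunk reads only the feature flag, with no reference to `@user` or `@subject`, yet it is declared without a scope, unlike the `scope: :user` conditions right above it. Declaring it as `condition(:create_runner_workflow_enabled, scope: :global) do` would state that independence and let the result be cached once rather than per user/subject pair. The identical block is repeated in the first hunks of group_policy.rb and project_policy.rb. Since GlobalPolicy and ProjectPolicy both inherit from BasePolicy, a single definition there may be enough, though GroupPolicy's ancestry is not visible here.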
@@ -115,6 +119,11 @@ class GlobalPolicy < BasePolicy
enable :approve_user
enable :reject_user
enable :read_usage_trends_measurement
+ enable :create_instance_runners
+ end
+
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_instance_runners
end
# We can't use `read_statistics` because the user may have different permissions for different projects
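Review bot: The `rule { ~create_runner_workflow_enabled }` block at the end of this hunk has no comment saying it is a feature-flag gate, and because a `prevent` overrides every `enable`, it takes `:create_instance_runners` away from administrators as well while the flag is off. A comment above it such as `# Remove with the create_runner_workflow feature flag; prevent overrides the enable above, including for admins` would make that explicit. The same applies to the matching rules in the last hunks of group_policy.rb and project_policy.rb. The rule that receives `enable :create_instance_runners` starts outside the hunk, so who is granted the ability cannot be confirmed from here.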
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 1dae2682772..abb3616c58f 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -84,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
condition(:group_runner_registration_allowed, scope: :subject) do
Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
end
@@ -200,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_runners
enable :admin_group_runners
enable :register_group_runners
+ enable :create_group_runners
enable :set_note_created_at
enable :set_emails_disabled
@@ -308,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { ~admin & ~group_runner_registration_allowed }.policy do
prevent :register_group_runners
+ prevent :create_group_runners
end
rule { migration_bot }.policy do
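Review bot: `prevent :create_group_runners` now rides on `~admin & ~group_runner_registration_allowed`, a condition named for and computed from the registration settings (`valid_runner_registrars` and `runner_registration_enabled?`), and nothing here says that the new creation ability is meant to follow the same switch. A comment above the rule, e.g. `# Disabling group runner registration also blocks creating group runners, except for admins`, would record that the coupling and the admin exemption are intentional. The project_policy.rb hunk at `~admin & ~project_runner_registration_allowed` has the same gap.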
@@ -319,6 +325,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_observability
end
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_group_runners
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 4b9e999231e..d198b3bed72 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -234,6 +234,10 @@ class ProjectPolicy < BasePolicy
Gitlab.config.packages.enabled
end
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
# not.
rule { guest | admin }.enable :read_project_for_iids
@@ -272,6 +276,7 @@ class ProjectPolicy < BasePolicy
enable :set_warn_about_potentially_unwanted_characters
enable :register_project_runners
+ enable :create_project_runners
enable :manage_owners
end
@@ -522,6 +527,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period
enable :admin_feature_flags_client
enable :register_project_runners
+ enable :create_project_runners
enable :update_runners_registration_token
enable :admin_project_google_cloud
enable :admin_secure_files
@@ -826,6 +832,7 @@ class ProjectPolicy < BasePolicy
rule { ~admin & ~project_runner_registration_allowed }.policy do
prevent :register_project_runners
+ prevent :create_project_runners
end
rule { can?(:admin_project_member) }.policy do
@@ -850,6 +857,10 @@ class ProjectPolicy < BasePolicy
enable :read_code
end
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_project_runners
+ end
+
private
def user_is_user?