author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-04 00:08:05 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-04 00:08:05 +0300 |
commit | 2eff77c2efe8ad71796561cae3bcd993b9065721 (patch) | |
tree | 964b2537abbfa9b8c5290ca82327003be52417e3 /app/policies | |
parent | 8f9307985ea047abb5b8a7c6c56bb644e0b7c363 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/global_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 10 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 11 |
3 files changed, 30 insertions, 0 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index fa7b117f3cd..d028738ccc9 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,6 +22,10 @@ class GlobalPolicy < BasePolicy
 condition(:project_bot, scope: :user) { @user&.project_bot? }
 condition(:migration_bot, scope: :user) { @user&.migration_bot? }
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
 rule { anonymous }.policy do
 prevent :log_in
 prevent :receive_notifications
@@ -115,6 +119,11 @@ class GlobalPolicy < BasePolicy
 enable :approve_user
 enable :reject_user
 enable :read_usage_trends_measurement
+ enable :create_instance_runners
+ end
+
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_instance_runners
 end
 # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 1dae2682772..abb3616c58f 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -84,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_scope :subject
 condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
 condition(:group_runner_registration_allowed, scope: :subject) do
 Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
 end
@@ -200,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_group_runners
 enable :admin_group_runners
 enable :register_group_runners
+ enable :create_group_runners
 enable :set_note_created_at
 enable :set_emails_disabled
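Review bot: The new `create_runner_workflow_enabled` condition in the first global_policy.rb hunk is declared without a `scope:`, although its block reads neither `@user` nor `@subject`. Declaring it as `condition(:create_runner_workflow_enabled, scope: :global) do` should let DeclarativePolicy cache the flag lookup once rather than once per user/subject pair. The same three-line block is repeated verbatim in group_policy.rb and project_policy.rb, so the flag name now lives in three places that must be changed together when the flag is renamed or removed. A single shared definition would avoid that, provided these policies have a common ancestor, which is not visible here.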
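Review bot: The `rule { ~create_runner_workflow_enabled }` block added in the second global_policy.rb hunk has no comment marking it as a temporary feature-flag gate, yet it is the only thing that keeps `:create_instance_runners` denied while the flag is off. Because a `prevent` overrides every `enable`, the rule fails closed, which is the right default for an instance-wide runner ability. I would add `# Temporary gate for the :create_runner_workflow feature flag; delete this rule together with the flag.` above it, and the same above the matching rules at the end of group_policy.rb and project_policy.rb. The rule that receives `enable :create_instance_runners` opens outside the hunk, so which role gets the ability cannot be confirmed from here.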
@@ -308,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { ~admin & ~group_runner_registration_allowed }.policy do
 prevent :register_group_runners
+ prevent :create_group_runners
 end
 rule { migration_bot }.policy do
@@ -319,6 +325,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_observability
 end
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_group_runners
+ end
+
 def access_level(for_any_session: false)
 return GroupMember::NO_ACCESS if @user.nil?
 return GroupMember::NO_ACCESS unless user_is_user?
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 4b9e999231e..d198b3bed72 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -234,6 +234,10 @@ class ProjectPolicy < BasePolicy
 Gitlab.config.packages.enabled
 end
+ condition(:create_runner_workflow_enabled) do
+ Feature.enabled?(:create_runner_workflow)
+ end
+
 # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
 # not.
 rule { guest | admin }.enable :read_project_for_iids
@@ -272,6 +276,7 @@ class ProjectPolicy < BasePolicy
 enable :set_warn_about_potentially_unwanted_characters
 enable :register_project_runners
+ enable :create_project_runners
 enable :manage_owners
 end
@@ -522,6 +527,7 @@ class ProjectPolicy < BasePolicy
 enable :destroy_freeze_period
 enable :admin_feature_flags_client
 enable :register_project_runners
+ enable :create_project_runners
 enable :update_runners_registration_token
 enable :admin_project_google_cloud
 enable :admin_secure_files
@@ -826,6 +832,7 @@ class ProjectPolicy < BasePolicy
 rule { ~admin & ~project_runner_registration_allowed }.policy do
 prevent :register_project_runners
+ prevent :create_project_runners
 end
 rule { can?(:admin_project_member) }.policy do
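Review bot: Adding `prevent :create_group_runners` under `rule { ~admin & ~group_runner_registration_allowed }` makes the runner-registration setting also switch off runner creation, and nothing in the hunk says this coupling is intended. The condition's name and the `valid_runner_registrars` lookup shown earlier in this file both refer to registration only. A comment such as `# Disabling runner registration also blocks creating runners through the new workflow; admins are exempt.` would make the rule's reach clear to anyone auditing it. The `~admin` term means administrators keep the ability even where registration is disabled for the group, which is worth stating rather than leaving implicit. The fourth project_policy.rb hunk makes the same change with `project_runner_registration_allowed`.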
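Review bot: `enable :create_project_runners` is added in two separate rule blocks, in the second and third project_policy.rb hunks, and both blocks open outside their hunks, so the roles that receive the ability cannot be read from the diff. If one of those roles already implies the other, the second `enable` is redundant. Otherwise a one-line comment at each site naming the role would help reviewers, since a project runner executes that project's CI jobs. The lines mirror the existing `enable :register_project_runners` entries, so they are consistent with the file. The same applies to `enable :create_group_runners` in the second group_policy.rb hunk.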
@@ -850,6 +857,10 @@ class ProjectPolicy < BasePolicy
 enable :read_code
 end
+ rule { ~create_runner_workflow_enabled }.policy do
+ prevent :create_project_runners
+ end
+
 private
 def user_is_user? |