author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-10 06:07:25 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-10 06:07:25 +0300 |
commit | 4a6dacc8662ed65c0b83a3715e4eb05a78168db1 (patch) | |
tree | 04aced9d7d60c1213db9d5152158afe02126599f /app/policies | |
parent | 070ac34d473978dc27ea2878ed1cf17865e24e9a (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/group_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 14 |
2 files changed, 20 insertions, 3 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 858c145de3f..8eea995529c 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -273,6 +273,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
 enable :read_resource_access_tokens
 enable :destroy_resource_access_tokens
+ end
+
+ rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do
 enable :admin_setting_to_allow_project_access_token_creation
 end
@@ -338,12 +341,16 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 true
 end
+ def resource_access_token_create_feature_available?
+ true
+ end
+
 def can_read_group_member?
 !(@subject.private? && access_level == GroupMember::NO_ACCESS)
 end
 def resource_access_token_creation_allowed?
- resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
 end
 def valid_dependency_proxy_deploy_token
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7f67e80e432..b85a57f81cd 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -157,7 +157,9 @@ class ProjectPolicy < BasePolicy
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }
 with_scope :subject
- condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_feature_available) do
+ resource_access_token_feature_available?
+ end
 condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
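Review bot: In the first GroupPolicy hunk, `admin_setting_to_allow_project_access_token_creation` is now enabled only when `resource_access_token_creation_allowed` holds, and the second hunk shows the predicate of that name reading `namespace_settings.resource_access_token_creation_allowed?` on the root ancestor. If the condition is backed by that predicate (its `condition` definition is outside the hunk), a group admin who switches the setting off also loses the ability that governs the setting, so the change could not be undone through this permission. Gating the rule on the feature check alone would avoid the circular dependency, for example `rule { can?(:admin_group) & resource_access_token_create_feature_available }.policy do` with a matching `condition`. A policy spec for the setting-disabled case would pin whichever behaviour is intended.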
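Review bot: `resource_access_token_create_feature_available?` returns a constant `true` with no comment, and `resource_access_token_creation_allowed?` now consults it instead of `resource_access_token_feature_available?`. Any override of the older predicate that returns false (presumably a licence or tier check defined elsewhere) no longer restricts token creation unless the new method is overridden as well, so the default fails open. A comment such as `# Always true here; override wherever token creation must be gated separately from read/destroy` would state the intent, and a spec should cover the case where the two predicates disagree. The same pair of changes appears in the last hunk of project_policy.rb, and the class body continues outside both hunks.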
@@ -308,6 +310,8 @@ class ProjectPolicy < BasePolicy
 rule { guest & can?(:download_code) }.enable :build_download_code
 rule { guest & can?(:read_container_image) }.enable :build_read_container_image
+ rule { guest & ~public_project }.enable :read_grafana
+
 rule { can?(:reporter_access) }.policy do
 enable :admin_issue_board
 enable :download_code
@@ -340,6 +344,7 @@ class ProjectPolicy < BasePolicy
 enable :read_package
 enable :read_product_analytics
 enable :read_ci_cd_analytics
+ enable :read_grafana
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -521,6 +526,7 @@ class ProjectPolicy < BasePolicy
 enable :read_upload
 enable :destroy_upload
 enable :admin_incident_management_timeline_event_tag
+ enable :stop_environment
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
@@ -919,12 +925,16 @@ class ProjectPolicy < BasePolicy
 true
 end
+ def resource_access_token_create_feature_available?
+ true
+ end
+
 def resource_access_token_creation_allowed?
 group = project.group
 return true unless group # always enable for projects in personal namespaces
- resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
 end
 def project |
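Review bot: `rule { guest & ~public_project }.enable :read_grafana` gives guest members of non-public projects Grafana read access, with no comment saying why guest is the right floor or why public projects are excluded. The second `enable :read_grafana` (hunk at -340) appears to sit in the `can?(:reporter_access)` block, though that block's opening line is outside the hunk, so on a public project the ability would presumably start at reporter. Whatever `:read_grafana` guards may expose operational metrics, so the minimum role should be explicit. I would add a comment above the rule, for example `# Guests may read Grafana data only on private/internal projects; public projects need reporter access`, if that is the intent. The policy spec should cover guest, reporter and anonymous users on both public and non-public projects.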