authorGitLab Bot <gitlab-bot@gitlab.com>2022-10-29 00:10:45 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-10-29 00:10:45 +0300
commit71d6b9014bef64436bbd996667e6458ebde561c4 (patch)
tree21b049d24b2d96be84904576e2b619f82d5d515d /app/policies
parent0076bbc67375ff1507e42ce479406daf92c0a6a2 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/concerns/member_policy_helpers.rb19
-rw-r--r--app/policies/group_member_policy.rb14
-rw-r--r--app/policies/group_policy.rb5
-rw-r--r--app/policies/project_member_policy.rb15
-rw-r--r--app/policies/project_policy.rb2
5 files changed, 51 insertions, 4 deletions
diff --git a/app/policies/concerns/member_policy_helpers.rb b/app/policies/concerns/member_policy_helpers.rb
new file mode 100644
index 00000000000..6c4a3caf8bf
--- /dev/null
+++ b/app/policies/concerns/member_policy_helpers.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module MemberPolicyHelpers
+ extend ActiveSupport::Concern
+
+ private
+
+ def record_is_access_request_of_self?
+ record_is_access_request? && record_belongs_to_self?
+ end
+
+ def record_is_access_request?
+ @subject.request? # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+
+ def record_belongs_to_self?
+ @user && @subject.user == @user # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+end
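Review bot: `record_belongs_to_self?` compares `@subject.user == @user`, which reads the `user` association, whereas the group condition it replaces in group_member_policy.rb compared `@subject.user_id == @user.id`. The conditions built on this helper are declared `with_score 0` in both member policies, so if the association is not already loaded the check may cost a query per member record while being ranked as free. Comparing ids, `@user && @subject.user_id == @user.id`, keeps the cheap form, assuming every subject exposes `user_id` as the removed group condition did. A one-line comment on the module stating that it expects `@subject` to be a member record responding to `request?` and `user` would also help, since the concern is mixed into two policies.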
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index a394b63fc8e..f61f758a8e8 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class GroupMemberPolicy < BasePolicy
+ include MemberPolicyHelpers
+
delegate :group
with_scope :subject
@@ -9,7 +11,11 @@ class GroupMemberPolicy < BasePolicy
desc "Membership is users' own"
with_score 0
- condition(:is_target_user) { @user && @subject.user_id == @user.id }
+ condition(:target_is_self) { record_belongs_to_self? }
+
+ desc "Membership is users' own access request"
+ with_score 0
+ condition(:access_request_of_self) { record_is_access_request_of_self? }
rule { anonymous }.policy do
prevent :update_group_member
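Review bot: Renaming the condition `is_target_user` to `target_is_self` breaks any rule outside this file that still uses the old name. The class is extended at the bottom of the file through `prepend_mod_with('GroupMemberPolicy')`, so the prepended module, which is not visible here, should be checked for references. A stale condition name in an authorization policy should fail loudly in specs rather than at request time. The class body continues outside this hunk.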
@@ -28,9 +34,13 @@ class GroupMemberPolicy < BasePolicy
rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member
- rule { is_target_user }.policy do
+ rule { target_is_self }.policy do
enable :destroy_group_member
end
+
+ rule { access_request_of_self }.policy do
+ enable :withdraw_member_access_request
+ end
end
GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy')
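Review bot: `access_request_of_self` can only hold when `target_is_self` also holds, so every user granted `:withdraw_member_access_request` by the new rule is already granted `:destroy_group_member` by the rule just above it, unless a `prevent` outside the hunk removes that. The reason for the separate, narrower ability is not stated anywhere in the policy. A comment on the rule such as `# narrower than :destroy_group_member: covers only the user's own pending access request` would make the intent clear to whoever later tightens the destroy rule. The same applies to the matching rule added in project_member_policy.rb.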
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 341f22120eb..806c57bab74 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -283,6 +283,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
prevent :create_resource_access_tokens
end
+ rule { can?(:admin_group_member) }.policy do
+ # ability to read, approve or reject member access requests of other users
+ enable :admin_member_access_request
+ end
+
rule { support_bot & has_project_with_service_desk_enabled }.policy do
enable :read_label
end
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index 40ba30fce5e..bcfc7c87d41 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -1,13 +1,18 @@
# frozen_string_literal: true
class ProjectMemberPolicy < BasePolicy
+ include MemberPolicyHelpers
delegate { @subject.project }
condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do
@subject.project.personal_namespace_holder?(@subject.user)
end
- condition(:target_is_self) { @user && @subject.user == @user }
+ desc "Membership is users' own access request"
+ with_score 0
+ condition(:access_request_of_self) { record_is_access_request_of_self? }
+
+ condition(:target_is_self) { record_belongs_to_self? }
condition(:project_bot) { @subject.user&.project_bot? }
rule { anonymous }.prevent_all
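Review bot: `condition(:target_is_self)` is left without a `desc`, while the new `access_request_of_self` condition directly above it has one, as does the same-named condition in group_member_policy.rb. Adding `desc "Membership is users' own"` before it keeps the two member policies consistent and makes policy debugging output readable. The `include MemberPolicyHelpers` line is also not followed by a blank line here, unlike in the group policy.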
@@ -24,5 +29,11 @@ class ProjectMemberPolicy < BasePolicy
rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member
- rule { target_is_self }.enable :destroy_project_member
+ rule { target_is_self }.policy do
+ enable :destroy_project_member
+ end
+
+ rule { access_request_of_self }.policy do
+ enable :withdraw_member_access_request
+ end
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3ba753ab60d..c71b26987a0 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -834,6 +834,8 @@ class ProjectPolicy < BasePolicy
rule { can?(:admin_project_member) }.policy do
enable :import_project_members_from_another_project
+ # ability to read, approve or reject member access requests of other users
+ enable :admin_member_access_request
end
rule { registry_enabled & can?(:admin_container_image) }.policy do