author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-29 00:10:45 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-10-29 00:10:45 +0300 |
commit | 71d6b9014bef64436bbd996667e6458ebde561c4 (patch) | |
tree | 21b049d24b2d96be84904576e2b619f82d5d515d /app/policies | |
parent | 0076bbc67375ff1507e42ce479406daf92c0a6a2 (diff) |
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/concerns/member_policy_helpers.rb | 19 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 14 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/project_member_policy.rb | 15 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 2 |
5 files changed, 51 insertions, 4 deletions
diff --git a/app/policies/concerns/member_policy_helpers.rb b/app/policies/concerns/member_policy_helpers.rb
new file mode 100644
index 00000000000..6c4a3caf8bf
--- /dev/null
+++ b/app/policies/concerns/member_policy_helpers.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module MemberPolicyHelpers
+ extend ActiveSupport::Concern
+
+ private
+
+ def record_is_access_request_of_self?
+ record_is_access_request? && record_belongs_to_self?
+ end
+
+ def record_is_access_request?
+ @subject.request? # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+
+ def record_belongs_to_self?
+ @user && @subject.user == @user # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+end
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index a394b63fc8e..f61f758a8e8 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -1,6 +1,8 @@ # frozen_string_literal: true class GroupMemberPolicy < BasePolicy + include MemberPolicyHelpers + delegate :group with_scope :subject
@@ -9,7 +11,11 @@ class GroupMemberPolicy < BasePolicy desc "Membership is users' own" with_score 0 - condition(:is_target_user) { @user && @subject.user_id == @user.id } + condition(:target_is_self) { record_belongs_to_self? } + + desc "Membership is users' own access request" + with_score 0 + condition(:access_request_of_self) { record_is_access_request_of_self? } rule { anonymous }.policy do prevent :update_group_member
@@ -28,9 +34,13 @@ class GroupMemberPolicy < BasePolicy rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member - rule { is_target_user }.policy do + rule { target_is_self }.policy do enable :destroy_group_member end + + rule { access_request_of_self }.policy do + enable :withdraw_member_access_request + end end GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 341f22120eb..806c57bab74 100644
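Review bot: `record_belongs_to_self?` in member_policy_helpers.rb compares `@subject.user == @user`, which may load the member's user association, whereas the `is_target_user` condition it replaces in GroupMemberPolicy compared ids only. Keeping the id form in the helper, `@user && @subject.user_id == @user.id`, avoids that load and keeps the `with_score 0` declared on the calling conditions accurate. If the policy base class exposes `user` and `subject` readers (not visible in this diff), calling them instead of the instance variables would make both `rubocop:disable Gitlab/ModuleWithInstanceVariables` comments unnecessary. A one-line comment above the module, such as `# Expects the including policy's subject to respond to #request? and #user`, would tell future includers what the helpers rely on.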
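Review bot: The condition in group_member_policy.rb is renamed from `is_target_user` to `target_is_self` while the file still ends with `GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy')`, so a prepended module that still names `is_target_user` in a rule would presumably no longer resolve. The diffstat is limited to app/policies, so that module is not visible here and is worth checking. In the last hunk, `withdraw_member_access_request` is enabled by `access_request_of_self`, while `target_is_self` already enables `destroy_group_member` on the same record. A comment on the new rule, for example `# checked when a user cancels their own pending request; destroy_group_member covers leaving an accepted membership`, would keep callers from using the two abilities interchangeably, assuming that is the intended split.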
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -283,6 +283,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy prevent :create_resource_access_tokens end + rule { can?(:admin_group_member) }.policy do + # ability to read, approve or reject member access requests of other users + enable :admin_member_access_request + end + rule { support_bot & has_project_with_service_desk_enabled }.policy do enable :read_label end
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index 40ba30fce5e..bcfc7c87d41 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -1,13 +1,18 @@ # frozen_string_literal: true class ProjectMemberPolicy < BasePolicy + include MemberPolicyHelpers delegate { @subject.project } condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do @subject.project.personal_namespace_holder?(@subject.user) end - condition(:target_is_self) { @user && @subject.user == @user } + desc "Membership is users' own access request" + with_score 0 + condition(:access_request_of_self) { record_is_access_request_of_self? } + + condition(:target_is_self) { record_belongs_to_self? } condition(:project_bot) { @subject.user&.project_bot? } rule { anonymous }.prevent_all
@@ -24,5 +29,11 @@ class ProjectMemberPolicy < BasePolicy rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member - rule { target_is_self }.enable :destroy_project_member + rule { target_is_self }.policy do + enable :destroy_project_member + end + + rule { access_request_of_self }.policy do + enable :withdraw_member_access_request + end end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3ba753ab60d..c71b26987a0 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
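Review bot: `admin_member_access_request` in group_policy.rb is described by its comment as covering read, approve and reject, so viewing pending requests cannot be granted separately from acting on them. If that is deliberate, the comment should say so, e.g. `# single ability on purpose: reading and approving/rejecting are not split`; the same ability and comment are added in project_policy.rb. This hunk also opens a new `rule { can?(:admin_group_member) }.policy do` block for one `enable`, whereas project_policy.rb appends the line to an existing rule. If GroupPolicy already has a rule on `admin_group_member` outside the hunk the line would sit better there, and otherwise `rule { can?(:admin_group_member) }.enable :admin_member_access_request` is enough.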
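Review bot: `target_is_self` in project_member_policy.rb is declared without `desc` or `with_score`, while GroupMemberPolicy declares the same condition with `desc "Membership is users' own"` and `with_score 0`. The new `access_request_of_self` directly above it carries both, so adding those two lines before `condition(:target_is_self)` keeps the two member policies parallel. `include MemberPolicyHelpers` also appears not to be followed by a blank line here, unlike in GroupMemberPolicy. In the second hunk, `rule { target_is_self }.enable :destroy_project_member` becomes a `policy do` block holding a single `enable`, which changes nothing and could stay in the one-line form.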
@@ -834,6 +834,8 @@ class ProjectPolicy < BasePolicy rule { can?(:admin_project_member) }.policy do enable :import_project_members_from_another_project + # ability to read, approve or reject member access requests of other users + enable :admin_member_access_request end rule { registry_enabled & can?(:admin_container_image) }.policy do |