
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-07-19 17:16:28 +0300
commite4384360a16dd9a19d4d2d25d0ef1f2b862ed2a6 (patch)
tree2fcdfa7dcdb9db8f5208b2562f4b4e803d671243 /app/policies
parentffda4e7bcac36987f936b4ba515995a6698698f0 (diff)
Add latest changes from gitlab-org/gitlab@16-2-stable-eev16.2.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/global_policy.rb8
-rw-r--r--app/policies/group_policy.rb8
-rw-r--r--app/policies/merge_request_policy.rb8
-rw-r--r--app/policies/project_policy.rb20
4 files changed, 20 insertions, 24 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index b96ad9a73c8..bf7bfe36254 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,10 +22,6 @@ class GlobalPolicy < BasePolicy
condition(:project_bot, scope: :user) { @user&.project_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
- condition(:create_runner_workflow_enabled, scope: :user) do
- Feature.enabled?(:create_runner_workflow_for_admin, @user)
- end
-
condition(:service_account, scope: :user) { @user&.service_account? }
rule { anonymous }.policy do
@@ -128,10 +124,6 @@ class GlobalPolicy < BasePolicy
enable :create_instance_runner
end
- rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_instance_runner
- end
-
# We can't use `read_statistics` because the user may have different permissions for different projects
rule { admin }.enable :use_project_statistics_filters
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 94a67f5b5c8..29b966b43e2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -97,10 +97,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
- condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow_for_namespace, group)
- end
-
condition(:achievements_enabled, scope: :subject) do
Feature.enabled?(:achievements, @subject)
end
@@ -375,10 +371,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :admin_observability
end
- rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_runner
- end
-
# Should be matched with ProjectPolicy#read_internal_note
rule { admin | reporter }.enable :read_internal_note
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 49f9225a1d3..090be645b21 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -16,6 +16,10 @@ class MergeRequestPolicy < IssuablePolicy
prevent :accept_merge_request
end
+ rule { can?(:read_merge_request) }.policy do
+ enable :generate_diff_summary
+ end
+
rule { can_approve }.policy do
enable :approve_merge_request
end
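Review bot: The added `rule { can?(:read_merge_request) }` grants `:generate_diff_summary` to every principal that can read the merge request, which on a public project presumably includes guest and anonymous readers, and nothing visible in this hunk ties the ability to a feature flag, licence check or quota. If that gating is enforced by the caller, the rule should say so, for example `# Intentionally as broad as read access; feature and usage limits are enforced by the caller.` If it is not enforced anywhere, the condition here is the place to narrow it. The class body starts and ends outside the hunk, so other rules may already prevent this ability.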
@@ -43,6 +47,10 @@ class MergeRequestPolicy < IssuablePolicy
enable :set_merge_request_metadata
end
+ rule { llm_bot }.policy do
+ enable :generate_diff_summary
+ end
+
private
def can_approve?
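Review bot: `rule { llm_bot }` enables `:generate_diff_summary` without the `can?(:read_merge_request)` condition used by the other rule this commit adds, so the bot holds the ability on merge requests it may not itself be allowed to read. If the bot is meant to act for a user whose access was already checked, that assumption deserves a comment above the rule, e.g. `# llm_bot acts on behalf of a user; that user's read access must be verified before the bot is invoked.` Without it, a later caller could treat this ability as proof that the diff may be disclosed. The `llm_bot` condition is defined outside this hunk, so its exact scope cannot be confirmed from here.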
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index c70dc288710..ad6155258ab 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -253,12 +253,12 @@ class ProjectPolicy < BasePolicy
!Gitlab.config.terraform_state.enabled
end
- condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace)
- end
-
condition(:namespace_catalog_available) { namespace_catalog_available? }
+ condition(:created_and_owned_by_banned_user, scope: :subject) do
+ Feature.enabled?(:hide_projects_of_banned_users) && @subject.created_and_owned_by_banned_user?
+ end
+
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
# not.
rule { guest | admin }.enable :read_project_for_iids
@@ -886,10 +886,6 @@ class ProjectPolicy < BasePolicy
enable :read_code
end
- rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_runner
- end
-
# Should be matched with GroupPolicy#read_internal_note
rule { admin | can?(:reporter_access) }.enable :read_internal_note
@@ -909,6 +905,14 @@ class ProjectPolicy < BasePolicy
enable :read_model_experiments
end
+ rule { can?(:reporter_access) & model_experiments_enabled }.policy do
+ enable :write_model_experiments
+ end
+
+ rule { ~admin & created_and_owned_by_banned_user }.policy do
+ prevent :read_project
+ end
+
private
def user_is_user?
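Review bot: `prevent :read_project` in the `~admin & created_and_owned_by_banned_user` rule blocks only that one ability, while abilities enabled by their own rules are untouched. The first hunk of this file shows one such ability, `:read_project_for_iids`, whose comment says it should survive a `:read_project` prevent. Whether code, issues or other data of a banned user's project stay reachable therefore depends on rules and call sites outside this diff, so a comment listing which abilities are expected to follow `:read_project` would help, plus a policy spec for the ones that must be hidden. The restriction also fails open: with `Feature.enabled?(:hide_projects_of_banned_users)` off, the condition is false and these projects stay as readable as before. That is worth stating next to the condition.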