authorGitLab Bot <gitlab-bot@gitlab.com>2022-10-20 12:40:42 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-10-20 12:40:42 +0300
commitee664acb356f8123f4f6b00b73c1e1cf0866c7fb (patch)
treef8479f94a28f66654c6a4f6fb99bad6b4e86a40e /app/policies
parent62f7d5c5b69180e82ae8196b7b429eeffc8e7b4f (diff)
Add latest changes from gitlab-org/gitlab@15-5-stable-eev15.5.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/runner_policy.rb11
-rw-r--r--app/policies/group_label_policy.rb2
-rw-r--r--app/policies/group_policy.rb20
-rw-r--r--app/policies/issuable_policy.rb12
-rw-r--r--app/policies/issue_policy.rb4
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb2
-rw-r--r--app/policies/note_policy.rb3
-rw-r--r--app/policies/project_label_policy.rb2
-rw-r--r--app/policies/project_policy.rb7
-rw-r--r--app/policies/todo_policy.rb2
10 files changed, 38 insertions, 27 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index a52dac446ea..1c23b367489 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -20,8 +20,8 @@ module Ci
end
with_options scope: :user, score: 5
- condition(:any_developer_groups_inheriting_shared_runners) do
- @user.developer_groups.with_shared_runners_enabled.any?
+ condition(:any_developer_maintainer_owned_groups_inheriting_shared_runners) do
+ @user.developer_maintainer_owned_groups.with_shared_runners_enabled.any?
end
with_options scope: :user, score: 5
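Review bot: The renamed condition's body now reads `@user.developer_maintainer_owned_groups` instead of `@user.developer_groups`, which widens the set of users for whom the instance-runner `read_runner` rule in the third hunk of this file fires from developers to maintainers and owners as well, and nothing in the hunk says so. The sibling condition in the next hunk got an inline comment ("developer+") for the same widening; this one has none. Adding `# groups where the user is developer+ and that inherit shared runners` above the `condition(...)` line would document the broadened grant where it is defined. The enclosing `module Ci` continues outside the hunk.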
@@ -31,7 +31,7 @@ module Ci
with_options score: 10
condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
- # Check if any projects where user is a developer are inheriting group runners
+ # Check if any projects where user is a developer+ are inheriting group runners
@subject.groups&.any? do |group|
group.all_projects
.with_group_runners_enabled
@@ -48,13 +48,10 @@ module Ci
rule { admin | owned_runner }.policy do
enable :read_builds
- end
-
- rule { admin | owned_runner }.policy do
enable :read_runner
end
- rule { is_instance_runner & any_developer_groups_inheriting_shared_runners }.policy do
+ rule { is_instance_runner & any_developer_maintainer_owned_groups_inheriting_shared_runners }.policy do
enable :read_runner
end
diff --git a/app/policies/group_label_policy.rb b/app/policies/group_label_policy.rb
index 9f3acd44b23..4a848e44fec 100644
--- a/app/policies/group_label_policy.rb
+++ b/app/policies/group_label_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
class GroupLabelPolicy < BasePolicy
- delegate { @subject.group }
+ delegate { @subject.parent_container }
end
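Review bot: `delegate { @subject.parent_container }` hands the label's entire permission set to whatever `parent_container` returns, and that method is not defined in this diff, so the expected delegation target is no longer visible at the policy; previously `@subject.group` made it explicit. If `parent_container` can return nil for an orphaned label, the delegation target changes type silently, which is worth confirming. The same change is made in app/policies/project_label_policy.rb. A one-line comment such as `# parent_container is expected to be the owning Group` on each would record the assumption the policy relies on.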
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 96da0518dc0..7a0fb10928a 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -35,15 +35,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_options scope: :subject, score: 0
condition(:request_access_enabled) { @subject.request_access_enabled }
- condition(:create_projects_disabled) do
+ condition(:create_projects_disabled, scope: :subject) do
@subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
end
- condition(:developer_maintainer_access) do
+ condition(:developer_maintainer_access, scope: :subject) do
@subject.project_creation_level == ::Gitlab::Access::DEVELOPER_MAINTAINER_PROJECT_ACCESS
end
- condition(:maintainer_can_create_group) do
+ condition(:maintainer_can_create_group, scope: :subject) do
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
end
@@ -51,7 +51,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
end
- condition(:dependency_proxy_available) do
+ condition(:dependency_proxy_available, scope: :subject) do
@subject.dependency_proxy_feature_available?
end
@@ -59,7 +59,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
end
- condition(:observability_enabled) do
+ condition(:observability_enabled, scope: :subject) do
Feature.enabled?(:observability_group_tab, @subject)
end
@@ -80,10 +80,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
+ with_scope :subject
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
- condition(:group_runner_registration_allowed) do
- Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ condition(:group_runner_registration_allowed, scope: :global) do
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
end
rule { can?(:read_group) & design_management_enabled }.policy do
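Review bot: The added `with_scope :subject` line immediately before `condition(:crm_enabled, score: 0, scope: :subject)` is redundant, because that condition already passes `scope: :subject` explicitly; the added line can simply be dropped. Separately, `group_runner_registration_allowed` is now declared `scope: :global`, while the matching `project_runner_registration_allowed` change in app/policies/project_policy.rb removes the same feature-flag bypass but leaves that condition's scope unchanged, so two conditions reading the same `Gitlab::CurrentSettings.valid_runner_registrars` setting are cached differently; either both or neither should be global. Since a globally scoped condition is memoized across every subject and user sharing the policy cache, it is worth confirming the cache lifetime is request-bound so an admin change to the allowed registrars takes effect promptly.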
@@ -149,6 +150,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :admin_crm_organization
enable :admin_crm_contact
enable :read_cluster
+
+ enable :read_group_all_available_runners
end
rule { reporter }.policy do
@@ -204,6 +207,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :destroy_deploy_token
enable :update_runners_registration_token
enable :owner_access
+
+ enable :read_billing
+ enable :edit_billing
end
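Review bot: `read_billing` and `edit_billing` are enabled inside a rule whose guard line lies outside the hunk; from the sibling `enable :owner_access` it is presumably the owner rule, which is the level billing management should require, but that cannot be confirmed from the hunk. The same two abilities are added in app/policies/namespaces/user_namespace_policy.rb to a rule whose guard is likewise not visible, so both should be checked together. A short `# billing management (owner only)` comment above the pair in each file would make the intended level obvious when the rule is read later.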
rule { can?(:read_nested_project_resources) }.policy do
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index e864ce8752a..df065b24e64 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -22,12 +22,6 @@ class IssuablePolicy < BasePolicy
enable :reopen_issue
end
- # This rule replicates permissions in NotePolicy#can_read_confidential and it's used in
- # TodoPolicy for performance reasons
- rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
- enable :read_confidential_notes
- end
-
rule { can?(:read_merge_request) & assignee_or_author }.policy do
enable :update_merge_request
enable :reopen_merge_request
@@ -58,6 +52,12 @@ class IssuablePolicy < BasePolicy
rule { can_read_issuable }.policy do
enable :read_issuable
+ enable :read_issuable_participables
+ end
+
+ # This rule replicates permissions in NotePolicy#can_read_confidential
+ rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+ enable :read_internal_note
end
end
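Review bot: Renaming the ability from `read_confidential_notes` to `read_internal_note` is a silent change for any caller outside app/policies that still checks the old name: an ability no rule enables evaluates to false in this policy framework, so such a caller would start denying access rather than raising. Only app/policies/todo_policy.rb is updated in this diff; controllers, GraphQL resolvers and EE code are not visible here and should be searched for the old symbol before merging. The comment on the moved rule says it replicates NotePolicy#can_read_confidential, which compares `access_level >= Gitlab::Access::REPORTER`, whereas this rule uses `can?(:reporter_access)`; the two only stay equivalent if that ability is granted exactly at reporter level, and a note such as `# keep in sync: assumes :reporter_access tracks Gitlab::Access::REPORTER` would record that dependency. The `IssuablePolicy` class continues outside the hunk.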
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 0a0a35d41cc..87db228a698 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -81,6 +81,10 @@ class IssuePolicy < IssuablePolicy
rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do
enable :set_issue_crm_contacts
end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :mark_note_as_confidential
+ end
end
IssuePolicy.prepend_mod_with('IssuePolicy')
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 028247497e5..89158578ac1 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -15,6 +15,8 @@ module Namespaces
enable :read_statistics
enable :create_jira_connect_subscription
enable :admin_package
+ enable :read_billing
+ enable :edit_billing
end
rule { ~can_create_personal_project }.prevent :create_projects
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 1bffcc5aea2..dbfc63a0069 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,7 +20,8 @@ class NotePolicy < BasePolicy
condition(:confidential, scope: :subject) { @subject.confidential? }
- # If this condition changes IssuablePolicy#read_confidential_notes should be updated too
+ # Should be matched with IssuablePolicy#read_internal_note
+ # and EpicPolicy#read_internal_note
condition(:can_read_confidential) do
access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
end
diff --git a/app/policies/project_label_policy.rb b/app/policies/project_label_policy.rb
index 5ce896ecaf2..6656d5990a5 100644
--- a/app/policies/project_label_policy.rb
+++ b/app/policies/project_label_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
class ProjectLabelPolicy < BasePolicy
- delegate { @subject.project }
+ delegate { @subject.parent_container }
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index fb162d03955..77bdf9d62fc 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -222,7 +222,7 @@ class ProjectPolicy < BasePolicy
end
condition(:project_runner_registration_allowed) do
- Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
end
condition :registry_enabled do
@@ -399,7 +399,7 @@ class ProjectPolicy < BasePolicy
prevent(:admin_feature_flags_client)
end
- rule { split_operations_visibility_permissions & releases_disabled }.policy do
+ rule { releases_disabled }.policy do
prevent(*create_read_update_admin_destroy(:release))
end
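Review bot: Dropping `split_operations_visibility_permissions` from the releases rule means `releases_disabled` alone now prevents the release abilities, which is a strictly broader prevent and looks intended. If this was the condition's last use in the file, the `split_operations_visibility_permissions` definition and whatever flag it reads are now dead code and should be removed in the same change; that definition is outside the hunk, so it cannot be confirmed here.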
@@ -574,6 +574,7 @@ class ProjectPolicy < BasePolicy
rule { issues_disabled & merge_requests_disabled }.policy do
prevent(*create_read_update_admin_destroy(:label))
prevent(*create_read_update_admin_destroy(:milestone))
+ prevent(:read_cycle_analytics)
end
rule { snippets_disabled }.policy do
@@ -793,7 +794,7 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
- rule { can?(:read_all_resources) }.enable :read_resource_access_tokens
+ rule { can?(:read_all_resources) & resource_access_token_feature_available }.enable :read_resource_access_tokens
rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
enable :read_resource_access_tokens
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index 5c24964f24a..d63eb9407f8 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -16,7 +16,7 @@ class TodoPolicy < BasePolicy
desc "User can read the todo's confidential note"
condition(:can_read_todo_confidential_note) do
- @user && @user.can?(:read_confidential_notes, @subject.target)
+ @user && @user.can?(:read_internal_note, @subject.target)
end
rule { own_todo & can_read_target }.enable :read_todo
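Review bot: The changed line `@user && @user.can?(:read_internal_note, @subject.target)` reads more idiomatically as `@user&.can?(:read_internal_note, @subject.target)`, which returns the same nil-or-boolean result. The `desc` two lines above still says "confidential note" although the ability checked is now `read_internal_note`; if the product term has moved to "internal", change it to `desc "User can read the todo's internal note"` so the description and the ability agree. Whether `@subject.target` can be nil for a todo whose target was deleted is not visible here; if it can, the delegated `can?` receives a nil subject and the outcome depends on how that helper treats nil, which is worth a quick check.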