
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-11-19 11:27:35 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-11-19 11:27:35 +0300
commit7e9c479f7de77702622631cff2628a9c8dcbc627 (patch)
treec8f718a08e110ad7e1894510980d2155a6549197 /app/policies
parente852b0ae16db4052c1c567d9efa4facc81146e88 (diff)
Add latest changes from gitlab-org/gitlab@13-6-stable-eev13.6.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/alert_management/http_integration_policy.rb7
-rw-r--r--app/policies/base_policy.rb2
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/container_registry/tag_policy.rb6
-rw-r--r--app/policies/custom_emoji_policy.rb5
-rw-r--r--app/policies/group_member_policy.rb5
-rw-r--r--app/policies/group_policy.rb20
-rw-r--r--app/policies/instance_metadata_policy.rb5
-rw-r--r--app/policies/issue_policy.rb4
-rw-r--r--app/policies/merge_request_policy.rb4
-rw-r--r--app/policies/note_policy.rb11
-rw-r--r--app/policies/project_policy.rb3
-rw-r--r--app/policies/service_policy.rb5
-rw-r--r--app/policies/terraform/state_version_policy.rb9
-rw-r--r--app/policies/user_policy.rb2
15 files changed, 88 insertions, 4 deletions
diff --git a/app/policies/alert_management/http_integration_policy.rb b/app/policies/alert_management/http_integration_policy.rb
new file mode 100644
index 00000000000..77c936b9e0b
--- /dev/null
+++ b/app/policies/alert_management/http_integration_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AlertManagement
+ class HttpIntegrationPolicy < ::BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1c93073025d..580a348b408 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -57,6 +57,8 @@ class BasePolicy < DeclarativePolicy::Base
rule { default }.enable :read_cross_project
condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
+
+ rule { admin }.enable :change_repository_storage
end
BasePolicy.prepend_if_ee('EE::BasePolicy')
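Review bot: `rule { admin }.enable :change_repository_storage` now sits in BasePolicy, so every policy class that inherits from it grants the ability to admins, not only ProjectPolicy, where this commit removes the rule. If the move is meant to cover other subject types that own a repository, a comment saying so would stop the ability from reading as an accidental global grant, e.g. `# Defined on BasePolicy because more than one subject type has repository storage`. Nothing in this hunk ties the ability to a subject that actually has repository storage, so callers still need to check it against the right object. The class body starts outside the hunk.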
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 3073a2e5d10..7eca6f4c6c8 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -72,6 +72,10 @@ module PolicyActor
def try_obtain_ldap_lease
nil
end
+
+ def can_read_all_resources?
+ false
+ end
end
PolicyActor.prepend_if_ee('EE::PolicyActor')
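Review bot: `can_read_all_resources?` has no comment, and the name describes a blanket read bypass, so the reason the default is `false` should be written down. Something like `# Fail-closed default for actors that include PolicyActor; override only in an actor class that is meant to read everything` above the method would do. The `prepend_if_ee` line below suggests EE code can override methods in this module, so a local comment is the only signal here that widening the answer is a security-relevant change. The module body starts outside the hunk.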
diff --git a/app/policies/container_registry/tag_policy.rb b/app/policies/container_registry/tag_policy.rb
new file mode 100644
index 00000000000..8c75f2a6f20
--- /dev/null
+++ b/app/policies/container_registry/tag_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module ContainerRegistry
+ class TagPolicy < BasePolicy
+ delegate { @subject.repository }
+ end
+end
diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb
new file mode 100644
index 00000000000..ba73b9a3782
--- /dev/null
+++ b/app/policies/custom_emoji_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class CustomEmojiPolicy < BasePolicy
+ delegate { @subject.group }
+end
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f6e52def270..78a2be7a9f8 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -11,7 +11,10 @@ class GroupMemberPolicy < BasePolicy
condition(:is_target_user) { @user && @subject.user_id == @user.id }
rule { anonymous }.prevent_all
- rule { last_owner }.prevent_all
+ rule { last_owner }.policy do
+ prevent :update_group_member
+ prevent :destroy_group_member
+ end
rule { can?(:admin_group_member) }.policy do
enable :update_group_member
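Review bot: Replacing `prevent_all` on `last_owner` with two named `prevent` calls turns a deny-all into a deny-list, so any ability later enabled in GroupMemberPolicy will apply to the last owner's membership unless it is also added here. A comment on the rule would record that, for example `# Last owner: block only changes that would leave the group without an owner; add new write abilities to this list`. A spec that checks each write ability of this policy against a last-owner membership would catch an omission. The `can?(:admin_group_member)` block that follows runs past the end of the hunk, so the full set of abilities it enables is not visible here.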
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index f9ec026a6d2..231843c5f23 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -46,6 +46,10 @@ class GroupPolicy < BasePolicy
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
end
+ condition(:dependency_proxy_available) do
+ @subject.dependency_proxy_feature_available?
+ end
+
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
@@ -59,6 +63,9 @@ class GroupPolicy < BasePolicy
with_scope :subject
condition(:resource_access_token_available) { resource_access_token_available? }
+ with_scope :subject
+ condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
+
rule { design_management_enabled }.policy do
enable :read_design_activity
end
@@ -94,6 +101,7 @@ class GroupPolicy < BasePolicy
enable :read_label
enable :read_board
enable :read_group_member
+ enable :read_custom_emoji
end
rule { ~can?(:read_group) }.policy do
@@ -107,6 +115,7 @@ class GroupPolicy < BasePolicy
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
+ enable :create_custom_emoji
end
rule { reporter }.policy do
@@ -187,13 +196,24 @@ class GroupPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
+ enable :read_package
enable :read_group
end
+ rule { can?(:read_group) & dependency_proxy_available }
+ .enable :read_dependency_proxy
+
+ rule { developer & dependency_proxy_available }
+ .enable :admin_dependency_proxy
+
rule { resource_access_token_available & can?(:admin_group) }.policy do
enable :admin_resource_access_tokens
end
+ rule { support_bot & has_project_with_service_desk_enabled }.policy do
+ enable :read_label
+ end
+
def access_level
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
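Review bot: `rule { developer & dependency_proxy_available }.enable :admin_dependency_proxy` grants an `admin_`-prefixed ability at developer level, which is lower than the name leads a reader to expect. What the ability guards is not visible in this hunk; if it covers changing the proxy's configuration, confirm developer is the intended floor, and either way add a `desc` or a comment stating the intended role, e.g. `# Developers and above may manage the dependency proxy`. The same hunk lets `support_bot` read labels in any group that has at least one project with Service Desk enabled, which deserves a one-line comment for the same reason. `access_level` continues beyond the hunk.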
diff --git a/app/policies/instance_metadata_policy.rb b/app/policies/instance_metadata_policy.rb
new file mode 100644
index 00000000000..3386217044d
--- /dev/null
+++ b/app/policies/instance_metadata_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class InstanceMetadataPolicy < BasePolicy
+ delegate { :global }
+end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 44c448eb601..183f4d8f919 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -35,6 +35,10 @@ class IssuePolicy < IssuablePolicy
rule { ~can?(:read_design) }.policy do
prevent :move_design
end
+
+ rule { ~anonymous & can?(:read_issue) }.policy do
+ enable :create_todo
+ end
end
IssuePolicy.prepend_if_ee('EE::IssuePolicy')
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e5ac228b0ee..d5ba42d750c 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -14,6 +14,10 @@ class MergeRequestPolicy < IssuablePolicy
rule { can?(:update_merge_request) }.policy do
enable :approve_merge_request
end
+
+ rule { ~anonymous & can?(:read_merge_request) }.policy do
+ enable :create_todo
+ end
end
MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 2217aa1326c..2bf6b6c3161 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -7,13 +7,15 @@ class NotePolicy < BasePolicy
delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
condition(:is_author) { @user && @subject.author == @user }
- condition(:is_noteable_author) { @user && @subject.noteable.author_id == @user.id }
+ condition(:is_noteable_author) { @user && @subject.noteable.try(:author_id) == @user.id }
condition(:editable, scope: :subject) { @subject.editable? }
condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
condition(:commit_is_deleted) { @subject.for_commit? && @subject.noteable.blank? }
+ condition(:for_design) { @subject.for_design? }
+
condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
condition(:confidential, scope: :subject) { @subject.confidential? }
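Review bot: With `@subject.noteable.try(:author_id) == @user.id`, a noteable that is nil or has no `author_id` gives nil on the left, and the comparison is then true only if `@user.id` is nil as well. That should not occur for a persisted user, but the condition feeds authorisation, so making it fail closed is cheap: `condition(:is_noteable_author) { @user && (id = @subject.noteable.try(:author_id)) && id == @user.id }`. A short comment naming the noteable types that lack `author_id` would also explain why `try` is needed here.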
@@ -28,6 +30,7 @@ class NotePolicy < BasePolicy
rule { ~can_read_noteable }.policy do
prevent :admin_note
prevent :resolve_note
+ prevent :reposition_note
prevent :award_emoji
end
@@ -46,6 +49,7 @@ class NotePolicy < BasePolicy
prevent :read_note
prevent :admin_note
prevent :resolve_note
+ prevent :reposition_note
prevent :award_emoji
end
@@ -57,9 +61,14 @@ class NotePolicy < BasePolicy
prevent :read_note
prevent :admin_note
prevent :resolve_note
+ prevent :reposition_note
prevent :award_emoji
end
+ rule { can?(:admin_note) | (for_design & can?(:create_note)) }.policy do
+ enable :reposition_note
+ end
+
def parent_namespace
strong_memoize(:parent_namespace) do
next if @subject.is_a?(PersonalSnippet)
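Review bot: The `for_design & can?(:create_note)` branch lets anyone who may comment on a design reposition notes on it, with no reference to `is_author`, so one commenter can move another user's note. If that is intended, say so above the rule, e.g. `# Anyone who can comment on a design may reposition its notes, not only the note's author`. The three `prevent :reposition_note` lines added in the earlier hunks of this file have to stay in step with this enable, and a spec asserting `reposition_note` is denied in each of those prevent blocks would guard that. `parent_namespace` continues beyond the hunk.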
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 59e2d617bf7..13073ed68a1 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -546,8 +546,6 @@ class ProjectPolicy < BasePolicy
prevent :create_pipeline
end
- rule { admin }.enable :change_repository_storage
-
rule { can?(:read_issue) }.policy do
enable :read_design
enable :read_design_activity
@@ -570,6 +568,7 @@ class ProjectPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
+ enable :read_package
enable :read_project
end
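Review bot: `enable :read_package` under `write_package_registry_deploy_token` means a deploy token issued with only the write scope can also read packages; the identical line is added to the same rule in group_policy.rb. Unless another rule outside this hunk already granted it, holders of existing write-only tokens gain read access on upgrade, so if write is meant to imply read, state it at the rule, e.g. `# write_package_registry implies read access to packages`, and keep the user-facing scope description in line with it. A spec asserting `read_package` for a write-only deploy token on both policies would pin the intent.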
diff --git a/app/policies/service_policy.rb b/app/policies/service_policy.rb
new file mode 100644
index 00000000000..61aff444620
--- /dev/null
+++ b/app/policies/service_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ServicePolicy < BasePolicy
+ delegate(:project)
+end
diff --git a/app/policies/terraform/state_version_policy.rb b/app/policies/terraform/state_version_policy.rb
new file mode 100644
index 00000000000..ad0b2f6d594
--- /dev/null
+++ b/app/policies/terraform/state_version_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Terraform
+ class StateVersionPolicy < BasePolicy
+ alias_method :terraform_state_version, :subject
+
+ delegate { terraform_state_version.terraform_state }
+ end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index c9dfa98b285..70e8fb32064 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -21,11 +21,13 @@ class UserPolicy < BasePolicy
enable :update_user
enable :update_user_status
enable :read_user_personal_access_tokens
+ enable :read_group_count
end
rule { default }.enable :read_user_profile
rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
rule { user_is_self | admin }.enable :disable_two_factor
+ rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
end
UserPolicy.prepend_if_ee('EE::UserPolicy')
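Review bot: The new `create_user_personal_access_token` rule uses `~blocked`, while the `read_user_profile` rule two lines above uses `blocked_user`; neither condition is defined in this hunk, so it is not clear from here whether `blocked` describes the acting user or the account the token is for. If it describes the actor, an admin can still create a personal access token for a blocked account, so confirm that is intended or add `& ~blocked_user` to the rule. A comment next to the rule stating which account each condition refers to, e.g. `# blocked: the acting user (confirm); blocked_user: the account being acted on`, would remove the ambiguity. The unchanged `disable_two_factor` rule beside it has no blocked check at all, which may be worth aligning.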