Add latest changes from gitlab-org/gitlab@13-1-stable-ee

6 files changed, 77 insertions, 18 deletions

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 12892a69257..0879a740f8a 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -36,6 +36,10 @@ module Ci
       @subject.has_terminal?
     end
 
+    condition(:is_web_ide_terminal, scope: :subject) do
+      @subject.pipeline.webide?
+    end
+
     rule { protected_ref | archived }.policy do
       prevent :update_build
       prevent :update_commit_status
@@ -50,6 +54,24 @@ module Ci
     end
 
     rule { can?(:update_build) & terminal }.enable :create_build_terminal
+
+    rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
+      enable :read_web_ide_terminal
+      enable :update_web_ide_terminal
+    end
+
+    rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
+      prevent :create_build_terminal
+    end
+
+    rule { can?(:update_web_ide_terminal) & terminal }.policy do
+      enable :create_build_terminal
+      enable :create_build_service_proxy
+    end
+
+    rule { ~can?(:build_service_proxy_enabled) }.policy do
+      prevent :create_build_service_proxy
+    end
   end
 end
 
diff --git a/app/policies/container_expiration_policy_policy.rb b/app/policies/container_expiration_policy_policy.rb
new file mode 100644
index 00000000000..709435f47d3
--- /dev/null
+++ b/app/policies/container_expiration_policy_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ContainerExpirationPolicyPolicy < BasePolicy
+  delegate { @subject.project }
+end
diff --git a/app/policies/draft_note_policy.rb b/app/policies/draft_note_policy.rb
new file mode 100644
index 00000000000..be99d12c5f8
--- /dev/null
+++ b/app/policies/draft_note_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class DraftNotePolicy < BasePolicy
+  delegate { @subject.merge_request }
+
+  condition(:is_author) { @user && @subject.author == @user }
+
+  rule { is_author }.policy do
+    enable :read_note
+    enable :admin_note
+    enable :resolve_note
+  end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 8df4fc5e88c..f87c72007ec 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -147,6 +147,10 @@ class ProjectPolicy < BasePolicy
     @user && @user.confirmed?
   end
 
+  condition(:build_service_proxy_enabled) do
+    ::Feature.enabled?(:build_service_proxy, @subject)
+  end
+
   features = %w[
     merge_requests
     issues
@@ -278,7 +282,6 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:metrics_dashboard) }.policy do
     enable :read_prometheus
-    enable :read_environment
     enable :read_deployment
   end
 
@@ -429,27 +432,11 @@ class ProjectPolicy < BasePolicy
   rule { builds_disabled | repository_disabled }.policy do
     prevent(*create_read_update_admin_destroy(:build))
     prevent(*create_read_update_admin_destroy(:pipeline_schedule))
+    prevent(*create_read_update_admin_destroy(:environment))
     prevent(*create_read_update_admin_destroy(:cluster))
     prevent(*create_read_update_admin_destroy(:deployment))
   end
 
-  # Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is
-  # necessary due to the route for metrics dashboard requiring an environment id.
-  # This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when
-  # environments and metrics are decoupled and these rules will be removed.
-
-  rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do
-    prevent(*create_read_update_admin_destroy(:environment))
-  end
-
-  rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do
-    prevent :create_environment
-    prevent :update_environment
-    prevent :admin_environment
-    prevent :destroy_environment
-    enable :read_environment
-  end
-
   # There's two separate cases when builds_disabled is true:
   # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled
   #   - We do not prevent the user from accessing Pipelines to allow them to access external CI
@@ -577,6 +564,18 @@ class ProjectPolicy < BasePolicy
     enable :read_project
   end
 
+  rule { can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal
+
+  rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
+
+  rule { can?(:download_code) }.policy do
+    enable :read_repository_graphs
+  end
+
+  rule { can?(:read_build) & can?(:read_pipeline) }.policy do
+    enable :read_build_report_results
+  end
+
   private
 
   def team_member?
diff --git a/app/policies/releases/link_policy.rb b/app/policies/releases/link_policy.rb
new file mode 100644
index 00000000000..4a662fafb2f
--- /dev/null
+++ b/app/policies/releases/link_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Releases
+  class LinkPolicy < BasePolicy
+    delegate { @subject.release.project }
+  end
+end
diff --git a/app/policies/releases/source_policy.rb b/app/policies/releases/source_policy.rb
new file mode 100644
index 00000000000..8b86b925589
--- /dev/null
+++ b/app/policies/releases/source_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Releases
+  class SourcePolicy < BasePolicy
+    delegate { @subject.project }
+
+    rule { can?(:public_access) | can?(:reporter_access) }.policy do
+      enable :read_release_sources
+    end
+
+    rule { ~can?(:read_release) }.prevent :read_release_sources
+  end
+end