authorGitLab Bot <gitlab-bot@gitlab.com>2020-04-13 18:09:20 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-04-13 18:09:20 +0300
commitb77fb04678a4e76d025048e9846adc2ac709414a (patch)
treec65f719e326e1d33d313b5e9d8b3f72366ad7bd2 /app/policies
parent75ee59f7a108cf0c57e1e66e3ef5e439bae24fcd (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/concerns/crud_policy_helpers.rb (renamed from app/policies/project_policy/class_methods.rb)6
-rw-r--r--app/policies/group_policy.rb34
-rw-r--r--app/policies/issue_policy.rb2
-rw-r--r--app/policies/project_policy.rb2
4 files changed, 39 insertions, 5 deletions
diff --git a/app/policies/project_policy/class_methods.rb b/app/policies/concerns/crud_policy_helpers.rb
index 42d993406a9..d8521ca22cc 100644
--- a/app/policies/project_policy/class_methods.rb
+++ b/app/policies/concerns/crud_policy_helpers.rb
@@ -1,7 +1,9 @@
# frozen_string_literal: true
-class ProjectPolicy
- module ClassMethods
+module CrudPolicyHelpers
+ extend ActiveSupport::Concern
+
+ class_methods do
def create_read_update_admin_destroy(name)
[
:"read_#{name}",
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 5e252c8e564..a34217d90dd 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
class GroupPolicy < BasePolicy
+ include CrudPolicyHelpers
include FindGroupProjects
desc "Group is public"
@@ -42,15 +43,23 @@ class GroupPolicy < BasePolicy
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
end
+ desc "Group has wiki disabled"
+ condition(:wiki_disabled, score: 32) { !feature_available?(:wiki) }
+
rule { public_group }.policy do
enable :read_group
enable :read_package
+ enable :read_wiki
end
- rule { logged_in_viewable }.enable :read_group
+ rule { logged_in_viewable }.policy do
+ enable :read_group
+ enable :read_wiki
+ end
rule { guest }.policy do
enable :read_group
+ enable :read_wiki
enable :upload_file
end
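Review bot: The description `Group has wiki disabled` on the new `wiki_disabled` condition understates what it checks. It negates `feature_available?(:wiki)`, which (in the last hunk of this file) also returns false for a private wiki when the user is not an admin and is below the minimum access level, so the result depends on the user as well as the group. Because `read_wiki` is now enabled for `public_group`, `logged_in_viewable` and `guest`, this condition and the `prevent` rule built on it are, as far as this diff shows, what keeps a private group wiki away from anonymous and low-privilege users. I would reword it to something like `desc "Group wiki is disabled or not accessible to the current user"`, and add a policy spec for an anonymous user on a public group with a private wiki.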
@@ -78,10 +87,12 @@ class GroupPolicy < BasePolicy
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
+ enable :create_wiki
end
rule { reporter }.policy do
enable :read_container_image
+ enable :download_wiki_code
enable :admin_label
enable :admin_list
enable :admin_issue
@@ -100,6 +111,7 @@ class GroupPolicy < BasePolicy
enable :destroy_deploy_token
enable :read_deploy_token
enable :create_deploy_token
+ enable :admin_wiki
end
rule { owner }.policy do
@@ -145,6 +157,11 @@ class GroupPolicy < BasePolicy
rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+ rule { wiki_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:wiki))
+ prevent(:download_wiki_code)
+ end
+
def access_level
return GroupMember::NO_ACCESS if @user.nil?
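Review bot: The `wiki_disabled` rule prevents a hand-maintained list of abilities, so any wiki ability missing from the list stays enabled when the wiki is disabled or private. `download_wiki_code` already has to be named separately, presumably because `create_read_update_admin_destroy(:wiki)` only generates the five CRUD-style names (only `:"read_#{name}"` is visible in this diff). A comment above the rule would make the contract explicit, for example `# Every wiki ability enabled in this policy must also be prevented here.` The `access_level` method that follows the rule continues outside this hunk.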
@@ -154,6 +171,21 @@ class GroupPolicy < BasePolicy
def lookup_access_level!
@subject.max_member_access_for_user(@user)
end
+
+ # TODO: Extract this into a helper shared with ProjectPolicy, once we implement group-level features.
+ # https://gitlab.com/gitlab-org/gitlab/-/issues/208412
+ def feature_available?(feature)
+ return false unless feature == :wiki
+
+ case @subject.wiki_access_level
+ when ProjectFeature::DISABLED
+ false
+ when ProjectFeature::PRIVATE
+ admin? || access_level >= ProjectFeature.required_minimum_access_level(feature)
+ else
+ true
+ end
+ end
end
GroupPolicy.prepend_if_ee('EE::GroupPolicy')
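Review bot: `feature_available?` fails open in its `else` branch: any `wiki_access_level` other than `ProjectFeature::DISABLED` or `ProjectFeature::PRIVATE`, including `nil` or an unexpected stored value, is treated as fully available. For an authorization check it is safer to name the permitted level and deny by default, i.e. `when ProjectFeature::ENABLED` returning `true` and `else` returning `false`, provided those are the only levels a group wiki can take (not visible here). The method also has no comment explaining that the `PRIVATE` branch compares the user's group `access_level` against a project-level minimum from `ProjectFeature.required_minimum_access_level`. One line saying so would help whoever picks up the TODO.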
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index f86892227df..20df823c737 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -5,7 +5,7 @@ class IssuePolicy < IssuablePolicy
# Make sure to sync this class checks with issue.rb to avoid security problems.
# Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information.
- extend ProjectPolicy::ClassMethods
+ include CrudPolicyHelpers
desc "User can read confidential issues"
condition(:can_read_confidential) do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 0f5e4ac378e..7454343a357 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
class ProjectPolicy < BasePolicy
- extend ClassMethods
+ include CrudPolicyHelpers
READONLY_FEATURES_WHEN_ARCHIVED = %i[
issue