author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-20 18:19:03 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-03-20 18:19:03 +0300 |
commit | 14bd84b61276ef29b97d23642d698de769bacfd2 (patch) | |
tree | f9eba90140c1bd874211dea17750a0d422c04080 /app/policies | |
parent | 891c388697b2db0d8ee0c8358a9bdbf6dc56d581 (diff) |
Add latest changes from gitlab-org/gitlab@15-10-stable-eev15.10.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/achievements/user_achievement_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/ci/pipeline_schedule_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/ci/runner_machine_policy.rb | 18 | ||||
-rw-r--r-- | app/policies/clusters/instance_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/concerns/archived_abilities.rb | 1 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 29 | ||||
-rw-r--r-- | app/policies/issue_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/project_hook_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 26 |
10 files changed, 78 insertions, 18 deletions
diff --git a/app/policies/achievements/user_achievement_policy.rb b/app/policies/achievements/user_achievement_policy.rb
new file mode 100644
index 00000000000..b500d0a25c8
--- /dev/null
+++ b/app/policies/achievements/user_achievement_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Achievements
+ class UserAchievementPolicy < ::BasePolicy
+ delegate { @subject.achievement.namespace }
+ end
+end
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index 3a674bfef92..7b0d484f9f7 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -23,6 +23,10 @@ module Ci
 enable :update_pipeline_schedule
 end
+ # `take_ownership_pipeline_schedule` is deprecated, and should not be used. It can be removed in 17.0
+ # once the deprecated field `take_ownership_pipeline_schedule` is removed from the GraphQL type
+ # `PermissionTypes::Ci::PipelineSchedules`.
+ # Use `admin_pipeline_schedule` to decide if a user has the ability to take ownership of a pipeline schedule.
 rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do
 enable :take_ownership_pipeline_schedule
 end
diff --git a/app/policies/ci/runner_machine_policy.rb b/app/policies/ci/runner_machine_policy.rb
new file mode 100644
index 00000000000..9893d7dee14
--- /dev/null
+++ b/app/policies/ci/runner_machine_policy.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Ci
+ class RunnerMachinePolicy < BasePolicy
+ with_options scope: :subject, score: 0
+
+ condition(:can_read_runner, scope: :subject) do
+ can?(:read_runner, @subject.runner)
+ end
+
+ rule { anonymous }.prevent_all
+
+ rule { can_read_runner }.policy do
+ enable :read_builds
+ enable :read_runner_machine
+ end
+ end
+end
diff --git a/app/policies/clusters/instance_policy.rb b/app/policies/clusters/instance_policy.rb
index 3c5ca4bf4e1..2781e943bae 100644
--- a/app/policies/clusters/instance_policy.rb
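Review bot: UserAchievementPolicy grants nothing itself — `delegate { @subject.achievement.namespace }` means every ability asked of a UserAchievement, including the `:award_achievement` and `:admin_achievement` that the group policy hands to maintainers, is answered by the achievement's namespace policy, and nothing in the file says so. Note also that `@subject.achievement.namespace` raises rather than denies if `achievement` is ever nil (presumably a required association; confirm). I would add above the `delegate` line: `# No abilities of its own: everything resolves against the policy of the achievement's namespace.`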
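Review bot: `condition(:can_read_runner, scope: :subject)` evaluates `can?(:read_runner, @subject.runner)`, which depends on `@user`, yet `scope: :subject` keys DeclarativePolicy's cached result on the subject alone, so a second user checked against the same runner machine within one cache lifetime (the request store, as I understand it) can inherit the first user's answer. Drop the subject scope so the cache key includes the user: `condition(:can_read_runner) do`. The `with_options scope: :subject, score: 0` on the line above appears to supply the same default to the next condition and should lose `scope: :subject` as well, keeping `score: 0` if the cheap-first ordering is wanted. A subject-scoped condition should read only `@subject`, as `achievements_enabled` does in group_policy.rb in this same commit.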
+++ b/app/policies/clusters/instance_policy.rb
@@ -9,6 +9,7 @@ module Clusters
 enable :update_cluster
 enable :admin_cluster
 enable :read_prometheus
+ enable :use_k8s_proxies
 end
 end
 end
diff --git a/app/policies/concerns/archived_abilities.rb b/app/policies/concerns/archived_abilities.rb
index b4dfad599c7..7d61f83528e 100644
--- a/app/policies/concerns/archived_abilities.rb
+++ b/app/policies/concerns/archived_abilities.rb
@@ -37,6 +37,7 @@ module ArchivedAbilities
 pages
 cluster
 release
+ timelog
 ].freeze
 class_methods do
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index d028738ccc9..b64e7e16433 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -23,9 +23,11 @@ class GlobalPolicy < BasePolicy
 condition(:migration_bot, scope: :user) { @user&.migration_bot? }
 condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_admin, @user)
 end
+ condition(:service_account, scope: :user) { @user&.service_account? }
+
 rule { anonymous }.policy do
 prevent :log_in
 prevent :receive_notifications
@@ -64,7 +66,7 @@ class GlobalPolicy < BasePolicy
 prevent :access_git
 end
- rule { project_bot }.policy do
+ rule { project_bot | service_account }.policy do
 prevent :log_in
 prevent :receive_notifications
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6cc65248914..ee1140b8405 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
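Review bot: The new `rule { project_bot | service_account }` does not say why a service account shares the project-bot restrictions, and `:log_in` and `:receive_notifications` are the only abilities it withholds — `:access_api` and `:access_git`, visible in the hunk's context just above, are untouched, so a service account is presumably meant to act through tokens only; confirm that is the intent. A one-line comment above the rule would save the next reader the guess: `# Project bots and service accounts are non-interactive identities: no UI sign-in, no notifications.`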
@@ -85,7 +85,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
 condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, group)
+ end
+
+ condition(:achievements_enabled, scope: :subject) do
+ Feature.enabled?(:achievements, @subject)
 end
 condition(:group_runner_registration_allowed, scope: :subject) do
@@ -131,9 +135,17 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_group_member
 enable :read_custom_emoji
 enable :read_counts
+ end
+
+ rule { can?(:read_group) & achievements_enabled }.policy do
 enable :read_achievement
 end
+ rule { can?(:maintainer_access) & achievements_enabled }.policy do
+ enable :admin_achievement
+ enable :award_achievement
+ end
+
 rule { ~public_group & ~has_access }.prevent :read_counts
 rule { ~can_read_group_member }.policy do
@@ -147,17 +159,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { has_access }.enable :read_namespace
 rule { developer }.policy do
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
 enable :create_custom_emoji
 enable :create_package
 enable :developer_access
 enable :admin_crm_organization
 enable :admin_crm_contact
 enable :read_cluster
- enable :read_group_all_available_runners
+ enable :use_k8s_proxies
 end
 rule { reporter }.policy do
@@ -191,7 +201,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :maintainer_access
 enable :read_upload
 enable :destroy_upload
- enable :admin_achievement
 end
 rule { owner }.policy do
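Review bot: `create_runner_workflow_enabled` now depends only on the group (`Feature.enabled?(:create_runner_workflow_for_namespace, group)`), so unlike its neighbours it could be declared `condition(:create_runner_workflow_enabled, scope: :subject) do` and let DeclarativePolicy cache it per group instead of per user/subject pair. It also names the subject `group` while the adjacent new `achievements_enabled` uses `@subject`; worth aligning while both lines are being touched, unless `group` deliberately differs from `@subject` here (its definition is outside this hunk).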
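Review bot: `enable :use_k8s_proxies` lands in the `rule { developer }` block next to `:read_cluster`, and its name suggests it lets a user proxy requests to cluster APIs through the agent, yet nothing in the policy ties it to a per-cluster or per-agent check — the implicit assumption must be that the agent's own user-access configuration still authorizes each proxied request, which should be confirmed and written down. The same hunk drops `:read_group_all_available_runners` from developers with no replacement in view; if it moved to a higher role outside this hunk that is fine, otherwise any remaining `can?(:read_group_all_available_runners, group)` check now fails closed. I would add above the new line: `# NOTE(review): assumes the agent's user-access config gates each proxied request — confirm`.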
@@ -246,7 +255,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { ~can?(:view_globally) }.prevent :request_access
 rule { has_access }.prevent :request_access
- rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
+ rule do
+ owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock)
+ end.enable :change_share_with_group_lock
 rule { developer & developer_maintainer_access }.enable :create_projects
 rule { create_projects_disabled }.prevent :create_projects
@@ -325,6 +336,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_observability
 end
+ rule { can?(:maintainer_access) & observability_enabled }.policy do
+ enable :admin_observability
+ end
+
 rule { ~create_runner_workflow_enabled }.policy do
 prevent :create_group_runners
 end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index d1e35793c64..804709ed072 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -59,6 +59,7 @@ class IssuePolicy < IssuablePolicy
 rule { ~can?(:read_issue) }.policy do
 prevent :read_design
 prevent :create_design
+ prevent :update_design
 prevent :destroy_design
 end
diff --git a/app/policies/project_hook_policy.rb b/app/policies/project_hook_policy.rb
index c177fabb1ba..b4590c13670 100644
--- a/app/policies/project_hook_policy.rb
+++ b/app/policies/project_hook_policy.rb
@@ -1,10 +1,9 @@
 # frozen_string_literal: true
 class ProjectHookPolicy < ::BasePolicy
- delegate(:project)
+ delegate { @subject.project }
 rule { can?(:admin_project) }.policy do
- enable :read_web_hook
 enable :destroy_web_hook
 end
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 875520d24be..a955de77309 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
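Review bot: Removing `enable :read_web_hook` leaves no grant for that ability in ProjectHookPolicy, and because the policy delegates to the project, any caller still checking `can?(:read_web_hook, hook)` now gets whatever ProjectPolicy answers — which in this same commit also drops `:read_web_hooks` from maintainers. That fails closed rather than open, so it is not a privilege leak, but it is worth confirming that every call site was moved to `:admin_project` (or `:destroy_web_hook`) instead of silently denying hook reads to users who had them before. If that is the intent, a comment on the surviving rule would record it: `# Reading a hook is covered by :admin_project on the delegated project policy.`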
@@ -234,8 +234,12 @@ class ProjectPolicy < BasePolicy
 Gitlab.config.packages.enabled
 end
+ condition :terraform_state_disabled do
+ !Gitlab.config.terraform_state.enabled
+ end
+
 condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace)
 end
 # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
@@ -257,6 +261,7 @@ class ProjectPolicy < BasePolicy
 enable :reporter_access
 enable :developer_access
 enable :maintainer_access
+ enable :add_catalog_resource
 enable :change_namespace
 enable :change_visibility_level
@@ -353,6 +358,7 @@ class ProjectPolicy < BasePolicy
 enable :read_ci_cd_analytics
 enable :read_external_emails
 enable :read_grafana
+ enable :export_work_items
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -404,11 +410,15 @@ class ProjectPolicy < BasePolicy
 end
 rule { infrastructure_disabled }.policy do
- prevent(*create_read_update_admin_destroy(:terraform_state))
 prevent(*create_read_update_admin_destroy(:cluster))
 prevent(:read_pod_logs)
 prevent(:read_prometheus)
 prevent(:admin_project_google_cloud)
+ prevent(:admin_project_aws)
+ end
+
+ rule { infrastructure_disabled | terraform_state_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:terraform_state))
 end
 rule { can?(:metrics_dashboard) }.policy do
@@ -429,6 +439,7 @@ class ProjectPolicy < BasePolicy
 rule { ~request_access_enabled }.prevent :request_access
 rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
+ rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items
 rule { can?(:developer_access) }.policy do
 enable :create_package
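Review bot: `condition :terraform_state_disabled` reads only `Gitlab.config.terraform_state.enabled`, which depends on neither the user nor the project, so it can be declared `condition(:terraform_state_disabled, scope: :global) do` and be evaluated once per cache rather than once per user/project pair. The prevent rule it feeds, `rule { infrastructure_disabled | terraform_state_disabled }`, looks right as written: a prevent overrides the developer-level `:read_terraform_state` grant elsewhere in this file, so disabling the feature instance-wide cannot be bypassed by role.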
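Review bot: `import_work_items` is enabled at `reporter_access`, one role below the `developer_access` that `import_issues` on the line directly above still requires, although both are bulk-creation paths and a work item is at least as capable as an issue. If reporters are meant to bulk-import because they can already create work items one at a time, say so in a comment next to the rule; otherwise align the two: `rule { can?(:developer_access) & can?(:create_work_item) }.enable :import_work_items`.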
@@ -455,15 +466,15 @@ class ProjectPolicy < BasePolicy
 enable :create_deployment
 enable :update_deployment
 enable :read_cluster
+ enable :use_k8s_proxies
 enable :create_release
 enable :update_release
 enable :destroy_release
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
 enable :read_alert_management_alert
 enable :update_alert_management_alert
 enable :create_design
+ enable :update_design
 enable :move_design
 enable :destroy_design
 enable :read_terraform_state
@@ -477,7 +488,6 @@ class ProjectPolicy < BasePolicy
 enable :update_escalation_status
 enable :read_secure_files
 enable :update_sentry_issue
- enable :read_airflow_dags
 end
 rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -531,8 +541,8 @@ class ProjectPolicy < BasePolicy
 enable :create_project_runners
 enable :update_runners_registration_token
 enable :admin_project_google_cloud
+ enable :admin_project_aws
 enable :admin_secure_files
- enable :read_web_hooks
 enable :read_upload
 enable :destroy_upload
 enable :admin_incident_management_timeline_event_tag
@@ -752,6 +762,7 @@ class ProjectPolicy < BasePolicy
 prevent :read_design
 prevent :read_design_activity
 prevent :create_design
+ prevent :update_design
 prevent :destroy_design
 prevent :move_design
 end
@@ -780,6 +791,7 @@ class ProjectPolicy < BasePolicy
 rule { write_package_registry_deploy_token }.policy do
 enable :create_package
 enable :read_package
+ enable :destroy_package
 enable :read_project
 end
|
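Review bot: Adding `enable :destroy_package` to `rule { write_package_registry_deploy_token }` turns a publish-scoped deploy token into one that can delete packages, which changes the blast radius of a leaked CI token from "can push a bad version" to "can remove published artifacts". Deploy tokens are long-lived and routinely shared across pipelines, so this widening deserves an explicit note here and a check that the documented meaning of the `write_package_registry` scope is updated to match; the condition defining `write_package_registry_deploy_token` is outside this hunk. I would add above the rule: `# NOTE: write_package_registry deploy tokens may also delete packages — keep in sync with the documented token scopes.`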