
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-03-20 18:19:03 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-03-20 18:19:03 +0300
commit14bd84b61276ef29b97d23642d698de769bacfd2 (patch)
treef9eba90140c1bd874211dea17750a0d422c04080 /app/policies
parent891c388697b2db0d8ee0c8358a9bdbf6dc56d581 (diff)
Add latest changes from gitlab-org/gitlab@15-10-stable-eev15.10.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/achievements/user_achievement_policy.rb7
-rw-r--r--app/policies/ci/pipeline_schedule_policy.rb4
-rw-r--r--app/policies/ci/runner_machine_policy.rb18
-rw-r--r--app/policies/clusters/instance_policy.rb1
-rw-r--r--app/policies/concerns/archived_abilities.rb1
-rw-r--r--app/policies/global_policy.rb6
-rw-r--r--app/policies/group_policy.rb29
-rw-r--r--app/policies/issue_policy.rb1
-rw-r--r--app/policies/project_hook_policy.rb3
-rw-r--r--app/policies/project_policy.rb26
10 files changed, 78 insertions, 18 deletions
diff --git a/app/policies/achievements/user_achievement_policy.rb b/app/policies/achievements/user_achievement_policy.rb
new file mode 100644
index 00000000000..b500d0a25c8
--- /dev/null
+++ b/app/policies/achievements/user_achievement_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Achievements
+ class UserAchievementPolicy < ::BasePolicy
+ delegate { @subject.achievement.namespace }
+ end
+end
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index 3a674bfef92..7b0d484f9f7 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -23,6 +23,10 @@ module Ci
enable :update_pipeline_schedule
end
+ # `take_ownership_pipeline_schedule` is deprecated, and should not be used. It can be removed in 17.0
+ # once the deprecated field `take_ownership_pipeline_schedule` is removed from the GraphQL type
+ # `PermissionTypes::Ci::PipelineSchedules`.
+ # Use `admin_pipeline_schedule` to decide if a user has the ability to take ownership of a pipeline schedule.
rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do
enable :take_ownership_pipeline_schedule
end
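Review bot: The new comment points callers to `admin_pipeline_schedule`, but the rule it annotates also requires `~owner_of_schedule`, so the two checks are not interchangeable as written. A caller that switches may start offering take-ownership to the schedule's current owner. I would add a line such as `# Callers must still exclude the current owner; admin_pipeline_schedule alone does not.` The enclosing policy class starts and ends outside this hunk.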
diff --git a/app/policies/ci/runner_machine_policy.rb b/app/policies/ci/runner_machine_policy.rb
new file mode 100644
index 00000000000..9893d7dee14
--- /dev/null
+++ b/app/policies/ci/runner_machine_policy.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Ci
+ class RunnerMachinePolicy < BasePolicy
+ with_options scope: :subject, score: 0
+
+ condition(:can_read_runner, scope: :subject) do
+ can?(:read_runner, @subject.runner)
+ end
+
+ rule { anonymous }.prevent_all
+
+ rule { can_read_runner }.policy do
+ enable :read_builds
+ enable :read_runner_machine
+ end
+ end
+end
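Review bot: `can_read_runner` is declared with `scope: :subject`, yet its body calls `can?(:read_runner, @subject.runner)`, which depends on the current user. As far as I understand DeclarativePolicy, a subject-scoped condition is cached per subject and shared between users, so a result computed for one user could be reused for another within the same cache. Unless that sharing is intended, drop the scope here and on the `with_options` line: `condition(:can_read_runner) do`. `score: 0` also marks the condition as free to evaluate, which a nested policy lookup is not.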
diff --git a/app/policies/clusters/instance_policy.rb b/app/policies/clusters/instance_policy.rb
index 3c5ca4bf4e1..2781e943bae 100644
--- a/app/policies/clusters/instance_policy.rb
+++ b/app/policies/clusters/instance_policy.rb
@@ -9,6 +9,7 @@ module Clusters
enable :update_cluster
enable :admin_cluster
enable :read_prometheus
+ enable :use_k8s_proxies
end
end
end
diff --git a/app/policies/concerns/archived_abilities.rb b/app/policies/concerns/archived_abilities.rb
index b4dfad599c7..7d61f83528e 100644
--- a/app/policies/concerns/archived_abilities.rb
+++ b/app/policies/concerns/archived_abilities.rb
@@ -37,6 +37,7 @@ module ArchivedAbilities
pages
cluster
release
+ timelog
].freeze
class_methods do
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index d028738ccc9..b64e7e16433 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -23,9 +23,11 @@ class GlobalPolicy < BasePolicy
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_admin, @user)
end
+ condition(:service_account, scope: :user) { @user&.service_account? }
+
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
@@ -64,7 +66,7 @@ class GlobalPolicy < BasePolicy
prevent :access_git
end
- rule { project_bot }.policy do
+ rule { project_bot | service_account }.policy do
prevent :log_in
prevent :receive_notifications
end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6cc65248914..ee1140b8405 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -85,7 +85,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, group)
+ end
+
+ condition(:achievements_enabled, scope: :subject) do
+ Feature.enabled?(:achievements, @subject)
end
condition(:group_runner_registration_allowed, scope: :subject) do
@@ -131,9 +135,17 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_member
enable :read_custom_emoji
enable :read_counts
+ end
+
+ rule { can?(:read_group) & achievements_enabled }.policy do
enable :read_achievement
end
+ rule { can?(:maintainer_access) & achievements_enabled }.policy do
+ enable :admin_achievement
+ enable :award_achievement
+ end
+
rule { ~public_group & ~has_access }.prevent :read_counts
rule { ~can_read_group_member }.policy do
@@ -147,17 +159,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { has_access }.enable :read_namespace
rule { developer }.policy do
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
enable :create_custom_emoji
enable :create_package
enable :developer_access
enable :admin_crm_organization
enable :admin_crm_contact
enable :read_cluster
-
enable :read_group_all_available_runners
+ enable :use_k8s_proxies
end
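Review bot: `use_k8s_proxies` is enabled at developer level here with no comment on what it gates; the same ability is added to the developer rule in project_policy.rb and to clusters/instance_policy.rb in this commit. Judging by the name it controls access to a Kubernetes API proxy, which is a wider capability than the neighbouring `read_cluster`, so the minimum role deserves a stated reason. Suggest a comment above the line, e.g. `# Developer is the minimum role for <what the proxy exposes>; see <issue or doc link>`. The `rule { developer }` block ends inside the hunk, but the class continues beyond it.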
rule { reporter }.policy do
@@ -191,7 +201,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :maintainer_access
enable :read_upload
enable :destroy_upload
- enable :admin_achievement
end
rule { owner }.policy do
@@ -246,7 +255,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
- rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
+ rule do
+ owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock)
+ end.enable :change_share_with_group_lock
rule { developer & developer_maintainer_access }.enable :create_projects
rule { create_projects_disabled }.prevent :create_projects
@@ -325,6 +336,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_observability
end
+ rule { can?(:maintainer_access) & observability_enabled }.policy do
+ enable :admin_observability
+ end
+
rule { ~create_runner_workflow_enabled }.policy do
prevent :create_group_runners
end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index d1e35793c64..804709ed072 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -59,6 +59,7 @@ class IssuePolicy < IssuablePolicy
rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
+ prevent :update_design
prevent :destroy_design
end
diff --git a/app/policies/project_hook_policy.rb b/app/policies/project_hook_policy.rb
index c177fabb1ba..b4590c13670 100644
--- a/app/policies/project_hook_policy.rb
+++ b/app/policies/project_hook_policy.rb
@@ -1,10 +1,9 @@
# frozen_string_literal: true
class ProjectHookPolicy < ::BasePolicy
- delegate(:project)
+ delegate { @subject.project }
rule { can?(:admin_project) }.policy do
- enable :read_web_hook
enable :destroy_web_hook
end
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 875520d24be..a955de77309 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -234,8 +234,12 @@ class ProjectPolicy < BasePolicy
Gitlab.config.packages.enabled
end
+ condition :terraform_state_disabled do
+ !Gitlab.config.terraform_state.enabled
+ end
+
condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace)
end
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
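Review bot: `condition :terraform_state_disabled do` is written without parentheses or a scope, unlike the `condition(:create_runner_workflow_enabled) do` directly below it. Its body reads only `Gitlab.config.terraform_state.enabled`, so it looks like a candidate for a global scope: `condition(:terraform_state_disabled, scope: :global) do`. The class body continues outside this hunk, so check how the other configuration-only conditions in the file are declared and match them.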
@@ -257,6 +261,7 @@ class ProjectPolicy < BasePolicy
enable :reporter_access
enable :developer_access
enable :maintainer_access
+ enable :add_catalog_resource
enable :change_namespace
enable :change_visibility_level
@@ -353,6 +358,7 @@ class ProjectPolicy < BasePolicy
enable :read_ci_cd_analytics
enable :read_external_emails
enable :read_grafana
+ enable :export_work_items
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -404,11 +410,15 @@ class ProjectPolicy < BasePolicy
end
rule { infrastructure_disabled }.policy do
- prevent(*create_read_update_admin_destroy(:terraform_state))
prevent(*create_read_update_admin_destroy(:cluster))
prevent(:read_pod_logs)
prevent(:read_prometheus)
prevent(:admin_project_google_cloud)
+ prevent(:admin_project_aws)
+ end
+
+ rule { infrastructure_disabled | terraform_state_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:terraform_state))
end
rule { can?(:metrics_dashboard) }.policy do
@@ -429,6 +439,7 @@ class ProjectPolicy < BasePolicy
rule { ~request_access_enabled }.prevent :request_access
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
+ rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items
rule { can?(:developer_access) }.policy do
enable :create_package
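Review bot: `import_work_items` is granted from `reporter_access`, while the `import_issues` rule on the line above requires `developer_access`. If the lower bar is deliberate, say so in a comment, e.g. `# Reporters may import work items because <reason>`; otherwise align it: `rule { can?(:developer_access) & can?(:create_work_item) }.enable :import_work_items`. Bulk import creates many records in one request, so the role floor is worth stating. The following `rule { can?(:developer_access) }` block runs past the end of this hunk.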
@@ -455,15 +466,15 @@ class ProjectPolicy < BasePolicy
enable :create_deployment
enable :update_deployment
enable :read_cluster
+ enable :use_k8s_proxies
enable :create_release
enable :update_release
enable :destroy_release
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
enable :read_alert_management_alert
enable :update_alert_management_alert
enable :create_design
+ enable :update_design
enable :move_design
enable :destroy_design
enable :read_terraform_state
@@ -477,7 +488,6 @@ class ProjectPolicy < BasePolicy
enable :update_escalation_status
enable :read_secure_files
enable :update_sentry_issue
- enable :read_airflow_dags
end
rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -531,8 +541,8 @@ class ProjectPolicy < BasePolicy
enable :create_project_runners
enable :update_runners_registration_token
enable :admin_project_google_cloud
+ enable :admin_project_aws
enable :admin_secure_files
- enable :read_web_hooks
enable :read_upload
enable :destroy_upload
enable :admin_incident_management_timeline_event_tag
@@ -752,6 +762,7 @@ class ProjectPolicy < BasePolicy
prevent :read_design
prevent :read_design_activity
prevent :create_design
+ prevent :update_design
prevent :destroy_design
prevent :move_design
end
@@ -780,6 +791,7 @@ class ProjectPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
enable :read_package
+ enable :destroy_package
enable :read_project
end