Add latest changes from gitlab-org/gitlab@15-9-stable-eev15.9.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-20 16:49:51 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-02-20 16:49:51 +0300
commit: 71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e (patch)
tree: 6a2d93ef3fb2d353bb7739e4b57e6541f51cdd71 /app/policies
parent: a7253423e3403b8c08f8a161e5937e1488f5f407 (diff)
7 files changed, 53 insertions, 32 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 1c23b367489..7b01dccff87 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -9,6 +9,10 @@ module Ci
       @user.owns_runner?(@subject)
     end
 
+    condition(:creator) do
+      @user == @subject.creator
+    end
+
     with_options scope: :subject, score: 0
     condition(:is_instance_runner) do
       @subject.instance_type?
@@ -72,6 +76,8 @@ module Ci
     rule { ~admin & belongs_to_multiple_projects }.prevent :delete_runner
 
     rule { ~admin & locked }.prevent :assign_runner
+
+    rule { creator }.enable :read_ephemeral_token
   end
 end
 
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index fa7b117f3cd..d028738ccc9 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,6 +22,10 @@ class GlobalPolicy < BasePolicy
   condition(:project_bot, scope: :user) { @user&.project_bot? }
   condition(:migration_bot, scope: :user) { @user&.migration_bot? }
 
+  condition(:create_runner_workflow_enabled) do
+    Feature.enabled?(:create_runner_workflow)
+  end
+
   rule { anonymous }.policy do
     prevent :log_in
     prevent :receive_notifications
@@ -115,6 +119,11 @@ class GlobalPolicy < BasePolicy
     enable :approve_user
     enable :reject_user
     enable :read_usage_trends_measurement
+    enable :create_instance_runners
+  end
+
+  rule { ~create_runner_workflow_enabled }.policy do
+    prevent :create_instance_runners
   end
 
   # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index b2325b7acac..6cc65248914 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -76,6 +76,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   with_scope :subject
   condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
   condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
+  condition(:resource_access_token_create_feature_available) { resource_access_token_create_feature_available? }
 
   with_scope :subject
   condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
@@ -83,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   with_scope :subject
   condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
 
+  condition(:create_runner_workflow_enabled) do
+    Feature.enabled?(:create_runner_workflow)
+  end
+
   condition(:group_runner_registration_allowed, scope: :subject) do
     Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
   end
@@ -199,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :read_group_runners
     enable :admin_group_runners
     enable :register_group_runners
+    enable :create_group_runners
 
     enable :set_note_created_at
     enable :set_emails_disabled
@@ -277,8 +283,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :destroy_resource_access_tokens
   end
 
-  rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do
-    enable :admin_setting_to_allow_project_access_token_creation
+  rule { can?(:admin_group) & resource_access_token_create_feature_available }.policy do
+    enable :admin_setting_to_allow_resource_access_token_creation
   end
 
   rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
@@ -307,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 
   rule { ~admin & ~group_runner_registration_allowed }.policy do
     prevent :register_group_runners
+    prevent :create_group_runners
   end
 
   rule { migration_bot }.policy do
@@ -318,6 +325,13 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     enable :read_observability
   end
 
+  rule { ~create_runner_workflow_enabled }.policy do
+    prevent :create_group_runners
+  end
+
+  # Should be matched with ProjectPolicy#read_internal_note
+  rule { admin | reporter }.enable :read_internal_note
+
   def access_level(for_any_session: false)
     return GroupMember::NO_ACCESS if @user.nil?
     return GroupMember::NO_ACCESS unless user_is_user?
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 52796ed1a1d..496708a9737 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -57,11 +57,6 @@ class IssuablePolicy < BasePolicy
     enable :read_issuable
     enable :read_issuable_participables
   end
-
-  # This rule replicates permissions in NotePolicy#can_read_internal_note
-  rule { can?(:reporter_access) | admin }.policy do
-    enable :read_internal_note
-  end
 end
 
 IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index ccc095f37da..189609c2600 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -26,12 +26,6 @@ class NotePolicy < BasePolicy
       @subject.noteable.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
   end
 
-  # Should be matched with IssuablePolicy#read_internal_note
-  # and EpicPolicy#read_internal_note
-  condition(:can_read_internal_note) do
-    access_level >= Gitlab::Access::REPORTER || admin?
-  end
-
   rule { ~notes_widget_enabled }.prevent_all
 
   rule { ~editable }.prevent :admin_note
@@ -67,11 +61,11 @@ class NotePolicy < BasePolicy
     enable :resolve_note
   end
 
-  rule { can_read_internal_note }.policy do
+  rule { can?(:read_internal_note) }.policy do
     enable :mark_note_as_internal
   end
 
-  rule { internal & ~can_read_internal_note }.policy do
+  rule { internal & ~can?(:read_internal_note) }.policy do
     prevent :read_note
     prevent :admin_note
     prevent :resolve_note
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
index 0fb5953f2aa..35161fd95f1 100644
--- a/app/policies/packages/policies/project_policy.rb
+++ b/app/policies/packages/policies/project_policy.rb
@@ -7,25 +7,10 @@ module Packages
 
       overrides(:read_package)
 
-      condition(:package_registry_access_level_feature_flag_enabled, scope: :subject) do
-        ::Feature.enabled?(:package_registry_access_level, @subject)
-      end
-
       condition(:packages_enabled_for_everyone, scope: :subject) do
         @subject.package_registry_access_level == ProjectFeature::PUBLIC
       end
 
-      # This rule can be removed if the `package_registry_access_level` feature flag is removed.
-      # Reason: If the feature flag is globally enabled, this rule will never be executed.
-      rule { anonymous & ~project.public_project & ~package_registry_access_level_feature_flag_enabled }.prevent_all
-
-      # This rule can be removed if the `package_registry_access_level` feature flag is removed.
-      # Reason: If the feature flag is globally enabled, this rule will never be executed.
-      rule do
-        ~project.public_project & ~project.internal_access &
-          ~project.project_allowed_for_job_token & ~package_registry_access_level_feature_flag_enabled
-      end.prevent_all
-
       rule { project.packages_disabled }.policy do
         prevent(:read_package)
       end
@@ -46,7 +31,7 @@ module Packages
         enable :read_package
       end
 
-      rule { package_registry_access_level_feature_flag_enabled & packages_enabled_for_everyone }.policy do
+      rule { packages_enabled_for_everyone }.policy do
         enable :read_package
       end
     end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b85a57f81cd..875520d24be 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -121,7 +121,7 @@ class ProjectPolicy < BasePolicy
 
   desc "If user is authenticated via CI job token then the target project should be in scope"
   condition(:project_allowed_for_job_token) do
-    !@user&.from_ci_job_token? || @user.ci_job_token_scope.allows?(project)
+    !@user&.from_ci_job_token? || @user.ci_job_token_scope.accessible?(project)
   end
 
   with_scope :subject
@@ -234,6 +234,10 @@ class ProjectPolicy < BasePolicy
     Gitlab.config.packages.enabled
   end
 
+  condition(:create_runner_workflow_enabled) do
+    Feature.enabled?(:create_runner_workflow)
+  end
+
   # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
   # not.
   rule { guest | admin }.enable :read_project_for_iids
@@ -272,6 +276,7 @@ class ProjectPolicy < BasePolicy
     enable :set_warn_about_potentially_unwanted_characters
 
     enable :register_project_runners
+    enable :create_project_runners
     enable :manage_owners
   end
 
@@ -301,6 +306,8 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
 
+  rule { can?(:reporter_access) & can?(:read_environment) }.enable :read_freeze_period
+
   rule { can?(:create_issue) }.enable :create_work_item
 
   rule { can?(:create_issue) }.enable :create_task
@@ -344,6 +351,7 @@ class ProjectPolicy < BasePolicy
     enable :read_package
     enable :read_product_analytics
     enable :read_ci_cd_analytics
+    enable :read_external_emails
     enable :read_grafana
   end
 
@@ -469,6 +477,7 @@ class ProjectPolicy < BasePolicy
     enable :update_escalation_status
     enable :read_secure_files
     enable :update_sentry_issue
+    enable :read_airflow_dags
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -519,6 +528,7 @@ class ProjectPolicy < BasePolicy
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
     enable :register_project_runners
+    enable :create_project_runners
     enable :update_runners_registration_token
     enable :admin_project_google_cloud
     enable :admin_secure_files
@@ -823,6 +833,7 @@ class ProjectPolicy < BasePolicy
 
   rule { ~admin & ~project_runner_registration_allowed }.policy do
     prevent :register_project_runners
+    prevent :create_project_runners
   end
 
   rule { can?(:admin_project_member) }.policy do
@@ -847,6 +858,13 @@ class ProjectPolicy < BasePolicy
     enable :read_code
   end
 
+  rule { ~create_runner_workflow_enabled }.policy do
+    prevent :create_project_runners
+  end
+
+  # Should be matched with GroupPolicy#read_internal_note
+  rule { admin | can?(:reporter_access) }.enable :read_internal_note
+
   private
 
   def user_is_user?
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-02-20 16:49:51 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-02-20 16:49:51 +0300
commit	71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e (patch)
tree	6a2d93ef3fb2d353bb7739e4b57e6541f51cdd71 /app/policies
parent	a7253423e3403b8c08f8a161e5937e1488f5f407 (diff)