author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-21 02:50:22 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-04-21 02:50:22 +0300 |
commit | 9dc93a4519d9d5d7be48ff274127136236a3adb3 (patch) | |
tree | 70467ae3692a0e35e5ea56bcb803eb512a10bedb /app/policies | |
parent | 4b0f34b6d759d6299322b3a54453e930c6121ff0 (diff) |
Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/base_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 20 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/packages/conan/file_metadatum_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/packages/conan/metadatum_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/packages/package_file_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 27 | ||||
-rw-r--r-- | app/policies/timelog_policy.rb | 5 |
9 files changed, 68 insertions, 12 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index e32a889c906..1c19751cf0d 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -6,7 +6,7 @@ class BasePolicy < DeclarativePolicy::Base
 desc "User is an instance admin"
 with_options scope: :user, score: 0
 condition(:admin) do
- if Feature.enabled?(:user_mode_in_session)
+ if Gitlab::CurrentSettings.admin_mode
 Gitlab::Auth::CurrentUserMode.new(@user).admin_mode?
 else
 @user&.admin?
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 1dd650c8a90..8a4cae232a0 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -4,7 +4,7 @@ class GroupMemberPolicy < BasePolicy
 delegate :group

 with_scope :subject
- condition(:last_owner) { @subject.group.last_owner?(@subject.user) || @subject.group.last_blocked_owner?(@subject.user) }
+ condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }

 desc "Membership is users' own"
 with_score 0
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 53286cf1fdf..fc24525ade7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -61,7 +61,8 @@ class GroupPolicy < BasePolicy
 end

 with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }

 with_scope :subject
 condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
@@ -130,6 +131,7 @@ class GroupPolicy < BasePolicy
 enable :read_prometheus
 enable :read_package
 enable :read_package_settings
+ enable :read_group_timelogs
 end

 rule { maintainer }.policy do
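Review bot: The new `Gitlab::CurrentSettings.admin_mode` branch in `condition(:admin)` deserves a comment, because the `else` arm means that with the setting off every admin account is treated as elevated on every request without any re-authentication; the setting decides whether admin rights are session-gated, not whether the account is an admin. Suggested comment above the `if`: `# admin_mode setting on: admin rights need an active admin-mode session; off: any admin user is always elevated`. Note the condition is declared with `with_options scope: :user, score: 0`, so its result is reused for the user within the policy cache, which a reader may want spelled out. The `condition(:admin)` block closes outside the hunk.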
@@ -212,8 +214,14 @@ class GroupPolicy < BasePolicy
 rule { developer & dependency_proxy_available }
 .enable :admin_dependency_proxy

- rule { resource_access_token_available & can?(:admin_group) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_group) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
+ enable :admin_setting_to_allow_project_access_token_creation
+ end
+
+ rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
+ enable :create_resource_access_tokens
 end

 rule { support_bot & has_project_with_service_desk_enabled }.policy do
@@ -241,9 +249,13 @@ class GroupPolicy < BasePolicy
 @subject
 end

- def resource_access_token_available?
+ def resource_access_token_feature_available?
 true
 end
+
+ def resource_access_token_creation_allowed?
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
 end

 GroupPolicy.prepend_if_ee('EE::GroupPolicy')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 38f0f165376..d9ea7c38f11 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -76,7 +76,7 @@ class NotePolicy < BasePolicy
 def parent_namespace
 strong_memoize(:parent_namespace) do
 next if @subject.is_a?(PersonalSnippet)
- next @subject.noteable.group if @subject.noteable&.is_a?(Epic)
+ next @subject.noteable.group if @subject.noteable.is_a?(Epic)
 @subject.project
 end
 end
diff --git a/app/policies/packages/conan/file_metadatum_policy.rb b/app/policies/packages/conan/file_metadatum_policy.rb
new file mode 100644
index 00000000000..ac1ffb3ea93
--- /dev/null
+++ b/app/policies/packages/conan/file_metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Conan
+ class FileMetadatumPolicy < BasePolicy
+ delegate { @subject.package_file.package }
+ end
+ end
+end
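Review bot: `resource_access_token_creation_allowed?` in the `@@ -241` hunk reaches through `group.root_ancestor.namespace_settings` with no nil guard, so if a root namespace can exist without a settings row (not verifiable from this diff) the `can?(:create_resource_access_tokens)` evaluation raises instead of denying; if that case is real, `namespace_settings&.resource_access_token_creation_allowed?` fails closed because a nil condition result is falsy in the rule, otherwise the hard error is an acceptable bug signal and should be a deliberate choice. Either way a comment on the method would help the next reader understand the trust boundary: `# Read from the root ancestor only, so a subgroup cannot loosen the top-level setting`. The same expression is repeated in ProjectPolicy's counterpart at the end of this commit, which is where the two helpers diverge. The GroupPolicy class body closes inside this hunk.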
diff --git a/app/policies/packages/conan/metadatum_policy.rb b/app/policies/packages/conan/metadatum_policy.rb
new file mode 100644
index 00000000000..8622da015c6
--- /dev/null
+++ b/app/policies/packages/conan/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Conan
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/packages/package_file_policy.rb b/app/policies/packages/package_file_policy.rb
new file mode 100644
index 00000000000..e98f74204e8
--- /dev/null
+++ b/app/policies/packages/package_file_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class PackageFilePolicy < BasePolicy
+ delegate { @subject.package }
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index de80f2f72b8..c577c8c8471 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }

 with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }

 # We aren't checking `:read_issue` or `:read_merge_request` in this case
 # because it could be possible for a user to see an issuable-iid
@@ -259,6 +260,7 @@ class ProjectPolicy < BasePolicy
 enable :read_confidential_issues
 enable :read_package
 enable :read_product_analytics
+ enable :read_group_timelogs
 end

 # We define `:public_user_access` separately because there are cases in gitlab-ee
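Review bot: `enable :read_group_timelogs` in the `@@ -259` hunk of ProjectPolicy grants an ability whose name says "group" from a project policy, and the new `TimelogPolicy` in this commit delegates to `@subject.issuable.resource_parent`, so the same ability is resolved against either a project or a group depending on the timelog's issuable; a one-line comment next to the enable would save the next reader a detour: `# TimelogPolicy delegates to the issuable's resource parent, which may be this project or a group`. The rule block that contains these `enable` lines starts outside the hunk, so the role it applies to is not visible here.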
@@ -631,11 +633,18 @@ class ProjectPolicy < BasePolicy

 rule { project_bot }.enable :project_bot_access

- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
 end

- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end

 rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
 enable :set_pipeline_variables
@@ -719,10 +728,18 @@ class ProjectPolicy < BasePolicy
 end
 end

- def resource_access_token_available?
+ def resource_access_token_feature_available?
 true
 end

+ def resource_access_token_creation_allowed?
+ group = project.group
+
+ return true unless group # always enable for projects in personal namespaces
+
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
+
 def project
 @subject
 end
diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb
index 00000000000..0598817d4e0
new file mode 100644
--- /dev/null
+++ b/app/policies/timelog_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class TimelogPolicy < BasePolicy
+ delegate { @subject.issuable.resource_parent }
+end
|
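Review bot: The `project_bot_access` guard in the `@@ -631` hunk narrows from preventing `admin_resource_access_tokens` to preventing only `create_resource_access_tokens`, so a project bot whose membership grants `admin_project` now satisfies the new read/destroy rule above it and can list and revoke the project's other access tokens, which the old single `prevent` blocked outright. If that widening is intended, say so next to the rule, e.g. `# bots may manage existing tokens but must not mint new ones`; if not, the `prevent` block should also list `read_resource_access_tokens` and `destroy_resource_access_tokens`. Whether a bot membership can actually carry `admin_project` is decided by role assignment outside this diff, so treat this as a question to confirm rather than a confirmed hole.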
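Review bot: `resource_access_token_creation_allowed?` in the `@@ -719` hunk returns `true` for a personal-namespace project before consulting `resource_access_token_feature_available?`, whereas the GroupPolicy helper added in the same commit always ANDs the feature check in; today the ability outcome is unaffected because `create_resource_access_tokens` also requires `can?(:read_resource_access_tokens)`, which is gated on the feature, but the helper's name promises the stronger check and the two policies should read the same so a later rule change cannot silently drop the gate. Putting the feature check first keeps the personal-namespace shortcut and makes the method self-contained, as below. The method is complete within the hunk.
```ruby
def resource_access_token_creation_allowed?
  return false unless resource_access_token_feature_available?

  group = project.group
  return true unless group # personal namespaces have no group-level setting to consult

  group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
end
```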