author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-20 16:37:47 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-12-20 16:37:47 +0300 |
commit | aee0a117a889461ce8ced6fcf73207fe017f1d99 (patch) | |
tree | 891d9ef189227a8445d83f35c1b0fc99573f4380 /app/policies | |
parent | 8d46af3258650d305f53b819eabf7ab18d22f59e (diff) |
Add latest changes from gitlab-org/gitlab@14-6-stable-eev14.6.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/clusters/agents/activity_event_policy.rb | 11 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 16 | ||||
-rw-r--r-- | app/policies/namespace_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/namespaces/group_project_namespace_shared_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/namespaces/project_namespace_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/namespaces/user_namespace_policy.rb | 5 |
6 files changed, 40 insertions, 6 deletions
diff --git a/app/policies/clusters/agents/activity_event_policy.rb b/app/policies/clusters/agents/activity_event_policy.rb new file mode 100644 index 00000000000..25fe1570b4b --- /dev/null +++ b/app/policies/clusters/agents/activity_event_policy.rb @@ -0,0 +1,11 @@ +# frozen_string_literal: true + +module Clusters + module Agents + class ActivityEventPolicy < BasePolicy + alias_method :event, :subject + + delegate { event.agent } + end + end +end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 833d5b9bd34..5c4990ffd9b 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class GroupPolicy < BasePolicy +class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy include FindGroupProjects desc "Group is public" @@ -77,6 +77,11 @@ class GroupPolicy < BasePolicy condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) } + with_scope :subject + condition(:group_runner_registration_allowed, score: 0, scope: :subject) do + Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group') + end + rule { can?(:read_group) & design_management_enabled }.policy do enable :read_design_activity end @@ -157,6 +162,7 @@ class GroupPolicy < BasePolicy enable :destroy_package enable :create_projects enable :admin_pipeline + enable :admin_group_runners enable :admin_build enable :read_cluster enable :add_cluster @@ -199,6 +205,10 @@ class GroupPolicy < BasePolicy enable :read_nested_project_resources end + rule { can?(:admin_group_runners) }.policy do + enable :register_group_runners + end + rule { owner }.enable :create_subgroup rule { maintainer & maintainer_can_create_group }.enable :create_subgroup 
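Review bot: `Clusters::Agents::ActivityEventPolicy` declares no rules of its own, so every ability on an activity event comes from `delegate { event.agent }`, and nothing in the new file says so. I would add a class comment such as `# Activity events carry no permissions of their own; access is whatever the user has on the owning agent.` The file does not show whether `event.agent` can ever be nil. If it can, the delegate yields no subject and the event should then be denied by default, which is worth a spec.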
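Review bot: In the group_policy.rb hunk at -77 the scope of `group_runner_registration_allowed` is declared twice, once by `with_scope :subject` and again by `scope: :subject` on the `condition` call; one of the two is enough, and the `crm_enabled` condition just above it appears to use only the keyword. The block never reads `@subject`: it checks a feature flag without an actor and the instance-wide `valid_runner_registrars` setting. If a global cache scope is acceptable here, `condition(:group_runner_registration_allowed, score: 0, scope: :global) do` would describe the dependency more accurately. The check is also fail-open while `runner_registration_control` is disabled, and a one-line comment saying that registration is unrestricted until the flag is on would help whoever removes the flag later.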
@@ -261,6 +271,10 @@ class GroupPolicy < BasePolicy prevent :admin_crm_organization end + rule { ~group_runner_registration_allowed }.policy do + prevent :register_group_runners + end + def access_level(for_any_session: false) return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb index 0cf1bcb9737..33c90d49f68 100644 --- a/app/policies/namespace_policy.rb +++ b/app/policies/namespace_policy.rb @@ -1,9 +1,10 @@ # frozen_string_literal: true -class NamespacePolicy < ::Namespaces::UserNamespacePolicy +class NamespacePolicy < BasePolicy # NamespacePolicy has been traditionally for user namespaces. # So these policies have been moved into Namespaces::UserNamespacePolicy. # Once the user namespace conversion is complete, we can look at # either removing this file or locating common namespace policy items # here. + # See https://gitlab.com/groups/gitlab-org/-/epics/6689 for details end diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb new file mode 100644 index 00000000000..1ed9f05306f --- /dev/null +++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +module Namespaces + class GroupProjectNamespaceSharedPolicy < ::NamespacePolicy + # Nothing here at the moment, but as we move policies from ProjectPolicy to ProjectNamespacePolicy, + # anything common with GroupPolicy but not with UserNamespacePolicy can go in here. + # See https://gitlab.com/groups/gitlab-org/-/epics/6689 + end +end diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb index bc08a7a45ed..33aadc7c411 100644 --- a/app/policies/namespaces/project_namespace_policy.rb +++ b/app/policies/namespaces/project_namespace_policy.rb 
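Review bot: The `prevent :register_group_runners` rule in the group_policy.rb hunk at -261 blocks only the new ability, while `admin_group_runners` (enabled in the hunk at -157 and used as the precondition in the hunk at -199) stays granted when 'group' is absent from `valid_runner_registrars`. Any caller that still gates displaying or resetting the group's runner registration token on `admin_group_runners` would not be covered by the restriction. Those callers are outside this diff, so this needs confirming against the code that handles the token. A policy spec asserting that an owner keeps `admin_group_runners` but is denied `register_group_runners` when the setting excludes groups would pin the intended split. The rule could also use the file's one-line form, `rule { ~group_runner_registration_allowed }.prevent :register_group_runners`.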
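Review bot: After the namespace_policy.rb change `NamespacePolicy` has no rules of its own, so a subject that resolves to it directly, rather than to `Namespaces::UserNamespacePolicy` or `GroupPolicy`, gets only what `BasePolicy` provides. If any namespace records are instantiated as the base class (not visible here, so an assumption to confirm), they would lose abilities such as `create_projects` and `transfer_projects` that they previously had through the old superclass. That outcome is fail-closed rather than a privilege gain, but it would surface as unexplained denials. I would extend the class comment with `# This class intentionally defines no rules; a subject resolved to it directly is granted nothing beyond BasePolicy.` and add a spec for that case.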
@@ -1,7 +1,7 @@ # frozen_string_literal: true module Namespaces - class ProjectNamespacePolicy < BasePolicy + class ProjectNamespacePolicy < Namespaces::GroupProjectNamespaceSharedPolicy # For now users are not granted any permissions on project namespace # as it's completely hidden to them. When we start using project # namespaces in queries, we will have to extend this policy. diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb index f8b285e5312..09b0f5d608d 100644 --- a/app/policies/namespaces/user_namespace_policy.rb +++ b/app/policies/namespaces/user_namespace_policy.rb @@ -1,10 +1,9 @@ # frozen_string_literal: true module Namespaces - class UserNamespacePolicy < BasePolicy + class UserNamespacePolicy < ::NamespacePolicy rule { anonymous }.prevent_all - condition(:personal_project, scope: :subject) { @subject.kind == 'user' } condition(:can_create_personal_project, scope: :user) { @user.can_create_project? } condition(:owner) { @subject.owner == @user } @@ -19,7 +18,7 @@ module Namespaces enable :read_package_settings end - rule { personal_project & ~can_create_personal_project }.prevent :create_projects + rule { ~can_create_personal_project }.prevent :create_projects rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects end |
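Review bot: With the `personal_project` condition removed in user_namespace_policy.rb, `rule { ~can_create_personal_project }.prevent :create_projects` (hunk at -19) applies to every subject this policy is evaluated for, so it is only correct if `UserNamespacePolicy` is used solely for user namespaces. The old `@subject.kind == 'user'` guard presumably kept the prevent away from other namespace kinds while `NamespacePolicy` inherited from this class. This commit reverses that inheritance, but nothing in the file records the assumption. I would add a comment above the rule such as `# Only user namespaces are evaluated by this policy; do not subclass it for other namespace kinds.` so a later subclass does not inherit the prevent by accident. The class body continues outside both hunks.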