author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-07 01:30:08 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-01-07 01:30:24 +0300 |
commit | b9b8440df6afd24ba540343c612e522f52bea0db (patch) | |
tree | aecce7c15523692907d333edeb7c4f1a6d1044fc /app/policies | |
parent | e4a92d342784ccbb929e7d2b1faa42d6c2f591a3 (diff) |
Add latest changes from gitlab-org/security/gitlab@15-7-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/group_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 10 |
2 files changed, 16 insertions, 3 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 858c145de3f..8eea995529c 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -273,6 +273,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { can?(:admin_group) & resource_access_token_feature_available }.policy do enable :read_resource_access_tokens enable :destroy_resource_access_tokens + end + + rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do enable :admin_setting_to_allow_project_access_token_creation end @@ -338,12 +341,16 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy true end + def resource_access_token_create_feature_available? + true + end + def can_read_group_member? !(@subject.private? && access_level == GroupMember::NO_ACCESS) end def resource_access_token_creation_allowed? - resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed? + resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed? end def valid_dependency_proxy_deploy_token diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 2a13fafa313..fd3dbb54d57 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -157,7 +157,9 @@ class ProjectPolicy < BasePolicy condition(:service_desk_enabled) { @subject.service_desk_enabled? } with_scope :subject - condition(:resource_access_token_feature_available) { resource_access_token_feature_available? } + condition(:resource_access_token_feature_available) do + resource_access_token_feature_available? + end condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? } # We aren't checking `:read_issue` or `:read_merge_request` in this case 
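Review bot: The new rule `rule { can?(:admin_group) & resource_access_token_creation_allowed }` in the first group_policy.rb hunk makes the right to administer the token-creation setting depend on that setting's current value. The condition definition is outside the hunk, but if it maps to `resource_access_token_creation_allowed?` (as the matching condition in project_policy.rb does), it is false whenever the root ancestor's `namespace_settings.resource_access_token_creation_allowed?` is false. In that case an owner who switched creation off may lose `:admin_setting_to_allow_project_access_token_creation` and be unable to switch it back on. If only the feature-availability gate is meant, a dedicated condition would say so, e.g. `condition(:resource_access_token_create_feature_available) { resource_access_token_create_feature_available? }` used in this rule. Either way, a policy spec for the setting-disabled case would pin the intended behaviour.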
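Review bot: `resource_access_token_create_feature_available?` in the second group_policy.rb hunk is added as a bare `true` with no comment, so a reader cannot tell why creation has its own gate or where it is expected to be overridden. This predicate now decides `resource_access_token_creation_allowed?`, while `resource_access_token_feature_available` still guards the read and destroy abilities in the first hunk. I would add a comment such as `# Gate for creating resource access tokens, kept separate from resource_access_token_feature_available? (read/destroy). Always true here; presumably overridden elsewhere - confirm.` The same undocumented stub is added in the last hunk of app/policies/project_policy.rb.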
@@ -922,12 +924,16 @@ class ProjectPolicy < BasePolicy true end + def resource_access_token_create_feature_available? + true + end + def resource_access_token_creation_allowed? group = project.group return true unless group # always enable for projects in personal namespaces - resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed? + resource_access_token_create_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed? end def project |
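Review bot: The early `return true unless group` in `resource_access_token_creation_allowed?` runs before the new `resource_access_token_create_feature_available?` check, so projects in personal namespaces never consult the gate this commit introduces. If an override of that predicate is meant to restrict creation everywhere, the guard should read `return resource_access_token_create_feature_available? unless group`. If personal namespaces are deliberately exempt, the existing comment should say that the create gate is skipped on purpose. Whether another rule separately gates creation for those projects is not visible in this hunk.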