diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 01:29:43 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-08-03 01:29:43 +0300 |
commit | c7c74818948dbc63a284bb617b2af1937f999cc8 (patch) | |
tree | e34c4d4103dca7b2877e766f540415d4cf10a085 /app/policies | |
parent | 6cb0610108a079ae27d96d61c48216a9f3b0c476 (diff) |
Add latest changes from gitlab-org/security/gitlab@14-1-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/issue_policy.rb | 13 | ||||
-rw-r--r-- | app/policies/personal_access_token_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 1 |
3 files changed, 14 insertions, 2 deletions
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index e58179e320d..053243e2296 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb @@ -44,7 +44,18 @@ class IssuePolicy < IssuablePolicy enable :update_subscription end - rule { ~persisted & can?(:guest_access) }.policy do + # admin can set metadata on new issues + rule { ~persisted & admin }.policy do + enable :set_issue_metadata + end + + # support bot needs to be able to set metadata on new issues when service desk is enabled + rule { ~persisted & support_bot & can?(:guest_access) }.policy do + enable :set_issue_metadata + end + + # guest members need to be able to set issue metadata per https://gitlab.com/gitlab-org/gitlab/-/issues/300100 + rule { ~persisted & is_project_member & can?(:guest_access) }.policy do enable :set_issue_metadata end diff --git a/app/policies/personal_access_token_policy.rb b/app/policies/personal_access_token_policy.rb index 1e5404b7822..31c973f575b 100644 --- a/app/policies/personal_access_token_policy.rb +++ b/app/policies/personal_access_token_policy.rb @@ -1,7 +1,7 @@ # frozen_string_literal: true class PersonalAccessTokenPolicy < BasePolicy - condition(:is_owner) { user && subject.user_id == user.id } + condition(:is_owner) { user && subject.user_id == user.id && !subject.impersonation } rule { (is_owner | admin) & ~blocked }.policy do enable :read_token diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 85547834a2e..fc959c5c6cb 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -673,6 +673,7 @@ class ProjectPolicy < BasePolicy rule { support_bot & ~service_desk_enabled }.policy do prevent :create_note prevent :read_project + prevent :guest_access end rule { project_bot }.enable :project_bot_access |