authorGitLab Bot <gitlab-bot@gitlab.com>2022-05-19 10:33:21 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-05-19 10:33:21 +0300
commit36a59d088eca61b834191dacea009677a96c052f (patch)
treee4f33972dab5d8ef79e3944a9f403035fceea43f /app/policies
parenta1761f15ec2cae7c7f7bbda39a75494add0dfd6f (diff)
Add latest changes from gitlab-org/gitlab@15-0-stable-eev15.0.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/group_policy.rb34
-rw-r--r--app/policies/incident_management/timeline_event_policy.rb7
-rw-r--r--app/policies/issuable_policy.rb8
-rw-r--r--app/policies/issue_policy.rb11
-rw-r--r--app/policies/namespace_ci_cd_setting_policy.rb5
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb3
-rw-r--r--app/policies/project_policy.rb4
-rw-r--r--app/policies/timelog_policy.rb7
-rw-r--r--app/policies/work_item_policy.rb4
9 files changed, 65 insertions, 18 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7a49ad3d4aa..a4600c720a3 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -22,6 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
+ condition(:migration_bot, scope: :user) { @user.migration_bot? }
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST }
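Review bot: The new `migration_bot` condition on L34 calls `@user.migration_bot?` with no nil guard, whereas the neighbouring subject condition on L32 uses `&.` and `access_level` further down returns early on `@user.nil?`; unless the policy framework never evaluates user-scoped conditions for an anonymous user (not visible on this page), an unauthenticated evaluation that reaches the `rule { migration_bot }` added at L119 would raise instead of denying. `condition(:migration_bot, scope: :user) { @user&.migration_bot? }` keeps the result falsy for a nil user. A `desc` line like the one on L35 would also document what a migration bot is and why it gets its own condition here.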
@@ -54,11 +55,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
end
condition(:dependency_proxy_access_allowed) do
- if Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true)
- access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
- else
- can?(:read_group)
- end
+ access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
end
desc "Deploy token with read_package_registry scope"
@@ -81,7 +78,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
condition(:group_runner_registration_allowed) do
- Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ end
+
+ condition(:change_prevent_sharing_groups_outside_hierarchy_available) do
+ change_prevent_sharing_groups_outside_hierarchy_available?
end
rule { can?(:read_group) & design_management_enabled }.policy do
@@ -134,13 +135,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { has_access }.enable :read_namespace
rule { developer }.policy do
- enable :admin_milestone
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
enable :create_custom_emoji
enable :create_package
- enable :create_package_settings
enable :developer_access
enable :admin_crm_organization
enable :admin_crm_contact
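Review bot: `create_package_settings` is dropped from the developer rule on L68 and `read_package_settings` from the following rule on L82, with only `admin_package` added at maintainer level on L88 (the same swap appears in user_namespace_policy.rb at L213-L215); an ability that is no longer enabled anywhere should evaluate to false, so any caller in this revision still authorizing against the old names now fails closed, and reporters and developers lose read access to package settings. The diffstat is limited to app/policies, so the GraphQL/controller consumers cannot be checked from this page; worth confirming they moved to `admin_package` in the same release. `admin_milestone` likewise moves from the developer rule here to the rule at L76, whose header lies outside that hunk (presumably reporter), mirrored in project_policy.rb at L233/L241, which is a deliberate loosening that deserves a line in the commit description.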
@@ -152,18 +151,19 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_container_image
enable :admin_issue_board
enable :admin_label
+ enable :admin_milestone
enable :admin_issue_board_list
enable :admin_issue
enable :read_metrics_dashboard_annotation
enable :read_prometheus
enable :read_package
- enable :read_package_settings
enable :read_crm_organization
enable :read_crm_contact
end
rule { maintainer }.policy do
enable :destroy_package
+ enable :admin_package
enable :create_projects
enable :admin_pipeline
enable :admin_build
@@ -188,7 +188,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :set_note_created_at
enable :set_emails_disabled
- enable :change_prevent_sharing_groups_outside_hierarchy
enable :change_new_user_signups_cap
enable :update_default_branch_protection
enable :create_deploy_token
@@ -197,6 +196,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :owner_access
end
+ rule { owner & change_prevent_sharing_groups_outside_hierarchy_available }.policy do
+ enable :change_prevent_sharing_groups_outside_hierarchy
+ end
+
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
@@ -248,7 +251,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { dependency_proxy_access_allowed & dependency_proxy_available }
.enable :read_dependency_proxy
- rule { developer & dependency_proxy_available }.policy do
+ rule { maintainer & dependency_proxy_available }.policy do
enable :admin_dependency_proxy
end
@@ -283,6 +286,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
prevent :register_group_runners
end
+ rule { migration_bot }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
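Review bot: The `migration_bot` rule on L119-L122 enables `read_resource_access_tokens` and `destroy_resource_access_tokens` on every group the policy is evaluated for, independent of membership or the `access_level` computed just below, and nothing in the hunk records why a bot needs to enumerate and revoke tokens; a comment above the rule naming the migration or job that depends on it keeps the grant reviewable and removable, e.g. `# Required by <migration/job name> to revoke resource access tokens; remove once it has run` (fill in the actual job). Because the grant is unconditional, it is also the one place a reviewer of token-revocation audit events should look when the bot appears as the actor. `access_level` continues past the end of the hunk.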
@@ -315,6 +323,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end
+
+ def change_prevent_sharing_groups_outside_hierarchy_available?
+ true
+ end
end
GroupPolicy.prepend_mod_with('GroupPolicy')
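Review bot: `change_prevent_sharing_groups_outside_hierarchy_available?` on L132-L134 unconditionally returns `true`, so the condition on L55 and the `owner & …` rule on L102 are a no-op split in this file, and nothing says the predicate exists to be overridden (presumably through `prepend_mod_with` on L136). A one-line comment such as `# Always available here; the EE module prepended below adds further checks` would stop a reader from inlining it back into the owner rule. Since the value is constant in this file, the condition on L55 could also carry `score: 0` like `crm_enabled` on L49, hedged because an override might make it expensive.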
diff --git a/app/policies/incident_management/timeline_event_policy.rb b/app/policies/incident_management/timeline_event_policy.rb
new file mode 100644
index 00000000000..514a2bf0a56
--- /dev/null
+++ b/app/policies/incident_management/timeline_event_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module IncidentManagement
+ class TimelineEventPolicy < ::BasePolicy
+ delegate { @subject.incident }
+ end
+end
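Review bot: `TimelineEventPolicy` defines no abilities of its own, so every answer it gives comes from the delegated incident's policy, but that is only discoverable by reading the rules added to IssuablePolicy (L159-L165); a class comment such as `# All abilities are delegated to the parent incident (an Issue); see the timeline-event rules in IssuablePolicy.` would make the link explicit. How the framework treats a nil delegate when `@subject.incident` is absent is not visible here, so it is worth confirming the association is required on the model.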
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index ed5a0f24ed0..4e6df79773e 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -34,6 +34,14 @@ class IssuablePolicy < BasePolicy
prevent :resolve_note
prevent :award_emoji
end
+
+ rule { can?(:read_issue) }.policy do
+ enable :read_incident_management_timeline_event
+ end
+
+ rule { can?(:read_issue) & can?(:developer_access) }.policy do
+ enable :admin_incident_management_timeline_event
+ end
end
IssuablePolicy.prepend_mod_with('IssuablePolicy')
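Review bot: The two new rules on L159-L165 enable `read_incident_management_timeline_event` and `admin_incident_management_timeline_event` on every issuable that grants `read_issue`, not only on incidents, so plain issues (and merge requests, since IssuePolicy extends this class per L172 and this is the shared base) answer these abilities as well; if the intent is incident-only, the rules belong in IssuePolicy behind a condition on the issue type, or TimelineEventPolicy (L146-L148) should check the type before delegating. Whether `read_issue` is even defined for a merge-request subject is not visible here; if it is not, the rules are harmless there but misleading to read.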
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index a667c843bc6..a341d1ef661 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -12,8 +12,11 @@ class IssuePolicy < IssuablePolicy
@user && IssueCollection.new([@subject]).visible_to(@user).any?
end
- desc "User can read contacts belonging to the issue group"
- condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.root_ancestor) }
+ desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
+ condition(:can_read_crm_contacts, scope: :subject) do
+ subject.project.group&.crm_enabled? &&
+ @user.can?(:read_crm_contact, @subject.project.root_ancestor)
+ end
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
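Review bot: `can_read_crm_contacts` keeps `scope: :subject` on L178 while its body still depends on the user through `@user.can?(...)` on L180; if subject-scoped conditions are cached by subject alone, as the scope name suggests, a result computed for one user can be served to another within the same cache, and a nil `@user` raises on `.can?`. Dropping the scope, or keeping the `crm_enabled?` check as its own subject-scoped condition and combining the two in the rules on L187/L191, avoids both, e.g. `condition(:can_read_crm_contacts) do` with `@user&.can?(:read_crm_contact, @subject.project.root_ancestor)`. The block also mixes `subject.project` (L179) with `@subject.project` (L180); one form would read more consistently.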
@@ -81,6 +84,10 @@ class IssuePolicy < IssuablePolicy
enable :set_confidentiality
end
+ rule { can_read_crm_contacts }.policy do
+ enable :read_crm_contacts
+ end
+
rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do
enable :set_issue_crm_contacts
end
diff --git a/app/policies/namespace_ci_cd_setting_policy.rb b/app/policies/namespace_ci_cd_setting_policy.rb
new file mode 100644
index 00000000000..d883526b86d
--- /dev/null
+++ b/app/policies/namespace_ci_cd_setting_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class NamespaceCiCdSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.namespace }
+end
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 09b0f5d608d..028247497e5 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -14,8 +14,7 @@ module Namespaces
enable :read_namespace
enable :read_statistics
enable :create_jira_connect_subscription
- enable :create_package_settings
- enable :read_package_settings
+ enable :admin_package
end
rule { ~can_create_personal_project }.prevent :create_projects
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 68b288bdc87..60519dc346b 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -195,7 +195,7 @@ class ProjectPolicy < BasePolicy
end
condition(:project_runner_registration_allowed) do
- Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+ Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
end
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
@@ -285,6 +285,7 @@ class ProjectPolicy < BasePolicy
enable :reopen_issue
enable :admin_issue
enable :admin_label
+ enable :admin_milestone
enable :admin_issue_board_list
enable :admin_issue_link
enable :read_commit_status
@@ -370,7 +371,6 @@ class ProjectPolicy < BasePolicy
enable :create_package
enable :admin_issue_board
enable :admin_merge_request
- enable :admin_milestone
enable :update_merge_request
enable :reopen_merge_request
enable :create_commit_status
diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb
index f71c4204639..02380604c60 100644
--- a/app/policies/timelog_policy.rb
+++ b/app/policies/timelog_policy.rb
@@ -2,4 +2,11 @@
class TimelogPolicy < BasePolicy
delegate { @subject.issuable }
+
+ desc "User who created the timelog"
+ condition(:is_author) { @user && @subject.user == @user }
+
+ rule { is_author | can?(:maintainer_access) }.policy do
+ enable :admin_timelog
+ end
end
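Review bot: `rule { is_author | can?(:maintainer_access) }.enable :admin_timelog` on L256 grants the author administrative rights on the timelog without checking that they can still read the delegated issuable, so an author who has since been removed from the project, or lost access when the issue was made confidential, keeps `admin_timelog` unless the delegated policy prevents it, which is not visible here. Combining the author branch with the issuable's read ability, as in `rule { (is_author | can?(:maintainer_access)) & <read ability of the issuable> }` (the read ability IssuablePolicy exposes for the delegated subject), would close that gap. The `desc` on L253 could also state that the check is by record author, not by the user who logged the time on someone's behalf, if those can differ.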
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index b4723bc7ed8..e191e8d26ca 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -1,7 +1,9 @@
# frozen_string_literal: true
class WorkItemPolicy < IssuePolicy
- rule { can?(:owner_access) | is_author }.enable :delete_work_item
+ condition(:is_member_and_author) { is_project_member? & is_author? }
+
+ rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item
rule { can?(:update_issue) }.enable :update_work_item