authorGitLab Bot <gitlab-bot@gitlab.com>2023-05-17 19:05:49 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-05-17 19:05:49 +0300
commit43a25d93ebdabea52f99b05e15b06250cd8f07d7 (patch)
treedceebdc68925362117480a5d672bcff122fb625b /app/policies
parent20c84b99005abd1c82101dfeff264ac50d2df211 (diff)
Add latest changes from gitlab-org/gitlab@16-0-stable-eev16.0.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/abuse_report_policy.rb7
-rw-r--r--app/policies/achievements/user_achievement_policy.rb12
-rw-r--r--app/policies/base_policy.rb10
-rw-r--r--app/policies/ci/build_policy.rb6
-rw-r--r--app/policies/ci/pipeline_schedule_policy.rb4
-rw-r--r--app/policies/ci/runner_manager_policy.rb18
-rw-r--r--app/policies/clusters/agent_policy.rb14
-rw-r--r--app/policies/clusters/instance_policy.rb1
-rw-r--r--app/policies/concerns/archived_abilities.rb1
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/global_policy.rb18
-rw-r--r--app/policies/group_label_policy.rb2
-rw-r--r--app/policies/group_policy.rb68
-rw-r--r--app/policies/identity_provider_policy.rb4
-rw-r--r--app/policies/issuable_policy.rb10
-rw-r--r--app/policies/issue_policy.rb6
-rw-r--r--app/policies/namespaces/group_project_namespace_shared_policy.rb11
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb5
-rw-r--r--app/policies/project_hook_policy.rb3
-rw-r--r--app/policies/project_label_policy.rb2
-rw-r--r--app/policies/project_policy.rb83
-rw-r--r--app/policies/project_snippet_policy.rb10
-rw-r--r--app/policies/user_policy.rb1
23 files changed, 236 insertions, 64 deletions
diff --git a/app/policies/abuse_report_policy.rb b/app/policies/abuse_report_policy.rb
new file mode 100644
index 00000000000..f1f994e6a42
--- /dev/null
+++ b/app/policies/abuse_report_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+class AbuseReportPolicy < ::BasePolicy
+ rule { admin }.policy do
+ enable :read_abuse_report
+ end
+end
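Review bot: The new AbuseReportPolicy has no comment saying what `read_abuse_report` gates or why `admin` is the only condition that grants it, and the base `admin` condition is itself affected by the admin-mode application setting (as the comment in base_policy.rb in this commit states). A one-line header such as `# Abuse reports are readable only by administrators; subject to the admin mode setting in BasePolicy.` above the rule would save the next reader the lookup.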
diff --git a/app/policies/achievements/user_achievement_policy.rb b/app/policies/achievements/user_achievement_policy.rb
new file mode 100644
index 00000000000..05650a05490
--- /dev/null
+++ b/app/policies/achievements/user_achievement_policy.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Achievements
+ class UserAchievementPolicy < ::BasePolicy
+ delegate { @subject.achievement.namespace }
+ delegate { @subject.user }
+
+ rule { can?(:read_user_profile) | can?(:admin_achievement) }.enable :read_user_achievement
+
+ rule { ~can?(:read_achievement) }.prevent :read_user_achievement
+ end
+end
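Review bot: `delegate { @subject.user }` makes every UserPolicy ability answerable on a UserAchievement subject, not just the `read_user_profile` check the rule below needs; if that single check is all that is wanted, a condition such as `condition(:can_read_user_profile) { can?(:read_user_profile, @subject.user) }` keeps the ability surface of this policy narrower. The `~can?(:read_achievement)` prevent does override the enable above it, since prevents take precedence in DeclarativePolicy, but a short comment saying that the namespace delegation is what supplies `read_achievement` and `admin_achievement` would make the two-delegate setup easier to follow.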
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1ce866bd910..d6aaa3e983d 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -35,10 +35,18 @@ class BasePolicy < DeclarativePolicy::Base
with_options scope: :user, score: 0
condition(:security_bot) { @user&.security_bot? }
+ desc "User is security policy bot"
+ with_options scope: :user, score: 0
+ condition(:security_policy_bot) { @user&.security_policy_bot? }
+
desc "User is automation bot"
with_options scope: :user, score: 0
condition(:automation_bot) { @user&.automation_bot? }
+ desc "User is llm bot"
+ with_options scope: :user, score: 0
+ condition(:llm_bot) { @user&.llm_bot? }
+
desc "User email is unconfirmed or user account is locked"
with_options scope: :user, score: 0
condition(:inactive) { @user&.confirmation_required_on_sign_in? || @user&.access_locked? }
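Review bot: `condition(:llm_bot) { @user&.llm_bot? }` will raise NoMethodError for non-User actors that include PolicyActor, because this commit adds a `security_policy_bot?` default to app/policies/concerns/policy_actor.rb but no `llm_bot?` counterpart — unless one already exists outside the hunk shown there. Every other bot condition in this block pairs with a PolicyActor method returning false, so the concern should gain `def llm_bot?` / `  false` / `end` next to the new `security_policy_bot?`. The second base_policy.rb hunk is a spelling fix only.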
@@ -63,7 +71,7 @@ class BasePolicy < DeclarativePolicy::Base
end
rule { admin }.policy do
- # Only for actual administrator accounts, behaviour affected by admin mode application setting
+ # Only for actual administrator accounts, behavior affected by admin mode application setting
enable :admin_all_resources
# Policy extended in EE to also enable auditors
enable :read_all_resources
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index ca0b51e1385..73e4cbee54a 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -71,13 +71,17 @@ module Ci
can?(:developer_access, @subject.project)
end
+ # Use admin_ci_minutes for detailed quota and usage reporting
+ # this is limited to total usage and total quota for a builds namespace
+ rule { can_read_project_build }.enable :read_ci_minutes_limited_summary
+
rule { can_read_project_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
# Authorizing the user to access to protected entities.
# There is a "jailbreak" mode to exceptionally bypass the authorization,
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
- rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
+ rule { ~can?(:jailbreak) & (archived | (protected_ref & ~admin) | protected_environment) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
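Review bot: The new `(protected_ref & ~admin)` term exempts administrators from the protected-ref restriction on `update_build`, `update_commit_status`, `erase_build` and the rest of this block, while `archived` and `protected_environment` still apply to them, and nothing in the hunk says why the cases differ. Given the warning directly above about never bypassing this authorization, the exemption deserves its own line, e.g. `# Administrators are exempt from the protected-ref restriction only; archived and protected-environment checks still apply.` The comment at the top of the hunk also reads as one run-on sentence; `# Use admin_ci_minutes for detailed quota and usage reporting;` / `# this ability is limited to total usage and total quota for the build's namespace.` is clearer. The rule block continues past the end of the hunk.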
diff --git a/app/policies/ci/pipeline_schedule_policy.rb b/app/policies/ci/pipeline_schedule_policy.rb
index 3a674bfef92..7b0d484f9f7 100644
--- a/app/policies/ci/pipeline_schedule_policy.rb
+++ b/app/policies/ci/pipeline_schedule_policy.rb
@@ -23,6 +23,10 @@ module Ci
enable :update_pipeline_schedule
end
+ # `take_ownership_pipeline_schedule` is deprecated, and should not be used. It can be removed in 17.0
+ # once the deprecated field `take_ownership_pipeline_schedule` is removed from the GraphQL type
+ # `PermissionTypes::Ci::PipelineSchedules`.
+ # Use `admin_pipeline_schedule` to decide if a user has the ability to take ownership of a pipeline schedule.
rule { can?(:admin_pipeline_schedule) & ~owner_of_schedule }.policy do
enable :take_ownership_pipeline_schedule
end
diff --git a/app/policies/ci/runner_manager_policy.rb b/app/policies/ci/runner_manager_policy.rb
new file mode 100644
index 00000000000..43e81e373fc
--- /dev/null
+++ b/app/policies/ci/runner_manager_policy.rb
@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Ci
+ class RunnerManagerPolicy < BasePolicy
+ with_options scope: :subject, score: 0
+
+ condition(:can_read_runner, scope: :subject) do
+ can?(:read_runner, @subject.runner)
+ end
+
+ rule { anonymous }.prevent_all
+
+ rule { can_read_runner }.policy do
+ enable :read_builds
+ enable :read_runner_manager
+ end
+ end
+end
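Review bot: `condition(:can_read_runner, scope: :subject)` depends on the current user through `can?(:read_runner, @subject.runner)`, but `scope: :subject` caches the result keyed on the subject alone, so a request that evaluates this policy for more than one user reuses the first user's answer. Unless runner readability really is user-independent, drop the scope: `condition(:can_read_runner) do`. The `with_options scope: :subject, score: 0` on the line above is left dangling before a blank line and then repeated inline, so one of the two should go, and a score of 0 for a condition that evaluates another policy looks optimistic.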
diff --git a/app/policies/clusters/agent_policy.rb b/app/policies/clusters/agent_policy.rb
index 25e78c84802..ecd83cceb8b 100644
--- a/app/policies/clusters/agent_policy.rb
+++ b/app/policies/clusters/agent_policy.rb
@@ -5,5 +5,19 @@ module Clusters
alias_method :cluster_agent, :subject
delegate { cluster_agent.project }
+
+ # This condition is more expensive than the same permission check in ProjectPolicy,
+ # so having a higher score.
+ condition(:ci_access_authorized_agent, score: 10) do
+ @subject.ci_access_authorized_for?(@user)
+ end
+
+ condition(:user_access_authorized_agent, score: 10) do
+ @subject.user_access_authorized_for?(@user)
+ end
+
+ rule { ci_access_authorized_agent | user_access_authorized_agent }.policy do
+ enable :read_cluster_agent
+ end
end
end
diff --git a/app/policies/clusters/instance_policy.rb b/app/policies/clusters/instance_policy.rb
index 3c5ca4bf4e1..2781e943bae 100644
--- a/app/policies/clusters/instance_policy.rb
+++ b/app/policies/clusters/instance_policy.rb
@@ -9,6 +9,7 @@ module Clusters
enable :update_cluster
enable :admin_cluster
enable :read_prometheus
+ enable :use_k8s_proxies
end
end
end
diff --git a/app/policies/concerns/archived_abilities.rb b/app/policies/concerns/archived_abilities.rb
index b4dfad599c7..7d61f83528e 100644
--- a/app/policies/concerns/archived_abilities.rb
+++ b/app/policies/concerns/archived_abilities.rb
@@ -37,6 +37,7 @@ module ArchivedAbilities
pages
cluster
release
+ timelog
].freeze
class_methods do
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 8fa09683b06..e000f1514e5 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -53,6 +53,10 @@ module PolicyActor
false
end
+ def security_policy_bot?
+ false
+ end
+
def automation_bot?
false
end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index d028738ccc9..b96ad9a73c8 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,10 +22,12 @@ class GlobalPolicy < BasePolicy
condition(:project_bot, scope: :user) { @user&.project_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
- condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ condition(:create_runner_workflow_enabled, scope: :user) do
+ Feature.enabled?(:create_runner_workflow_for_admin, @user)
end
+ condition(:service_account, scope: :user) { @user&.service_account? }
+
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
@@ -60,11 +62,15 @@ class GlobalPolicy < BasePolicy
rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
- rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
+ rule { blocked | (internal & ~migration_bot & ~security_bot & ~security_policy_bot) }.policy do
prevent :access_git
end
- rule { project_bot }.policy do
+ rule { security_policy_bot }.policy do
+ enable :access_git
+ end
+
+ rule { project_bot | service_account }.policy do
prevent :log_in
prevent :receive_notifications
end
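Review bot: `rule { security_policy_bot }.policy do enable :access_git end` gives git access to a bot that the rule above also carves out of the `internal` prevent, and the hunk records no reason; a comment on the rule such as `# Security policy bots are internal users that still need git access: <reason>` would capture the intent. `blocked` still prevents `access_git` for such a bot, since the prevent wins, which is worth stating in the same comment.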
@@ -119,11 +125,11 @@ class GlobalPolicy < BasePolicy
enable :approve_user
enable :reject_user
enable :read_usage_trends_measurement
- enable :create_instance_runners
+ enable :create_instance_runner
end
rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_instance_runners
+ prevent :create_instance_runner
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_label_policy.rb b/app/policies/group_label_policy.rb
index 4a848e44fec..08d811d3dfa 100644
--- a/app/policies/group_label_policy.rb
+++ b/app/policies/group_label_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
class GroupLabelPolicy < BasePolicy
- delegate { @subject.parent_container }
+ delegate { @subject.preloaded_parent_container }
end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6cc65248914..285721de387 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -36,7 +36,20 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:request_access_enabled) { @subject.request_access_enabled }
condition(:create_projects_disabled, scope: :subject) do
- @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
+ next true if @user.nil?
+
+ visibility_levels = if @user.can_admin_all_resources?
+ # admin can create projects even with restricted visibility levels
+ Gitlab::VisibilityLevel.values
+ else
+ Gitlab::VisibilityLevel.allowed_levels
+ end
+
+ allowed_visibility_levels = visibility_levels.select do |level|
+ Project.new(namespace: @subject).visibility_level_allowed?(level)
+ end
+
+ @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS || allowed_visibility_levels.empty?
end
condition(:developer_maintainer_access, scope: :subject) do
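Review bot: `create_projects_disabled` keeps `scope: :subject` while its new body branches on `@user` (`next true if @user.nil?`, `@user.can_admin_all_resources?`), so the cached result for a group is shared between an anonymous user, a regular user and an admin within one request and is wrong for all but the first evaluated. Drop the scope, `condition(:create_projects_disabled) do`, or move the user-dependent part into a separate condition. `Project.new(namespace: @subject)` is also rebuilt for every visibility level inside the `select`; hoisting it to a single instantiation before the loop is free. The condition block closes inside the hunk.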
@@ -85,11 +98,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, group)
+ end
+
+ condition(:achievements_enabled, scope: :subject) do
+ Feature.enabled?(:achievements, @subject)
end
condition(:group_runner_registration_allowed, scope: :subject) do
- Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
+ @subject.runner_registration_enabled?
end
rule { can?(:read_group) & design_management_enabled }.policy do
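Review bot: `group_runner_registration_allowed` no longer consults `Gitlab::CurrentSettings.valid_runner_registrars.include?('group')`, so the instance-level restriction on which registrars may register runners is still enforced for projects (project_policy.rb in this commit keeps `valid_runner_registrars.include?('project')`) but not for groups, unless `@subject.runner_registration_enabled?` now folds that setting in. If it does, a comment saying so, e.g. `# runner_registration_enabled? already honours valid_runner_registrars`, would stop the next reviewer asking; if not, the dropped `&&` term should be restored. `group` in the `create_runner_workflow_enabled` condition is presumably an alias for `@subject` defined outside the hunk.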
@@ -131,9 +148,17 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_member
enable :read_custom_emoji
enable :read_counts
+ end
+
+ rule { achievements_enabled }.policy do
enable :read_achievement
end
+ rule { can?(:maintainer_access) & achievements_enabled }.policy do
+ enable :admin_achievement
+ enable :award_achievement
+ end
+
rule { ~public_group & ~has_access }.prevent :read_counts
rule { ~can_read_group_member }.policy do
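Review bot: `rule { achievements_enabled }.policy do enable :read_achievement end` enables `read_achievement` on every group whose flag is on with no `can?(:read_group)` term, whereas its old position inside the block closing at the top of the hunk (whose rule head lies above the hunk) tied it to that block's condition. Unless a `~can?(:read_group)` prevent elsewhere in the file covers it, a private group's achievements become readable to anyone; `rule { can?(:read_group) & achievements_enabled }.policy do` matches the shape of the `admin_achievement` rule two lines below.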
@@ -147,17 +172,16 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { has_access }.enable :read_namespace
rule { developer }.policy do
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
enable :create_custom_emoji
enable :create_package
enable :developer_access
enable :admin_crm_organization
enable :admin_crm_contact
- enable :read_cluster
-
+ enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
+ enable :read_cluster_agent
enable :read_group_all_available_runners
+ enable :use_k8s_proxies
end
rule { reporter }.policy do
@@ -180,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :destroy_package
enable :admin_package
enable :create_projects
+ enable :import_projects
enable :admin_pipeline
enable :admin_build
enable :add_cluster
@@ -191,7 +216,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :maintainer_access
enable :read_upload
enable :destroy_upload
- enable :admin_achievement
end
rule { owner }.policy do
@@ -204,7 +228,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_group_runners
enable :admin_group_runners
enable :register_group_runners
- enable :create_group_runners
+ enable :create_runner
enable :set_note_created_at
enable :set_emails_disabled
@@ -246,17 +270,25 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { ~can?(:view_globally) }.prevent :request_access
rule { has_access }.prevent :request_access
- rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock
+ rule do
+ owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock)
+ end.enable :change_share_with_group_lock
rule { developer & developer_maintainer_access }.enable :create_projects
- rule { create_projects_disabled }.prevent :create_projects
+ rule { create_projects_disabled }.policy do
+ prevent :create_projects
+ prevent :import_projects
+ end
rule { owner | admin }.policy do
enable :owner_access
enable :read_statistics
end
- rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+ rule { maintainer & can?(:create_projects) }.policy do
+ enable :transfer_projects
+ enable :import_projects
+ end
rule { read_package_registry_deploy_token }.policy do
enable :read_package
@@ -289,10 +321,12 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
enable :create_resource_access_tokens
+ enable :manage_resource_access_tokens
end
rule { can?(:project_bot_access) }.policy do
prevent :create_resource_access_tokens
+ prevent :manage_resource_access_tokens
end
rule { can?(:admin_group_member) }.policy do
@@ -313,7 +347,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
rule { ~admin & ~group_runner_registration_allowed }.policy do
prevent :register_group_runners
- prevent :create_group_runners
+ prevent :create_runner
end
rule { migration_bot }.policy do
@@ -325,8 +359,12 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :read_observability
end
+ rule { can?(:maintainer_access) & observability_enabled }.policy do
+ enable :admin_observability
+ end
+
rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_group_runners
+ prevent :create_runner
end
# Should be matched with ProjectPolicy#read_internal_note
diff --git a/app/policies/identity_provider_policy.rb b/app/policies/identity_provider_policy.rb
index c539fc64d3f..1e748c78555 100644
--- a/app/policies/identity_provider_policy.rb
+++ b/app/policies/identity_provider_policy.rb
@@ -1,8 +1,8 @@
# frozen_string_literal: true
class IdentityProviderPolicy < BasePolicy
- desc "Provider is SAML or CAS3"
- condition(:protected_provider, scope: :subject, score: 0) { %w(saml cas3).include?(@subject.to_s) }
+ desc "Provider is SAML"
+ condition(:protected_provider, scope: :subject, score: 0) { @subject.to_s == 'saml' }
rule { anonymous }.prevent_all
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 496708a9737..60ab1785972 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -1,10 +1,10 @@
# frozen_string_literal: true
class IssuablePolicy < BasePolicy
- delegate { @subject.project }
+ delegate { subject_container }
condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
- condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+ condition(:is_project_member) { subject_container.member?(@user) }
condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }
desc "User is the assignee or author"
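Review bot: `condition(:is_project_member) { subject_container.member?(@user) }` drops the previous `@user &&` and `@subject.project &&` guards, so an issuable with neither a project nor a namespace now raises NoMethodError on nil, and an anonymous user is passed straight into `member?`, whose handling of nil is not visible here. `subject_container&.member?(@user)` restores the first guard; the second depends on whether the container types accept nil. The name `is_project_member` is also now misleading because the container may be a namespace (see the `subject_container` helper added at the end of this file); renaming it with its uses, or a comment on the condition, would help.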
@@ -14,7 +14,7 @@ class IssuablePolicy < BasePolicy
condition(:is_author) { @subject&.author == @user }
- condition(:is_incident) { @subject.incident? }
+ condition(:is_incident) { @subject.incident_type_issue? }
desc "Issuable is hidden"
condition(:hidden, scope: :subject) { @subject.hidden? }
@@ -57,6 +57,10 @@ class IssuablePolicy < BasePolicy
enable :read_issuable
enable :read_issuable_participables
end
+
+ def subject_container
+ @subject.project || @subject.try(:namespace)
+ end
end
IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index d1e35793c64..538959c92bd 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -14,8 +14,8 @@ class IssuePolicy < IssuablePolicy
desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
condition(:can_read_crm_contacts, scope: :subject) do
- subject.project.group&.crm_enabled? &&
- (@user&.can?(:read_crm_contact, @subject.project.root_ancestor) || @user&.support_bot?)
+ subject_container&.crm_enabled? &&
+ (@user&.can?(:read_crm_contact, subject_container.root_ancestor) || @user&.support_bot?)
end
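Review bot: The condition now calls `subject_container&.crm_enabled?` and `subject_container.root_ancestor`, but for a project issue `subject_container` is the project itself where the old code asked `project.group`; this only works if Project responds to both the same way a group does, which is not visible here and should be confirmed. The `desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"` line above is now stale, since the container may be a namespace with no project; `desc "Issue's project or namespace has CRM enabled and the user can read contacts in the root group"` describes the new check. `subject_container` is defined on IssuablePolicy in this commit.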
desc "Issue is confidential"
@@ -43,6 +43,7 @@ class IssuePolicy < IssuablePolicy
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
+ prevent(*create_read_update_admin_destroy(:work_item))
prevent :read_issue_iid
end
@@ -59,6 +60,7 @@ class IssuePolicy < IssuablePolicy
rule { ~can?(:read_issue) }.policy do
prevent :read_design
prevent :create_design
+ prevent :update_design
prevent :destroy_design
end
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
index bfb1706bc5a..2214839fb62 100644
--- a/app/policies/namespaces/group_project_namespace_shared_policy.rb
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
@@ -17,5 +17,16 @@ module Namespaces
rule { can?(:reporter_access) }.policy do
enable :read_timelog_category
end
+
+ rule { can?(:guest_access) }.policy do
+ enable :create_work_item
+ enable :read_work_item
+ enable :read_issue
+ enable :read_namespace
+ end
+
+ rule { can?(:create_work_item) }.enable :create_task
end
end
+
+Namespaces::GroupProjectNamespaceSharedPolicy.prepend_mod
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 1deeae8241f..bfed61e72d3 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -11,6 +11,7 @@ module Namespaces
rule { owner | admin }.policy do
enable :owner_access
enable :create_projects
+ enable :import_projects
enable :admin_namespace
enable :read_namespace
enable :read_statistics
@@ -20,9 +21,9 @@ module Namespaces
enable :edit_billing
end
- rule { ~can_create_personal_project }.prevent :create_projects
+ rule { ~can_create_personal_project }.prevent :create_projects, :import_projects
- rule { bot_user_namespace }.prevent :create_projects
+ rule { bot_user_namespace }.prevent :create_projects, :import_projects
rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
end
diff --git a/app/policies/project_hook_policy.rb b/app/policies/project_hook_policy.rb
index c177fabb1ba..b4590c13670 100644
--- a/app/policies/project_hook_policy.rb
+++ b/app/policies/project_hook_policy.rb
@@ -1,10 +1,9 @@
# frozen_string_literal: true
class ProjectHookPolicy < ::BasePolicy
- delegate(:project)
+ delegate { @subject.project }
rule { can?(:admin_project) }.policy do
- enable :read_web_hook
enable :destroy_web_hook
end
end
diff --git a/app/policies/project_label_policy.rb b/app/policies/project_label_policy.rb
index 6656d5990a5..3b125429510 100644
--- a/app/policies/project_label_policy.rb
+++ b/app/policies/project_label_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
class ProjectLabelPolicy < BasePolicy
- delegate { @subject.parent_container }
+ delegate { @subject.preloaded_parent_container }
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3d22002e828..47d8d0eef3e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -38,6 +38,9 @@ class ProjectPolicy < BasePolicy
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && team_member? }
+ desc "User is a security policy bot on the project"
+ condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
+
desc "Project is public"
condition(:public_project, scope: :subject, score: 0) { project.public? }
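Review bot: `condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }` uses safe navigation while the `project_bot` condition directly above uses `user.project_bot?`, so one of the two is wrong about whether `user` can be nil here. If `user` is always an actor object in ProjectPolicy, write `user.security_policy_bot? && team_member?` for consistency; if it can be nil, the line above needs the same guard.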
@@ -49,6 +52,9 @@ class ProjectPolicy < BasePolicy
desc "User is a member of the group"
condition(:group_member, scope: :subject) { project_group_member? }
+ desc "User is a requester of the group"
+ condition(:group_requester, scope: :subject) { project_group_requester? }
+
desc "Project is archived"
condition(:archived, scope: :subject, score: 0) { project.archived? }
@@ -222,8 +228,8 @@ class ProjectPolicy < BasePolicy
condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
end
- condition(:project_runner_registration_allowed) do
- Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+ condition(:project_runner_registration_allowed, scope: :subject) do
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('project') && @subject.runner_registration_enabled
end
condition :registry_enabled do
@@ -234,10 +240,16 @@ class ProjectPolicy < BasePolicy
Gitlab.config.packages.enabled
end
+ condition :terraform_state_disabled do
+ !Gitlab.config.terraform_state.enabled
+ end
+
condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace)
end
+ condition(:namespace_catalog_available) { namespace_catalog_available? }
+
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
# not.
rule { guest | admin }.enable :read_project_for_iids
@@ -274,9 +286,6 @@ class ProjectPolicy < BasePolicy
enable :set_show_default_award_emojis
enable :set_show_diff_preview_in_email
enable :set_warn_about_potentially_unwanted_characters
-
- enable :register_project_runners
- enable :create_project_runners
enable :manage_owners
end
@@ -349,10 +358,10 @@ class ProjectPolicy < BasePolicy
enable :metrics_dashboard
enable :read_confidential_issues
enable :read_package
- enable :read_product_analytics
enable :read_ci_cd_analytics
enable :read_external_emails
enable :read_grafana
+ enable :export_work_items
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -404,11 +413,15 @@ class ProjectPolicy < BasePolicy
end
rule { infrastructure_disabled }.policy do
- prevent(*create_read_update_admin_destroy(:terraform_state))
prevent(*create_read_update_admin_destroy(:cluster))
prevent(:read_pod_logs)
prevent(:read_prometheus)
prevent(:admin_project_google_cloud)
+ prevent(:admin_project_aws)
+ end
+
+ rule { infrastructure_disabled | terraform_state_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:terraform_state))
end
rule { can?(:metrics_dashboard) }.policy do
@@ -424,10 +437,11 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:package))
end
- rule { owner | admin | guest | group_member }.prevent :request_access
+ rule { owner | admin | guest | group_member | group_requester }.prevent :request_access
rule { ~request_access_enabled }.prevent :request_access
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
+ rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items
rule { can?(:developer_access) }.policy do
enable :create_package
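Review bot: `rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items` grants importing at reporter level while `import_issues` on the line above still requires `developer_access`; if work items include issues, a reporter can import through the new path what the old one denied them, which looks unintended unless the work-item importer is narrower. If it is deliberate, a comment such as `# import_work_items is reporter-level on purpose: <reason>` would stop the asymmetry being "fixed" later. The `can?(:developer_access)` block at the end of the hunk continues outside it.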
@@ -453,16 +467,17 @@ class ProjectPolicy < BasePolicy
enable :destroy_environment
enable :create_deployment
enable :update_deployment
- enable :read_cluster
+ enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
+ enable :read_cluster_agent
+ enable :use_k8s_proxies
enable :create_release
enable :update_release
enable :destroy_release
- enable :create_metrics_dashboard_annotation
- enable :delete_metrics_dashboard_annotation
- enable :update_metrics_dashboard_annotation
+ enable :admin_metrics_dashboard_annotation
enable :read_alert_management_alert
enable :update_alert_management_alert
enable :create_design
+ enable :update_design
enable :move_design
enable :destroy_design
enable :read_terraform_state
@@ -476,7 +491,6 @@ class ProjectPolicy < BasePolicy
enable :update_escalation_status
enable :read_secure_files
enable :update_sentry_issue
- enable :read_airflow_dags
end
rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -527,11 +541,13 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period
enable :admin_feature_flags_client
enable :register_project_runners
- enable :create_project_runners
+ enable :create_runner
+ enable :admin_project_runners
+ enable :read_project_runners
enable :update_runners_registration_token
enable :admin_project_google_cloud
+ enable :admin_project_aws
enable :admin_secure_files
- enable :read_web_hooks
enable :read_upload
enable :destroy_upload
enable :admin_incident_management_timeline_event_tag
@@ -751,6 +767,7 @@ class ProjectPolicy < BasePolicy
prevent :read_design
prevent :read_design_activity
prevent :create_design
+ prevent :update_design
prevent :destroy_design
prevent :move_design
end
@@ -779,6 +796,7 @@ class ProjectPolicy < BasePolicy
rule { write_package_registry_deploy_token }.policy do
enable :create_package
enable :read_package
+ enable :destroy_package
enable :read_project
end
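Review bot: `enable :destroy_package` under `write_package_registry_deploy_token` lets a deploy token issued with write scope delete packages, a strictly larger grant than the read/create pair it sits beside, and the hunk records no reason. If the scope's documentation already promises deletion, a comment `# write_package_registry scope includes deletion, see <doc reference>` suffices; otherwise the grant should be reconsidered.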
@@ -812,6 +830,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:admin_project) & resource_access_token_feature_available & resource_access_token_creation_allowed }.policy do
enable :create_resource_access_tokens
+ enable :manage_resource_access_tokens
end
rule { can?(:admin_project) }.policy do
@@ -820,6 +839,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:project_bot_access) }.policy do
prevent :create_resource_access_tokens
+ prevent :manage_resource_access_tokens
end
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
@@ -832,7 +852,7 @@ class ProjectPolicy < BasePolicy
rule { ~admin & ~project_runner_registration_allowed }.policy do
prevent :register_project_runners
- prevent :create_project_runners
+ prevent :create_runner
end
rule { can?(:admin_project_member) }.policy do
@@ -858,12 +878,20 @@ class ProjectPolicy < BasePolicy
end
rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_project_runners
+ prevent :create_runner
end
# Should be matched with GroupPolicy#read_internal_note
rule { admin | can?(:reporter_access) }.enable :read_internal_note
+ rule { can?(:developer_access) & namespace_catalog_available }.policy do
+ enable :read_namespace_catalog
+ end
+
+ rule { can?(:owner_access) & namespace_catalog_available }.policy do
+ enable :add_catalog_resource
+ end
+
private
def user_is_user?
@@ -897,16 +925,19 @@ class ProjectPolicy < BasePolicy
end
end
- # rubocop: disable CodeReuse/ActiveRecord
def project_group_member?
return false if @user.nil?
return false unless user_is_user?
- project.group &&
- (
- project.group.members_with_parents.exists?(user_id: @user.id) ||
- project.group.requesters.exists?(user_id: @user.id)
- )
+ project.group && project.group.member?(@user)
+ end
+
+ # rubocop: disable CodeReuse/ActiveRecord
+ def project_group_requester?
+ return false if @user.nil?
+ return false unless user_is_user?
+
+ project.group && project.group.requesters.exists?(user_id: @user.id)
end
# rubocop: enable CodeReuse/ActiveRecord
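Review bot: `project.group && project.group.member?(@user)` fits the safe-navigation form used elsewhere in the policies, `project.group&.member?(@user)`, and the same applies to the `requesters.exists?` line in the new `project_group_requester?`. Both methods also repeat the `return false if @user.nil?` / `return false unless user_is_user?` prelude; a small private predicate wrapping those two checks would remove the duplication, though that is optional. The `# rubocop: disable` marker now correctly starts at the requester method since it is the only one still calling `exists?`.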
@@ -957,6 +988,10 @@ class ProjectPolicy < BasePolicy
def project
@subject
end
+
+ def namespace_catalog_available?
+ false
+ end
end
ProjectPolicy.prepend_mod_with('ProjectPolicy')
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index b8f0be9b4c5..e11c1a39757 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -25,10 +25,12 @@ class ProjectSnippetPolicy < BasePolicy
# is used to hide/show various snippet-related controls, so we can't just
# move all of the handling here.
rule do
- all?(private_snippet | (internal_snippet & external_user),
- ~project.guest,
- ~is_author,
- ~can?(:read_all_resources))
+ all?(
+ private_snippet | (internal_snippet & external_user),
+ ~project.guest,
+ ~is_author,
+ ~can?(:read_all_resources)
+ )
end.prevent :read_snippet
rule { internal_snippet & ~is_author & ~admin & ~project.maintainer }.policy do
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index ed5b01e52b4..1078eda38e7 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -37,6 +37,7 @@ class UserPolicy < BasePolicy
rule { (private_profile | blocked_user | unconfirmed_user) & ~(user_is_self | admin) }.prevent :read_user_profile
rule { user_is_self | admin }.enable :disable_two_factor
rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
+ rule { (user_is_self | admin) & ~blocked }.enable :manage_user_personal_access_token
rule { (user_is_self | admin) & ~blocked }.enable :get_user_associations_count
end