authorGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-10-21 10:08:36 +0300
commit48aff82709769b098321c738f3444b9bdaa694c6 (patch)
treee00c7c43e2d9b603a5a6af576b1685e400410dee /app/policies
parent879f5329ee916a948223f8f43d77fba4da6cd028 (diff)
Add latest changes from gitlab-org/gitlab@13-5-stable-ee (tag: v13.5.0-rc42)
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb5
-rw-r--r--app/policies/ci/bridge_policy.rb12
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/global_policy.rb1
-rw-r--r--app/policies/group_policy.rb37
-rw-r--r--app/policies/issue_policy.rb9
-rw-r--r--app/policies/project_policy.rb12
-rw-r--r--app/policies/releases/evidence_policy.rb1
-rw-r--r--app/policies/terraform/state_policy.rb9
-rw-r--r--app/policies/wiki_policy.rb6
10 files changed, 79 insertions, 15 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 13d732e4edd..1c93073025d 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -27,10 +27,7 @@ class BasePolicy < DeclarativePolicy::Base
desc "User email is unconfirmed or user account is locked"
with_options scope: :user, score: 0
- condition(:inactive) do
- Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
- @user&.confirmation_required_on_sign_in? || @user&.access_locked?
- end
+ condition(:inactive) { @user&.confirmation_required_on_sign_in? || @user&.access_locked? }
with_options scope: :user, score: 0
condition(:external_user) { @user.nil? || @user.external? }
diff --git a/app/policies/ci/bridge_policy.rb b/app/policies/ci/bridge_policy.rb
new file mode 100644
index 00000000000..37a07ea8aaf
--- /dev/null
+++ b/app/policies/ci/bridge_policy.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Ci
+ class BridgePolicy < CommitStatusPolicy
+ condition(:can_update_downstream_branch) do
+ ::Gitlab::UserAccess.new(@user, container: @subject.downstream_project)
+ .can_update_branch?(@subject.target_revision_ref)
+ end
+
+ rule { can_update_downstream_branch }.enable :play_job
+ end
+end
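Review bot: The `:play_job` rule at the end of the new class grants the ability purely from push access to the downstream branch; nothing in this file requires the user to be allowed to act on the bridge itself, whereas the parallel rule this commit adds in build_policy.rb gates `:play_job` on `can?(:update_build)`. Unless the inherited CommitStatusPolicy already restricts this (not visible here), consider `rule { can?(:update_build) & can_update_downstream_branch }.enable :play_job`. The condition also passes `@subject.downstream_project` and `@subject.target_revision_ref` straight through; if either can be nil for a bridge whose downstream is unresolved, the block should fail closed, e.g. `next false unless @subject.downstream_project` as its first line. A `desc` line on the condition would match the style used for the new conditions in group_policy.rb.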
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index b3950c6a0e3..3efc07421e4 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -60,6 +60,8 @@ module Ci
rule { can?(:update_build) & terminal }.enable :create_build_terminal
+ rule { can?(:update_build) }.enable :play_job
+
rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
enable :read_web_ide_terminal
enable :update_web_ide_terminal
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index de69636b078..c1ea4dddb51 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -98,6 +98,7 @@ class GlobalPolicy < BasePolicy
rule { admin }.policy do
enable :read_custom_attribute
enable :update_custom_attribute
+ enable :approve_user
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index c98e82efef7..f9ec026a6d2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -46,6 +46,19 @@ class GroupPolicy < BasePolicy
group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
end
+ desc "Deploy token with read_package_registry scope"
+ condition(:read_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
+ end
+
+ desc "Deploy token with write_package_registry scope"
+ condition(:write_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
+ end
+
+ with_scope :subject
+ condition(:resource_access_token_available) { resource_access_token_available? }
+
rule { design_management_enabled }.policy do
enable :read_design_activity
end
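Review bot: The two deploy-token conditions accept a token as soon as it is a DeployToken linked to the group and carrying the scope; nothing here checks that the token is still active (not revoked or expired), so that must be enforced by whatever authenticates the token, and a comment should say so, e.g. `# Token validity (expiry/revocation) is assumed to be enforced at authentication time`. The `@user.groups.include?(@subject)` test also differs from the role checks in this class in that it presumably does not honour a token created on an ancestor group for a subgroup — confirm that is the intended scope. The two blocks are identical apart from the scope attribute and could share a private helper such as `deploy_token_for_group?(:read_package_registry)` to keep the membership check in one place.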
@@ -91,7 +104,6 @@ class GroupPolicy < BasePolicy
rule { developer }.policy do
enable :admin_milestone
- enable :read_package
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
@@ -105,6 +117,7 @@ class GroupPolicy < BasePolicy
enable :admin_issue
enable :read_metrics_dashboard_annotation
enable :read_prometheus
+ enable :read_package
end
rule { maintainer }.policy do
@@ -167,6 +180,20 @@ class GroupPolicy < BasePolicy
rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+ rule { read_package_registry_deploy_token }.policy do
+ enable :read_package
+ enable :read_group
+ end
+
+ rule { write_package_registry_deploy_token }.policy do
+ enable :create_package
+ enable :read_group
+ end
+
+ rule { resource_access_token_available & can?(:admin_group) }.policy do
+ enable :admin_resource_access_tokens
+ end
+
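Review bot: Granting `:read_group` to a package-scoped deploy token widens what the token can do beyond the package registry, and the hunk gives no reason for it; a one-line comment above each block stating why it is needed (e.g. `# :read_group is required so the packages API can resolve the group for the token`) would stop a later reader from treating it as an oversight — I cannot confirm the reason from this hunk. The `admin_resource_access_tokens` rule relies on `resource_access_token_available`, which in this file is a method returning true unconditionally, so in CE the rule reduces to `can?(:admin_group)`; worth noting next to the rule.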
def access_level
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
@@ -183,6 +210,14 @@ class GroupPolicy < BasePolicy
def user_is_user?
user.is_a?(User)
end
+
+ def group
+ @subject
+ end
+
+ def resource_access_token_available?
+ true
+ end
end
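Review bot: `resource_access_token_available?` returns true unconditionally with no explanation, and `group` is an undocumented alias of `@subject`; since the class is prepended with `EE::GroupPolicy` on the line that follows, the former reads as a CE default meant to be overridden and should say so: `# Always available in CE; EE is expected to override this with its own checks.` and `# Alias for @subject, mirroring ProjectPolicy#project`. Please confirm the override actually exists in EE — it is not visible here.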
GroupPolicy.prepend_if_ee('EE::GroupPolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index b02bb8621ed..44c448eb601 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,9 +15,6 @@ class IssuePolicy < IssuablePolicy
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
- desc "Issue has moved"
- condition(:moved) { @subject.moved? }
-
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
@@ -38,12 +35,6 @@ class IssuePolicy < IssuablePolicy
rule { ~can?(:read_design) }.policy do
prevent :move_design
end
-
- rule { locked | moved }.policy do
- prevent :create_design
- prevent :move_design
- prevent :destroy_design
- end
end
IssuePolicy.prepend_if_ee('EE::IssuePolicy')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 87ee7d201e4..59e2d617bf7 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -104,6 +104,9 @@ class ProjectPolicy < BasePolicy
with_scope :subject
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+ with_scope :subject
+ condition(:resource_access_token_available) { resource_access_token_available? }
+
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -237,7 +240,6 @@ class ProjectPolicy < BasePolicy
enable :read_merge_request
enable :read_sentry_issue
enable :update_sentry_issue
- enable :read_incidents
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :metrics_dashboard
@@ -589,6 +591,10 @@ class ProjectPolicy < BasePolicy
prevent :read_project
end
+ rule { resource_access_token_available & can?(:admin_project) }.policy do
+ enable :admin_resource_access_tokens
+ end
+
private
def user_is_user?
@@ -663,6 +669,10 @@ class ProjectPolicy < BasePolicy
end
end
+ def resource_access_token_available?
+ true
+ end
+
def project
@subject
end
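Review bot: `resource_access_token_available?` is a bare `true` with no comment, in the private section of the class, exactly as in group_policy.rb in this commit; the two should carry the same explanation so the extension point is recognisable, e.g. `# CE default: resource access tokens are always available; EE may override this.` Confirm that an EE override exists, since nothing in this hunk shows one.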
diff --git a/app/policies/releases/evidence_policy.rb b/app/policies/releases/evidence_policy.rb
index 701913e6fe4..3e35f2f5e87 100644
--- a/app/policies/releases/evidence_policy.rb
+++ b/app/policies/releases/evidence_policy.rb
@@ -15,6 +15,7 @@ module Releases
# - Project
# - Milestones
# - Issues
+ # TODO: remove issues from this check: https://gitlab.com/gitlab-org/gitlab/-/issues/259674
condition(:allowed_to_read_evidence) do
can?(:read_release) &&
can?(:download_code) &&
diff --git a/app/policies/terraform/state_policy.rb b/app/policies/terraform/state_policy.rb
new file mode 100644
index 00000000000..ba6109e5975
--- /dev/null
+++ b/app/policies/terraform/state_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Terraform
+ class StatePolicy < BasePolicy
+ alias_method :terraform_state, :subject
+
+ delegate { terraform_state.project }
+ end
+end
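Review bot: The new class has no comment explaining that every permission on a Terraform state resolves against the owning project's policy, while wiki_policy.rb in this same commit carries exactly such a comment; for consistency add `# Terraform state policies are delegated to the owning Project` above the `delegate` line. Because state files can contain secrets, the comment should also say that any state-specific abilities are expected to be defined on ProjectPolicy with an appropriate access level — which abilities those are cannot be confirmed from this hunk.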
diff --git a/app/policies/wiki_policy.rb b/app/policies/wiki_policy.rb
new file mode 100644
index 00000000000..a551439d0d4
--- /dev/null
+++ b/app/policies/wiki_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class WikiPolicy < ::BasePolicy
+ # Wiki policies are delegated to their container objects (Project or Group)
+ delegate { subject.container }
+end