gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-09-19 04:45:44 +0300
commit85dc423f7090da0a52c73eb66faf22ddb20efff9 (patch)
tree9160f299afd8c80c038f08e1545be119f5e3f1e1 /app/policies
parent15c2c8c66dbe422588e5411eee7e68f1fa440bb8 (diff)
Add latest changes from gitlab-org/gitlab@13-4-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb7
-rw-r--r--app/policies/global_policy.rb5
-rw-r--r--app/policies/group_policy.rb2
-rw-r--r--app/policies/issuable_policy.rb1
-rw-r--r--app/policies/namespace_policy.rb1
-rw-r--r--app/policies/operations/feature_flag_policy.rb7
-rw-r--r--app/policies/project_policy.rb18
-rw-r--r--app/policies/user_policy.rb1
8 files changed, 27 insertions, 15 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index cc66ad0577d..b3950c6a0e3 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -20,6 +20,11 @@ module Ci
end
end
+ # overridden in EE
+ condition(:protected_environment_access) do
+ false
+ end
+
condition(:owner_of_job) do
@subject.triggered_by?(@user)
end
@@ -40,7 +45,7 @@ module Ci
@subject.pipeline.webide?
end
- rule { protected_ref | archived }.policy do
+ rule { ~protected_environment_access & (protected_ref | archived) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
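Review bot: The rewritten rule `~protected_environment_access & (protected_ref | archived)` lifts the `archived` guard together with the `protected_ref` one, so an EE override of the condition that returns true would let `update_build`, `update_commit_status` and `erase_build` through on an archived project. If the exemption is meant only for the protected-ref check, scope it to that term: `rule { archived | (protected_ref & ~protected_environment_access) }.policy do`. The `# overridden in EE` comment in the previous hunk should also say what a true result grants, for example `# Overridden in EE; when true, the prevent rule for protected refs below is skipped`. The policy block continues past the end of this hunk, so any further prevents in it are affected the same way.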
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c66f0d199b0..de69636b078 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -15,14 +15,9 @@ class GlobalPolicy < BasePolicy
@user&.required_terms_not_accepted?
end
- condition(:private_instance_statistics, score: 0) { Gitlab::CurrentSettings.instance_statistics_visibility_private? }
-
condition(:project_bot, scope: :user) { @user&.project_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
- rule { admin | (~private_instance_statistics & ~anonymous) }
- .enable :read_instance_statistics
-
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 3cc1be9dfb7..c98e82efef7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -80,6 +80,7 @@ class GroupPolicy < BasePolicy
enable :read_list
enable :read_label
enable :read_board
+ enable :read_group_member
end
rule { ~can?(:read_group) }.policy do
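Review bot: `enable :read_group_member` joins the block that already grants `read_list`, `read_label` and `read_board`, and that block's rule condition is above the hunk. If the block applies to anyone who can read the group, member lists of public groups would become readable by unauthenticated users as well. Membership is more sensitive than labels or boards because it shows which accounts hold access to the group. If that breadth is intended, a comment such as `# Member lists are visible to anyone who can read the group` would record the decision; otherwise the ability belongs in a block restricted to signed-in users or members.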
@@ -116,6 +117,7 @@ class GroupPolicy < BasePolicy
enable :update_cluster
enable :admin_cluster
enable :read_deploy_token
+ enable :create_jira_connect_subscription
end
rule { owner }.policy do
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 537319addc2..5cfbcfec5c0 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -24,5 +24,6 @@ class IssuablePolicy < BasePolicy
prevent :create_note
prevent :admin_note
prevent :resolve_note
+ prevent :award_emoji
end
end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 350dd208499..aa87442cadd 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -12,6 +12,7 @@ class NamespacePolicy < BasePolicy
enable :admin_namespace
enable :read_namespace
enable :read_statistics
+ enable :create_jira_connect_subscription
end
rule { personal_project & ~can_create_personal_project }.prevent :create_projects
diff --git a/app/policies/operations/feature_flag_policy.rb b/app/policies/operations/feature_flag_policy.rb
new file mode 100644
index 00000000000..e2f4781d07c
--- /dev/null
+++ b/app/policies/operations/feature_flag_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Operations
+ class FeatureFlagPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
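Review bot: `Operations::FeatureFlagPolicy` has no comment explaining that it defines no rules of its own and that every ability on a flag is decided by the project policy through `delegate { @subject.project }`. A class comment such as `# Feature flags carry no permissions of their own; abilities are resolved by the owning project's policy.` would save readers from searching for flag-level rules. It is also worth confirming that a flag always has a project, since the behaviour when the delegate block returns nil is not visible here.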
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b2432bfa608..87ee7d201e4 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -102,11 +102,6 @@ class ProjectPolicy < BasePolicy
end
with_scope :subject
- condition(:moving_designs_disabled) do
- !::Feature.enabled?(:reorder_designs, @subject, default_enabled: true)
- end
-
- with_scope :subject
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
# We aren't checking `:read_issue` or `:read_merge_request` in this case
@@ -330,6 +325,12 @@ class ProjectPolicy < BasePolicy
enable :destroy_design
enable :read_terraform_state
enable :read_pod_logs
+ enable :read_feature_flag
+ enable :create_feature_flag
+ enable :update_feature_flag
+ enable :destroy_feature_flag
+ enable :admin_feature_flag
+ enable :admin_feature_flags_user_lists
end
rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -376,6 +377,7 @@ class ProjectPolicy < BasePolicy
enable :read_freeze_period
enable :update_freeze_period
enable :destroy_freeze_period
+ enable :admin_feature_flags_client
end
rule { public_project & metrics_dashboard_allowed }.policy do
@@ -452,6 +454,8 @@ class ProjectPolicy < BasePolicy
prevent :read_pipeline
prevent :read_pipeline_schedule
prevent(*create_read_update_admin_destroy(:release))
+ prevent(*create_read_update_admin_destroy(:feature_flag))
+ prevent(:admin_feature_flags_user_lists)
end
rule { container_registry_disabled }.policy do
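Review bot: `admin_feature_flags_client`, enabled in the hunk at `-376,6`, is missing from the prevents added here. The block gains `prevent(*create_read_update_admin_destroy(:feature_flag))` and `prevent(:admin_feature_flags_user_lists)`, but nothing revokes the client ability. If `create_read_update_admin_destroy` expands as its name suggests, those two lines cover every ability enabled in the `-330,6` hunk, so the client ability alone would stay granted when this block's rule applies (its condition is above the hunk). Adding `prevent(:admin_feature_flags_client)` next to the other two would keep the set consistent.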
@@ -557,10 +561,6 @@ class ProjectPolicy < BasePolicy
prevent :move_design
end
- rule { moving_designs_disabled }.policy do
- prevent :move_design
- end
-
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_project
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 6ebafca9885..c9dfa98b285 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -25,6 +25,7 @@ class UserPolicy < BasePolicy
rule { default }.enable :read_user_profile
rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
+ rule { user_is_self | admin }.enable :disable_two_factor
end
UserPolicy.prepend_if_ee('EE::UserPolicy')
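Review bot: The new `disable_two_factor` ability lets an admin remove another user's second factor, and the rule carries no comment marking it as security-sensitive. The policy only decides who may perform the action; whether it is logged or requires re-authentication is left to the callers, none of which appear in this diff. A comment above the rule such as `# Security-sensitive: removes a second factor. Callers should record who disabled 2FA for whom.` would make that expectation visible to whoever wires up the ability.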