Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/policies
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2020-12-17 14:59:07 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-12-17 14:59:07 +0300
commit8b573c94895dc0ac0e1d9d59cf3e8745e8b539ca (patch)
tree544930fb309b30317ae9797a9683768705d664c4 /app/policies
parent4b1de649d0168371549608993deac953eb692019 (diff)
Add latest changes from gitlab-org/gitlab@13-7-stable-eev13.7.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb4
-rw-r--r--app/policies/ci/build_policy.rb15
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/global_policy.rb3
-rw-r--r--app/policies/group_policy.rb5
-rw-r--r--app/policies/issuable_policy.rb2
-rw-r--r--app/policies/namespace_policy.rb1
-rw-r--r--app/policies/project_ci_cd_setting_policy.rb5
-rw-r--r--app/policies/project_policy.rb27
-rw-r--r--app/policies/timebox_policy.rb10
-rw-r--r--app/policies/user_policy.rb5
11 files changed, 78 insertions, 3 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 580a348b408..51694ec7c50 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -25,6 +25,10 @@ class BasePolicy < DeclarativePolicy::Base
with_options scope: :user, score: 0
condition(:support_bot) { @user&.support_bot? }
+ desc "User is security bot"
+ with_options scope: :user, score: 0
+ condition(:security_bot) { @user&.security_bot? }
+
desc "User email is unconfirmed or user account is locked"
with_options scope: :user, score: 0
condition(:inactive) { @user&.confirmation_required_on_sign_in? || @user&.access_locked? }
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 3efc07421e4..7e69e1fdd88 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -45,6 +45,21 @@ module Ci
@subject.pipeline.webide?
end
+ condition(:debug_mode, scope: :subject, score: 32) do
+ @subject.debug_mode?
+ end
+
+ condition(:project_read_build, scope: :subject) do
+ can?(:read_build, @subject.project)
+ end
+
+ condition(:project_update_build, scope: :subject) do
+ can?(:update_build, @subject.project)
+ end
+
+ rule { project_read_build }.enable :read_build_trace
+ rule { debug_mode & ~project_update_build }.prevent :read_build_trace
+
rule { ~protected_environment_access & (protected_ref | archived) }.policy do
prevent :update_build
prevent :update_commit_status
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 7eca6f4c6c8..75849fb10c8 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -49,6 +49,10 @@ module PolicyActor
false
end
+ def security_bot?
+ false
+ end
+
def deactivated?
false
end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c1ea4dddb51..b5c1ec0181e 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -48,7 +48,7 @@ class GlobalPolicy < BasePolicy
prevent :use_slash_commands
end
- rule { blocked | (internal & ~migration_bot) }.policy do
+ rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
prevent :access_git
end
@@ -99,6 +99,7 @@ class GlobalPolicy < BasePolicy
enable :read_custom_attribute
enable :update_custom_attribute
enable :approve_user
+ enable :reject_user
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 231843c5f23..7d0db222eaf 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -185,7 +185,10 @@ class GroupPolicy < BasePolicy
rule { developer & developer_maintainer_access }.enable :create_projects
rule { create_projects_disabled }.prevent :create_projects
- rule { owner | admin }.enable :read_statistics
+ rule { owner | admin }.policy do
+ enable :owner_access
+ enable :read_statistics
+ end
rule { maintainer & can?(:create_projects) }.enable :transfer_projects
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 5cfbcfec5c0..f49a6ee8498 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -27,3 +27,5 @@ class IssuablePolicy < BasePolicy
prevent :award_emoji
end
end
+
+IssuablePolicy.prepend_if_ee('EE::IssuablePolicy')
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index aa87442cadd..b1d680b4264 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
condition(:owner) { @subject.owner == @user }
rule { owner | admin }.policy do
+ enable :owner_access
enable :create_projects
enable :admin_namespace
enable :read_namespace
diff --git a/app/policies/project_ci_cd_setting_policy.rb b/app/policies/project_ci_cd_setting_policy.rb
new file mode 100644
index 00000000000..a22b790415b
--- /dev/null
+++ b/app/policies/project_ci_cd_setting_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProjectCiCdSettingPolicy < BasePolicy
+ delegate { @subject.project }
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 13073ed68a1..403fb34803e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject)
end
+ condition(:project_bot_is_member) do
+ user.project_bot? & team_member?
+ end
+
with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled }
@@ -147,6 +151,8 @@ class ProjectPolicy < BasePolicy
builds
pages
metrics_dashboard
+ analytics
+ operations
]
features.each do |f|
@@ -211,6 +217,7 @@ class ProjectPolicy < BasePolicy
enable :award_emoji
enable :read_pages_content
enable :read_release
+ enable :read_analytics
end
# These abilities are not allowed to admins that are not members of the project,
@@ -272,6 +279,19 @@ class ProjectPolicy < BasePolicy
prevent(:metrics_dashboard)
end
+ rule { operations_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:feature_flag))
+ prevent(*create_read_update_admin_destroy(:environment))
+ prevent(*create_read_update_admin_destroy(:sentry_issue))
+ prevent(*create_read_update_admin_destroy(:alert_management_alert))
+ prevent(*create_read_update_admin_destroy(:cluster))
+ prevent(*create_read_update_admin_destroy(:terraform_state))
+ prevent(*create_read_update_admin_destroy(:deployment))
+ prevent(:metrics_dashboard)
+ prevent(:read_pod_logs)
+ prevent(:read_prometheus)
+ end
+
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
enable :read_deployment
@@ -424,6 +444,10 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:snippet))
end
+ rule { analytics_disabled }.policy do
+ prevent(:read_analytics)
+ end
+
rule { wiki_disabled }.policy do
prevent(*create_read_update_admin_destroy(:wiki))
prevent(:download_wiki_code)
@@ -494,6 +518,7 @@ class ProjectPolicy < BasePolicy
enable :download_wiki_code
enable :read_cycle_analytics
enable :read_pages_content
+ enable :read_analytics
# NOTE: may be overridden by IssuePolicy
enable :read_issue
@@ -594,6 +619,8 @@ class ProjectPolicy < BasePolicy
enable :admin_resource_access_tokens
end
+ rule { project_bot_is_member & ~blocked }.enable :bot_log_in
+
private
def user_is_user?
diff --git a/app/policies/timebox_policy.rb b/app/policies/timebox_policy.rb
new file mode 100644
index 00000000000..03a1acb9358
--- /dev/null
+++ b/app/policies/timebox_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class TimeboxPolicy < BasePolicy
+ # stub permissions policy on None, Any, Upcoming, Started and Current timeboxes
+
+ rule { default }.policy do
+ enable :read_iteration
+ enable :read_milestone
+ end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 70e8fb32064..48c2bd3f0bd 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -13,6 +13,9 @@ class UserPolicy < BasePolicy
desc "The user is blocked"
condition(:blocked_user, scope: :subject, score: 0) { @subject.blocked? }
+ desc "The user is unconfirmed"
+ condition(:unconfirmed_user, scope: :subject, score: 0) { !@subject.confirmed? }
+
rule { ~restricted_public_level }.enable :read_user
rule { ~anonymous }.enable :read_user
@@ -25,7 +28,7 @@ class UserPolicy < BasePolicy
end
rule { default }.enable :read_user_profile
- rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
+ rule { (private_profile | blocked_user | unconfirmed_user) & ~(user_is_self | admin) }.prevent :read_user_profile
rule { user_is_self | admin }.enable :disable_two_factor
rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-14 08:37:43 +0300