diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-08-18 13:50:51 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-08-18 13:50:51 +0300 |
commit | db384e6b19af03b4c3c82a5760d83a3fd79f7982 (patch) | |
tree | 34beaef37df5f47ccbcf5729d7583aae093cffa0 /app/policies | |
parent | 54fd7b1bad233e3944434da91d257fa7f63c3996 (diff) |
Add latest changes from gitlab-org/gitlab@16-3-stable-eev16.3.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/admin/abuse_report_label_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/ci/bridge_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 26 | ||||
-rw-r--r-- | app/policies/ci/deployable_policy.rb | 17 | ||||
-rw-r--r-- | app/policies/concerns/find_group_projects.rb | 4 | ||||
-rw-r--r-- | app/policies/deploy_key_policy.rb | 10 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/organizations/organization_policy.rb | 14 | ||||
-rw-r--r-- | app/policies/packages/policies/project_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/work_item_policy.rb | 5 |
11 files changed, 78 insertions, 24 deletions
diff --git a/app/policies/admin/abuse_report_label_policy.rb b/app/policies/admin/abuse_report_label_policy.rb new file mode 100644 index 00000000000..69c877c90b3 --- /dev/null +++ b/app/policies/admin/abuse_report_label_policy.rb @@ -0,0 +1,9 @@ +# frozen_string_literal: true + +module Admin + class AbuseReportLabelPolicy < ::BasePolicy + rule { admin }.policy do + enable :read_label + end + end +end diff --git a/app/policies/ci/bridge_policy.rb b/app/policies/ci/bridge_policy.rb index 37a07ea8aaf..5f9e8eab08a 100644 --- a/app/policies/ci/bridge_policy.rb +++ b/app/policies/ci/bridge_policy.rb @@ -2,6 +2,8 @@ module Ci class BridgePolicy < CommitStatusPolicy + include Ci::DeployablePolicy + condition(:can_update_downstream_branch) do ::Gitlab::UserAccess.new(@user, container: @subject.downstream_project) .can_update_branch?(@subject.target_revision_ref) diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index 73e4cbee54a..bce7ceafe17 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -2,6 +2,8 @@ module Ci class BuildPolicy < CommitStatusPolicy + include Ci::DeployablePolicy + delegate { @subject.project } condition(:protected_ref) do @@ -22,15 +24,6 @@ module Ci end end - # overridden in EE - condition(:protected_environment) do - false - end - - condition(:outdated_deployment) do - @subject.outdated_deployment? - end - condition(:owner_of_job) do @subject.triggered_by?(@user) end @@ -73,21 +66,24 @@ module Ci # Use admin_ci_minutes for detailed quota and usage reporting # this is limited to total usage and total quota for a builds namespace - rule { can_read_project_build }.enable :read_ci_minutes_limited_summary + rule { can_read_project_build }.policy do + enable :read_ci_minutes_limited_summary + enable :read_build_trace + end - rule { can_read_project_build }.enable :read_build_trace rule { debug_mode & ~project_update_build }.prevent :read_build_trace # Authorizing the user to access to protected entities. # There is a "jailbreak" mode to exceptionally bypass the authorization, # however, you should NEVER allow it, rather suspect it's a wrong feature/product design. - rule { ~can?(:jailbreak) & (archived | (protected_ref & ~admin) | protected_environment) }.policy do - prevent :update_build + rule { ~can?(:jailbreak) & (archived | (protected_ref & ~admin)) }.policy do prevent :update_commit_status - prevent :erase_build end - rule { outdated_deployment }.prevent :update_build + rule { ~can?(:jailbreak) & (archived | protected_ref) }.policy do + prevent :update_build + prevent :erase_build + end rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build diff --git a/app/policies/ci/deployable_policy.rb b/app/policies/ci/deployable_policy.rb new file mode 100644 index 00000000000..f0105b001f2 --- /dev/null +++ b/app/policies/ci/deployable_policy.rb @@ -0,0 +1,17 @@ +# frozen_string_literal: true + +module Ci + module DeployablePolicy + extend ActiveSupport::Concern + + included do + prepend_mod_with('Ci::DeployablePolicy') # rubocop: disable Cop/InjectEnterpriseEditionModule + + condition(:outdated_deployment) do + @subject.outdated_deployment? + end + + rule { outdated_deployment }.prevent :update_build + end + end +end diff --git a/app/policies/concerns/find_group_projects.rb b/app/policies/concerns/find_group_projects.rb index aad9081bd7d..914e336b4ab 100644 --- a/app/policies/concerns/find_group_projects.rb +++ b/app/policies/concerns/find_group_projects.rb @@ -3,11 +3,11 @@ module FindGroupProjects extend ActiveSupport::Concern - def group_projects_for(user:, group:, only_owned: true) + def group_projects_for(user:, group:, exclude_shared: true) GroupProjectsFinder.new( group: group, current_user: user, - options: { include_subgroups: true, only_owned: only_owned } + options: { include_subgroups: true, exclude_shared: exclude_shared } ).execute end end diff --git a/app/policies/deploy_key_policy.rb b/app/policies/deploy_key_policy.rb index b117bb57921..ccf1bda26bb 100644 --- a/app/policies/deploy_key_policy.rb +++ b/app/policies/deploy_key_policy.rb @@ -3,10 +3,14 @@ class DeployKeyPolicy < BasePolicy with_options scope: :subject, score: 0 condition(:private_deploy_key) { @subject.private? } + condition(:public_deploy_key) { @subject.public? } condition(:has_deploy_key) { @user.project_deploy_keys.any? { |pdk| pdk.id.eql?(@subject.id) } } rule { anonymous }.prevent_all - - rule { admin }.enable :update_deploy_key - rule { private_deploy_key & has_deploy_key }.enable :update_deploy_key + rule { public_deploy_key | admin | has_deploy_key }.policy do + enable :read_deploy_key + end + rule { admin | (private_deploy_key & has_deploy_key) }.policy do + enable :update_deploy_key + end end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 29b966b43e2..c50f74f2b35 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -61,7 +61,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy end condition(:design_management_enabled) do - group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? } + group_projects_for(user: @user, group: @subject, exclude_shared: false).any? { |p| p.design_management_enabled? } end condition(:dependency_proxy_available, scope: :subject) do @@ -148,6 +148,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_member enable :read_custom_emoji enable :read_counts + enable :read_issue end rule { achievements_enabled }.policy do @@ -230,7 +231,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_usage_quotas enable :read_group_runners - enable :admin_group_runners enable :register_group_runners enable :create_runner diff --git a/app/policies/organizations/organization_policy.rb b/app/policies/organizations/organization_policy.rb index cac8d07811d..1c0d996c7d4 100644 --- a/app/policies/organizations/organization_policy.rb +++ b/app/policies/organizations/organization_policy.rb @@ -2,8 +2,22 @@ module Organizations class OrganizationPolicy < BasePolicy + condition(:organization_user) { @subject.user?(@user) } + + desc 'Organization is public' + condition(:public_organization, scope: :subject, score: 0) { true } + + rule { public_organization }.policy do + enable :read_organization + end + rule { admin }.policy do enable :admin_organization + enable :read_organization + end + + rule { organization_user }.policy do + enable :read_organization end end end diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb index 35161fd95f1..deb6d13dd14 100644 --- a/app/policies/packages/policies/project_policy.rb +++ b/app/policies/packages/policies/project_policy.rb @@ -8,7 +8,8 @@ module Packages overrides(:read_package) condition(:packages_enabled_for_everyone, scope: :subject) do - @subject.package_registry_access_level == ProjectFeature::PUBLIC + @subject.package_registry_access_level == ProjectFeature::PUBLIC && + Gitlab::CurrentSettings.package_registry_allow_anyone_to_pull_option end rule { project.packages_disabled }.policy do diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index ad6155258ab..564215f6e50 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -44,6 +44,9 @@ class ProjectPolicy < BasePolicy desc "Project is public" condition(:public_project, scope: :subject, score: 0) { project.public? } + desc "project is private" + condition(:private_project, scope: :subject, score: 0) { project.private? } + desc "Project is visible to internal users" condition(:internal_access) do project.internal? && !user.external? @@ -55,6 +58,9 @@ class ProjectPolicy < BasePolicy desc "User is a requester of the group" condition(:group_requester, scope: :subject) { project_group_requester? } + desc "User is external" + condition(:external_user) { user.external? } + desc "Project is archived" condition(:archived, scope: :subject, score: 0) { project.archived? } @@ -913,6 +919,8 @@ class ProjectPolicy < BasePolicy prevent :read_project end + rule { ~private_project & guest & external_user }.enable :read_container_image + private def user_is_user? diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb index 1ccc152bc6b..23b1d54b3bf 100644 --- a/app/policies/work_item_policy.rb +++ b/app/policies/work_item_policy.rb @@ -1,13 +1,14 @@ # frozen_string_literal: true class WorkItemPolicy < IssuePolicy + condition(:is_member) { is_project_member? } condition(:is_member_and_author) { is_project_member? & is_author? } rule { can?(:admin_issue) }.enable :admin_work_item - rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item rule { can?(:update_issue) }.enable :update_work_item + rule { can?(:set_issue_metadata) }.enable :set_work_item_metadata rule { can?(:read_issue) }.enable :read_work_item @@ -20,4 +21,6 @@ class WorkItemPolicy < IssuePolicy rule { can?(:reporter_access) }.policy do enable :admin_parent_link end + + rule { is_member & can?(:read_work_item) }.enable :admin_work_item_link end |