Add latest changes from gitlab-org/gitlab@14-1-stable-eev14.1.0-rc42

4 files changed, 36 insertions, 7 deletions

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index ba06b98e906..0b0edc7c452 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -156,6 +156,7 @@ class GroupPolicy < BasePolicy
     enable :set_note_created_at
     enable :set_emails_disabled
     enable :change_prevent_sharing_groups_outside_hierarchy
+    enable :change_new_user_signups_cap
     enable :update_default_branch_protection
     enable :create_deploy_token
     enable :destroy_deploy_token
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3cb4644a60d..85547834a2e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -51,11 +51,12 @@ class ProjectPolicy < BasePolicy
 
   desc "Container registry is disabled"
   condition(:container_registry_disabled, scope: :subject) do
-    if ::Feature.enabled?(:read_container_registry_access_level, @subject&.namespace, default_enabled: :yaml)
-      !access_allowed_to?(:container_registry)
-    else
-      !project.container_registry_enabled
-    end
+    !access_allowed_to?(:container_registry)
+  end
+
+  desc "Container registry is enabled for everyone with access to the project"
+  condition(:container_registry_enabled_for_everyone_with_access, scope: :subject) do
+    project.container_registry_access_level == ProjectFeature::ENABLED
   end
 
   desc "Project has an external wiki"
@@ -158,6 +159,10 @@ class ProjectPolicy < BasePolicy
     ::Feature.enabled?(:build_service_proxy, @subject)
   end
 
+  condition(:respect_protected_tag_for_release_permissions) do
+    ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject, default_enabled: :yaml)
+  end
+
   condition(:user_defined_variables_allowed) do
     !@subject.restrict_user_defined_variables?
   end
@@ -297,10 +302,13 @@ class ProjectPolicy < BasePolicy
     enable :guest_access
 
     enable :build_download_code
-    enable :build_read_container_image
     enable :request_access
   end
 
+  rule { container_registry_enabled_for_everyone_with_access & can?(:public_user_access) }.policy do
+    enable :build_read_container_image
+  end
+
   rule { (can?(:public_user_access) | can?(:reporter_access)) & forking_allowed }.policy do
     enable :fork_project
   end
@@ -649,6 +657,10 @@ class ProjectPolicy < BasePolicy
 
   rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
 
+  rule { respect_protected_tag_for_release_permissions & can?(:developer_access) }.policy do
+    enable :destroy_release
+  end
+
   rule { can?(:download_code) }.policy do
     enable :read_repository_graphs
   end
diff --git a/app/policies/release_policy.rb b/app/policies/release_policy.rb
index d7f9e5d7445..bff80d83bef 100644
--- a/app/policies/release_policy.rb
+++ b/app/policies/release_policy.rb
@@ -2,4 +2,20 @@
 
 class ReleasePolicy < BasePolicy
   delegate { @subject.project }
+
+  condition(:protected_tag) do
+    access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
+
+    !access.can_create_tag?(@subject.tag)
+  end
+
+  condition(:respect_protected_tag) do
+    ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject.project, default_enabled: :yaml)
+  end
+
+  rule { respect_protected_tag & protected_tag }.policy do
+    prevent :create_release
+    prevent :update_release
+    prevent :destroy_release
+  end
 end
diff --git a/app/policies/releases/link_policy.rb b/app/policies/releases/link_policy.rb
index 4a662fafb2f..67a94733c7d 100644
--- a/app/policies/releases/link_policy.rb
+++ b/app/policies/releases/link_policy.rb
@@ -2,6 +2,6 @@
 
 module Releases
   class LinkPolicy < BasePolicy
-    delegate { @subject.release.project }
+    delegate { @subject.release }
   end
 end