authorGitLab Bot <gitlab-bot@gitlab.com>2020-08-20 21:42:06 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2020-08-20 21:42:06 +0300
commit6e4e1050d9dba2b7b2523fdd1768823ab85feef4 (patch)
tree78be5963ec075d80116a932011d695dd33910b4e /app/policies
parent1ce776de4ae122aba3f349c02c17cebeaa8ecf07 (diff)
Add latest changes from gitlab-org/gitlab@13-3-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/ci/pipeline_policy.rb2
-rw-r--r--app/policies/concerns/crud_policy_helpers.rb10
-rw-r--r--app/policies/concerns/readonly_abilities.rb52
-rw-r--r--app/policies/group_deploy_key_policy.rb8
-rw-r--r--app/policies/group_deploy_keys_group_policy.rb9
-rw-r--r--app/policies/group_policy.rb1
-rw-r--r--app/policies/issue_policy.rb7
-rw-r--r--app/policies/personal_access_token_policy.rb10
-rw-r--r--app/policies/project_policy.rb54
-rw-r--r--app/policies/prometheus_alert_policy.rb5
-rw-r--r--app/policies/suggestion_policy.rb2
-rw-r--r--app/policies/user_policy.rb1
13 files changed, 125 insertions, 38 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 0879a740f8a..cc66ad0577d 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -3,7 +3,7 @@
module Ci
class BuildPolicy < CommitStatusPolicy
condition(:protected_ref) do
- access = ::Gitlab::UserAccess.new(@user, project: @subject.project)
+ access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
if @subject.tag?
!access.can_create_tag?(@subject.ref)
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 662c29a0973..4d21da0226b 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -42,7 +42,7 @@ module Ci
end
def ref_protected?(user, project, tag, ref)
- access = ::Gitlab::UserAccess.new(user, project: project)
+ access = ::Gitlab::UserAccess.new(user, container: project)
if tag
!access.can_create_tag?(ref)
diff --git a/app/policies/concerns/crud_policy_helpers.rb b/app/policies/concerns/crud_policy_helpers.rb
index d8521ca22cc..029c196cc5f 100644
--- a/app/policies/concerns/crud_policy_helpers.rb
+++ b/app/policies/concerns/crud_policy_helpers.rb
@@ -13,10 +13,16 @@ module CrudPolicyHelpers
def create_update_admin_destroy(name)
[
+ *create_update_admin(name),
+ :"destroy_#{name}"
+ ]
+ end
+
+ def create_update_admin(name)
+ [
:"create_#{name}",
:"update_#{name}",
- :"admin_#{name}",
- :"destroy_#{name}"
+ :"admin_#{name}"
]
end
end
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
new file mode 100644
index 00000000000..a267e963541
--- /dev/null
+++ b/app/policies/concerns/readonly_abilities.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+module ReadonlyAbilities
+ extend ActiveSupport::Concern
+
+ READONLY_ABILITIES = %i[
+ admin_tag
+ push_code
+ push_to_delete_protected_branch
+ request_access
+ upload_file
+ resolve_note
+ create_merge_request_from
+ create_merge_request_in
+ award_emoji
+ ].freeze
+
+ READONLY_FEATURES = %i[
+ issue
+ list
+ merge_request
+ label
+ milestone
+ snippet
+ wiki
+ design
+ note
+ pipeline
+ pipeline_schedule
+ build
+ trigger
+ environment
+ deployment
+ commit_status
+ container_image
+ pages
+ cluster
+ release
+ ].freeze
+
+ class_methods do
+ def readonly_abilities
+ READONLY_ABILITIES
+ end
+
+ def readonly_features
+ READONLY_FEATURES
+ end
+ end
+end
+
+ReadonlyAbilities::ClassMethods.prepend_if_ee('EE::ReadonlyAbilities::ClassMethods')
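Review bot: `ReadonlyAbilities` carries no comment saying what the two lists mean or who consumes them, which matters because `ProjectPolicy` later in this commit prevents every entry under `rule { archived }` and EE can extend both lists through the `prepend_if_ee` on the last line. A short header above `module ReadonlyAbilities` would do: `# Abilities (READONLY_ABILITIES) and CRUD-able feature names (READONLY_FEATURES) that a policy prevents when its subject is read-only, e.g. an archived project. EE extends both lists by prepending EE::ReadonlyAbilities::ClassMethods.` The constant this replaces was named `READONLY_FEATURES_WHEN_ARCHIVED`, so the "when archived" intent that the new `READONLY_FEATURES` name drops would otherwise survive nowhere.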
diff --git a/app/policies/group_deploy_key_policy.rb b/app/policies/group_deploy_key_policy.rb
new file mode 100644
index 00000000000..642ed4d79ed
--- /dev/null
+++ b/app/policies/group_deploy_key_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class GroupDeployKeyPolicy < BasePolicy
+ with_options scope: :subject, score: 0
+ condition(:user_owns_group_deploy_key) { @subject.user_id == @user.id }
+
+ rule { user_owns_group_deploy_key }.enable :update_group_deploy_key
+end
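Review bot: The condition on the `user_owns_group_deploy_key` line dereferences `@user.id` with no nil guard, whereas the new `PersonalAccessTokenPolicy` in this same commit writes `user && subject.user_id == user.id`; if this policy is ever evaluated for an anonymous user the block raises instead of answering false. The same condition is declared under `with_options scope: :subject`, and as far as I recall DeclarativePolicy caches a subject-scoped condition keyed on the subject alone, so a block that also reads `@user` can hand a cached ownership answer to a different user within one cache lifetime; `GroupDeployKeysGroupPolicy` in the next hunk (`user_is_group_owner`, also reading `@user` under `scope: :subject`) has the same shape. I would drop the `with_options` line for this condition and write `condition(:user_owns_group_deploy_key) { @user && @subject.user_id == @user.id }`.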
diff --git a/app/policies/group_deploy_keys_group_policy.rb b/app/policies/group_deploy_keys_group_policy.rb
new file mode 100644
index 00000000000..9275d576923
--- /dev/null
+++ b/app/policies/group_deploy_keys_group_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class GroupDeployKeysGroupPolicy < BasePolicy
+ with_options scope: :subject, score: 0
+ delegate { @subject.group }
+ condition(:user_is_group_owner) { @subject.group.has_owner?(@user) }
+
+ rule { user_is_group_owner }.enable :update_group_deploy_key_for_group
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 92cba5f8f7d..3cc1be9dfb7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -138,6 +138,7 @@ class GroupPolicy < BasePolicy
enable :read_group_labels
enable :read_group_milestones
enable :read_group_merge_requests
+ enable :read_group_build_report_results
end
rule { can?(:read_cross_project) & can?(:read_group) }.policy do
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 28baa0d8338..b02bb8621ed 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -35,8 +35,15 @@ class IssuePolicy < IssuablePolicy
prevent :destroy_design
end
+ rule { ~can?(:read_design) }.policy do
+ prevent :move_design
+ end
+
rule { locked | moved }.policy do
prevent :create_design
+ prevent :move_design
prevent :destroy_design
end
end
+
+IssuePolicy.prepend_if_ee('EE::IssuePolicy')
diff --git a/app/policies/personal_access_token_policy.rb b/app/policies/personal_access_token_policy.rb
new file mode 100644
index 00000000000..1e5404b7822
--- /dev/null
+++ b/app/policies/personal_access_token_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class PersonalAccessTokenPolicy < BasePolicy
+ condition(:is_owner) { user && subject.user_id == user.id }
+
+ rule { (is_owner | admin) & ~blocked }.policy do
+ enable :read_token
+ enable :revoke_token
+ end
+end
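Review bot: `is_owner` uses the `is_` prefix that the surrounding policies avoid — `ProjectPolicy` declares `condition :owner` and the other new files in this commit use descriptive names such as `user_owns_group_deploy_key` — so `condition(:owner) { user && subject.user_id == user.id }` and `rule { (owner | admin) & ~blocked }` would keep the naming consistent. The rule reads as deliberately letting `admin` act on another user's token, since `admin` alone satisfies the disjunction; a one-line comment above the rule, `# Administrators may read and revoke tokens they do not own.`, would record that intent for the next reader.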
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3a245119cb7..b2432bfa608 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -2,29 +2,7 @@
class ProjectPolicy < BasePolicy
include CrudPolicyHelpers
-
- READONLY_FEATURES_WHEN_ARCHIVED = %i[
- issue
- list
- merge_request
- label
- milestone
- snippet
- wiki
- design
- note
- pipeline
- pipeline_schedule
- build
- trigger
- environment
- deployment
- commit_status
- container_image
- pages
- cluster
- release
- ].freeze
+ include ReadonlyAbilities
desc "User is a project owner"
condition :owner do
@@ -124,6 +102,11 @@ class ProjectPolicy < BasePolicy
end
with_scope :subject
+ condition(:moving_designs_disabled) do
+ !::Feature.enabled?(:reorder_designs, @subject, default_enabled: true)
+ end
+
+ with_scope :subject
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
# We aren't checking `:read_issue` or `:read_merge_request` in this case
@@ -248,6 +231,7 @@ class ProjectPolicy < BasePolicy
enable :admin_issue
enable :admin_label
enable :admin_list
+ enable :admin_issue_link
enable :read_commit_status
enable :read_build
enable :read_container_image
@@ -258,11 +242,13 @@ class ProjectPolicy < BasePolicy
enable :read_merge_request
enable :read_sentry_issue
enable :update_sentry_issue
+ enable :read_incidents
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :metrics_dashboard
enable :read_confidential_issues
enable :read_package
+ enable :read_product_analytics
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -340,8 +326,10 @@ class ProjectPolicy < BasePolicy
enable :read_alert_management_alert
enable :update_alert_management_alert
enable :create_design
+ enable :move_design
enable :destroy_design
enable :read_terraform_state
+ enable :read_pod_logs
end
rule { can?(:developer_access) & user_confirmed? }.policy do
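Review bot: `enable :read_pod_logs` is added to what appears to be the developer-level block here while the hunk at `@@ -381,7 +369,6 @@` removes it from the block that holds `admin_operations` and the deploy-token abilities, so the ability moves to a lower access level without any comment recording why. Since this is a widening of who can read pod output, a short comment next to the new line, `# read_pod_logs moved down from the maintainer rule; developers need it for the logs explorer`, or whatever the actual rationale is, would keep the reason reviewable. The rule blocks on both sides of the move start outside their hunks, so the exact access levels are inferred from the neighbouring abilities rather than visible.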
@@ -381,7 +369,6 @@ class ProjectPolicy < BasePolicy
enable :admin_operations
enable :read_deploy_token
enable :create_deploy_token
- enable :read_pod_logs
enable :destroy_deploy_token
enable :read_prometheus_alerts
enable :admin_terraform_state
@@ -403,16 +390,9 @@ class ProjectPolicy < BasePolicy
rule { can?(:push_code) }.enable :admin_tag
rule { archived }.policy do
- prevent :push_code
- prevent :push_to_delete_protected_branch
- prevent :request_access
- prevent :upload_file
- prevent :resolve_note
- prevent :create_merge_request_from
- prevent :create_merge_request_in
- prevent :award_emoji
+ prevent(*readonly_abilities)
- READONLY_FEATURES_WHEN_ARCHIVED.each do |feature|
+ readonly_features.each do |feature|
prevent(*create_update_admin_destroy(feature))
end
end
@@ -499,6 +479,8 @@ class ProjectPolicy < BasePolicy
enable :read_note
enable :read_pipeline
enable :read_pipeline_schedule
+ enable :read_environment
+ enable :read_deployment
enable :read_commit_status
enable :read_container_image
enable :download_code
@@ -563,6 +545,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:read_issue) }.policy do
enable :read_design
enable :read_design_activity
+ enable :read_issue_link
end
# Design abilities could also be prevented in the issue policy.
@@ -571,6 +554,11 @@ class ProjectPolicy < BasePolicy
prevent :read_design_activity
prevent :create_design
prevent :destroy_design
+ prevent :move_design
+ end
+
+ rule { moving_designs_disabled }.policy do
+ prevent :move_design
end
rule { read_package_registry_deploy_token }.policy do
diff --git a/app/policies/prometheus_alert_policy.rb b/app/policies/prometheus_alert_policy.rb
new file mode 100644
index 00000000000..e6b0e6e8c17
--- /dev/null
+++ b/app/policies/prometheus_alert_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class PrometheusAlertPolicy < ::BasePolicy
+ delegate { @subject.project }
+end
diff --git a/app/policies/suggestion_policy.rb b/app/policies/suggestion_policy.rb
index 301b7d965f5..4c84c8ba690 100644
--- a/app/policies/suggestion_policy.rb
+++ b/app/policies/suggestion_policy.rb
@@ -4,7 +4,7 @@ class SuggestionPolicy < BasePolicy
delegate { @subject.project }
condition(:can_push_to_branch) do
- Gitlab::UserAccess.new(@user, project: @subject.project).can_push_to_branch?(@subject.branch)
+ Gitlab::UserAccess.new(@user, container: @subject.project).can_push_to_branch?(@subject.branch)
end
rule { can_push_to_branch }.enable :apply_suggestion
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 43f472b4c1d..6ebafca9885 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -20,6 +20,7 @@ class UserPolicy < BasePolicy
enable :destroy_user
enable :update_user
enable :update_user_status
+ enable :read_user_personal_access_tokens
end
rule { default }.enable :read_user_profile