authorGitLab Bot <gitlab-bot@gitlab.com>2022-09-20 02:18:09 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-09-20 02:18:09 +0300
commit6ed4ec3e0b1340f96b7c043ef51d1b33bbe85fde (patch)
treedc4d20fe6064752c0bd323187252c77e0a89144b /app/policies
parent9868dae7fc0655bd7ce4a6887d4e6d487690eeed (diff)
Add latest changes from gitlab-org/gitlab@15-4-stable-eev15.4.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/ci/build_policy.rb8
-rw-r--r--app/policies/ci/job_artifact_policy.rb7
-rw-r--r--app/policies/ci/runner_policy.rb52
-rw-r--r--app/policies/group_policy.rb22
-rw-r--r--app/policies/issuable_policy.rb5
-rw-r--r--app/policies/packages/package_policy.rb2
-rw-r--r--app/policies/packages/policies/group_policy.rb27
-rw-r--r--app/policies/packages/policies/project_policy.rb54
-rw-r--r--app/policies/project_policy.rb8
-rw-r--r--app/policies/protected_branch_access_policy.rb5
-rw-r--r--app/policies/protected_branch_policy.rb1
11 files changed, 174 insertions, 17 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index f377ff85b5e..b657b569e3e 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -2,6 +2,8 @@
module Ci
class BuildPolicy < CommitStatusPolicy
+ delegate { @subject.project }
+
condition(:protected_ref) do
access = ::Gitlab::UserAccess.new(@user, container: @subject.project)
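Review bot: The new `delegate { @subject.project }` on the first added line makes every ability of the project policy answerable on a `Ci::Build` subject, not just the build-specific ones the enable/prevent rules below spell out; if `CommitStatusPolicy` already delegates to the project (not visible here) the line is redundant, and if it does not this is a wider grant than the surrounding rules express. Either way a one-line comment naming the abilities this delegation is meant to supply, e.g. `# Resolve project-level abilities (read_build etc.) on the build subject.`, would let a reviewer check the intended scope. The `protected_ref` condition and the rest of the class continue outside this hunk.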
@@ -25,6 +27,10 @@ module Ci
false
end
+ condition(:prevent_rollback) do
+ @subject.prevent_rollback_deployment?
+ end
+
condition(:owner_of_job) do
@subject.triggered_by?(@user)
end
@@ -71,7 +77,7 @@ module Ci
# Authorizing the user to access to protected entities.
# There is a "jailbreak" mode to exceptionally bypass the authorization,
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
- rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
+ rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment | prevent_rollback) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
diff --git a/app/policies/ci/job_artifact_policy.rb b/app/policies/ci/job_artifact_policy.rb
new file mode 100644
index 00000000000..e25c7311565
--- /dev/null
+++ b/app/policies/ci/job_artifact_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class JobArtifactPolicy < BasePolicy
+ delegate { @subject.job.project }
+ end
+end
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 8a99f4d1a3e..a52dac446ea 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -9,19 +9,65 @@ module Ci
@user.owns_runner?(@subject)
end
- condition(:belongs_to_multiple_projects) do
+ with_options scope: :subject, score: 0
+ condition(:is_instance_runner) do
+ @subject.instance_type?
+ end
+
+ with_options scope: :subject, score: 0
+ condition(:is_group_runner) do
+ @subject.group_type?
+ end
+
+ with_options scope: :user, score: 5
+ condition(:any_developer_groups_inheriting_shared_runners) do
+ @user.developer_groups.with_shared_runners_enabled.any?
+ end
+
+ with_options scope: :user, score: 5
+ condition(:any_developer_projects_inheriting_shared_runners) do
+ @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+ end
+
+ with_options score: 10
+ condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
+ # Check if any projects where user is a developer are inheriting group runners
+ @subject.groups&.any? do |group|
+ group.all_projects
+ .with_group_runners_enabled
+ .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+ .exists?
+ end
+ end
+
+ condition(:belongs_to_multiple_projects, scope: :subject) do
@subject.belongs_to_more_than_one_project?
end
rule { anonymous }.prevent_all
- rule { admin }.policy do
+ rule { admin | owned_runner }.policy do
enable :read_builds
end
rule { admin | owned_runner }.policy do
- enable :assign_runner
enable :read_runner
+ end
+
+ rule { is_instance_runner & any_developer_groups_inheriting_shared_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { is_group_runner & any_associated_projects_in_group_runner_inheriting_group_runners }.policy do
+ enable :read_runner
+ end
+
+ rule { admin | owned_runner }.policy do
+ enable :assign_runner
enable :update_runner
enable :delete_runner
end
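Review bot: The new rule set declares `rule { admin | owned_runner }` three separate times (enabling `read_builds`, `read_runner`, and `assign_runner`/`update_runner`/`delete_runner`); the same condition evaluated three times reads as if the grants differ when they do not, so the three blocks could be merged into a single `rule { admin | owned_runner }.policy do ... end` listing all five abilities. Separately, `any_associated_projects_in_group_runner_inheriting_group_runners` runs one `exists?` query per group in `@subject.groups`; if a runner can be attached to many groups that becomes a per-group query inside a permission check, which is worth noting in the comment above it (the `score: 10` suggests this is already considered expensive). The class continues outside this hunk.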
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 44393539327..96da0518dc0 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -59,6 +59,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
end
+ condition(:observability_enabled) do
+ Feature.enabled?(:observability_group_tab, @subject)
+ end
+
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
@user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
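Review bot: `condition(:observability_enabled)` depends only on `@subject` (a feature-flag check on the group), yet it is declared without a scope, unlike the subject-only conditions elsewhere in this diff (e.g. `condition(:package_registry_access_level_feature_flag_enabled, scope: :subject)` in packages/policies/project_policy.rb); declaring it as `condition(:observability_enabled, scope: :subject) do` keeps it consistent and avoids re-evaluating the flag per user. A `desc` line such as `desc "Observability group tab feature flag is enabled"` would also match the `desc "Deploy token with read_package_registry scope"` style used for the neighbouring condition.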
@@ -82,10 +86,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
end
- condition(:change_prevent_sharing_groups_outside_hierarchy_available) do
- change_prevent_sharing_groups_outside_hierarchy_available?
- end
-
rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
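Review bot: Removing the `change_prevent_sharing_groups_outside_hierarchy_available` condition (and, in the last hunk of this file, the `change_prevent_sharing_groups_outside_hierarchy_available?` method that always returned `true`) also removes what looks like an override seam, since the file ends with `GroupPolicy.prepend_mod_with('GroupPolicy')`; if a prepended module still overrides that predicate it now has no effect, and the ability is granted unconditionally to owners via the new `enable :change_prevent_sharing_groups_outside_hierarchy` line. Worth confirming no prepended module defines that method before the hook disappears. The class continues outside this hunk.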
@@ -196,6 +196,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :set_note_created_at
enable :set_emails_disabled
+ enable :change_prevent_sharing_groups_outside_hierarchy
+ enable :set_show_diff_preview_in_email
enable :change_new_user_signups_cap
enable :update_default_branch_protection
enable :create_deploy_token
@@ -204,10 +206,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :owner_access
end
- rule { owner & change_prevent_sharing_groups_outside_hierarchy_available }.policy do
- enable :change_prevent_sharing_groups_outside_hierarchy
- end
-
rule { can?(:read_nested_project_resources) }.policy do
enable :read_group_activity
enable :read_group_issues
@@ -299,6 +297,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :destroy_resource_access_tokens
end
+ rule { can?(:developer_access) & observability_enabled }.policy do
+ enable :read_observability
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
@@ -335,10 +337,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
def valid_dependency_proxy_deploy_token
@user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
end
-
- def change_prevent_sharing_groups_outside_hierarchy_available?
- true
- end
end
GroupPolicy.prepend_mod_with('GroupPolicy')
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 3c5e1020c8a..e5913bab726 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -5,6 +5,7 @@ class IssuablePolicy < BasePolicy
condition(:locked, scope: :subject, score: 0) { @subject.discussion_locked? }
condition(:is_project_member) { @user && @subject.project && @subject.project.team.member?(@user) }
+ condition(:can_read_issuable) { can?(:"read_#{@subject.to_ability_name}") }
desc "User is the assignee or author"
condition(:assignee_or_author) do
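Review bot: The new `can_read_issuable` condition builds its ability name dynamically from `@subject.to_ability_name` and, unlike the `assignee_or_author` condition right below it, carries no `desc`; a reader cannot tell from the line which abilities it may resolve to. Adding `desc "User can read the concrete issuable type"` above it, consistent with the neighbouring condition, would document that. The class and the `assignee_or_author` body continue outside this hunk.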
@@ -48,6 +49,10 @@ class IssuablePolicy < BasePolicy
rule { can?(:reporter_access) }.policy do
enable :create_timelog
end
+
+ rule { can_read_issuable }.policy do
+ enable :read_issuable
+ end
end
IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/packages/package_policy.rb b/app/policies/packages/package_policy.rb
index 8eef280c640..829d62a6430 100644
--- a/app/policies/packages/package_policy.rb
+++ b/app/policies/packages/package_policy.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
module Packages
class PackagePolicy < BasePolicy
- delegate { @subject.project }
+ delegate { @subject.project&.packages_policy_subject }
end
end
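Review bot: With the safe-navigation operator added, a package whose `project` is `nil` now makes the delegate block return `nil` instead of raising; if DeclarativePolicy skips a nil delegate (I cannot confirm that from here), such a package quietly loses every project-derived ability, which is the safe failure direction but is invisible to the reader. A comment on that line, e.g. `# nil project => no delegated abilities (package is not readable)`, would record the intent; if nil delegates are not skipped, the behaviour needs checking.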
diff --git a/app/policies/packages/policies/group_policy.rb b/app/policies/packages/policies/group_policy.rb
new file mode 100644
index 00000000000..32dbcb1b65b
--- /dev/null
+++ b/app/policies/packages/policies/group_policy.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Packages
+ module Policies
+ class GroupPolicy < BasePolicy
+ delegate(:group) { @subject.group }
+
+ overrides(:read_package)
+
+ rule { group.public_group }.policy do
+ enable :read_package
+ end
+
+ rule { group.reporter }.policy do
+ enable :read_package
+ end
+
+ rule { group.read_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { group.write_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+ end
+ end
+end
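Review bot: This policy consists only of `enable :read_package` rules with no `prevent`, whereas the sibling `Packages::Policies::ProjectPolicy` introduced in this same commit has `prevent(:read_package)` for `project.packages_disabled`; combined with `overrides(:read_package)`, `read_package` on a group subject is therefore granted purely by public/reporter/deploy-token status. If a group-level package registry can be disabled (not visible here), a matching `prevent` rule is missing. A header comment naming the expected subject (something responding to `#group`) and the reason for `overrides(:read_package)` would also help, since the class has no documentation.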
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
new file mode 100644
index 00000000000..c754d24349a
--- /dev/null
+++ b/app/policies/packages/policies/project_policy.rb
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Packages
+ module Policies
+ class ProjectPolicy < BasePolicy
+ delegate(:project) { @subject.project }
+
+ overrides(:read_package)
+
+ condition(:package_registry_access_level_feature_flag_enabled, scope: :subject) do
+ ::Feature.enabled?(:package_registry_access_level, @subject)
+ end
+
+ condition(:packages_enabled_for_everyone, scope: :subject) do
+ @subject.package_registry_access_level == ProjectFeature::PUBLIC
+ end
+
+ # This rule can be removed if the `package_registry_access_level` feature flag is removed.
+ # Reason: If the feature flag is globally enabled, this rule will never be executed.
+ rule { anonymous & ~project.public_project & ~package_registry_access_level_feature_flag_enabled }.prevent_all
+
+ # This rule can be removed if the `package_registry_access_level` feature flag is removed.
+ # Reason: If the feature flag is globally enabled, this rule will never be executed.
+ rule do
+ ~project.public_project & ~project.internal_access &
+ ~project.project_allowed_for_job_token & ~package_registry_access_level_feature_flag_enabled
+ end.prevent_all
+
+ rule { project.packages_disabled }.policy do
+ prevent(:read_package)
+ end
+
+ rule { can?(:reporter_access) }.policy do
+ enable :read_package
+ end
+
+ rule { can?(:public_access) }.policy do
+ enable :read_package
+ end
+
+ rule { project.read_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { project.write_package_registry_deploy_token }.policy do
+ enable :read_package
+ end
+
+ rule { package_registry_access_level_feature_flag_enabled & packages_enabled_for_everyone }.policy do
+ enable :read_package
+ end
+ end
+ end
+end
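Review bot: Both new conditions read from `@subject` directly (`::Feature.enabled?(:package_registry_access_level, @subject)` and `@subject.package_registry_access_level`), but the `delegate(:project) { @subject.project }` line shows that `@subject` is a wrapper around the project rather than the project itself; for the feature-flag check in particular, the actor passed to `Feature.enabled?` should be something with a stable flipper identity, so unless the wrapper provides one, `::Feature.enabled?(:package_registry_access_level, @subject.project)` is the safer form. The two `prevent_all` rules are documented as removable once the flag is gone, which is good; a similar comment on the final `packages_enabled_for_everyone` rule stating that it intentionally grants `read_package` to anonymous users on non-public projects would make that authorization widening explicit.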
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f4f7275a78a..fb162d03955 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -208,6 +208,7 @@ class ProjectPolicy < BasePolicy
metrics_dashboard
analytics
operations
+ monitor
security_and_compliance
environments
feature_flags
@@ -267,6 +268,7 @@ class ProjectPolicy < BasePolicy
enable :set_note_created_at
enable :set_emails_disabled
enable :set_show_default_award_emojis
+ enable :set_show_diff_preview_in_email
enable :set_warn_about_potentially_unwanted_characters
enable :register_project_runners
@@ -401,6 +403,12 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:release))
end
+ rule { split_operations_visibility_permissions & monitor_disabled }.policy do
+ prevent(:metrics_dashboard)
+ prevent(*create_read_update_admin_destroy(:sentry_issue))
+ prevent(*create_read_update_admin_destroy(:alert_management_alert))
+ end
+
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
enable :read_deployment
diff --git a/app/policies/protected_branch_access_policy.rb b/app/policies/protected_branch_access_policy.rb
new file mode 100644
index 00000000000..4f33af89d2a
--- /dev/null
+++ b/app/policies/protected_branch_access_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProtectedBranchAccessPolicy < BasePolicy
+ delegate { @subject.protected_branch }
+end
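Review bot: The new class has no comment saying which abilities callers are expected to check on a protected-branch access entry; since the bare `delegate` forwards every ability to `ProtectedBranchPolicy`, a one-line comment such as `# Access-level entries inherit all abilities of their protected branch (see ProtectedBranchPolicy).` would make that resolution path explicit for readers of this file alone.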
diff --git a/app/policies/protected_branch_policy.rb b/app/policies/protected_branch_policy.rb
index 8ad06653e5c..2be96ea7f24 100644
--- a/app/policies/protected_branch_policy.rb
+++ b/app/policies/protected_branch_policy.rb
@@ -4,6 +4,7 @@ class ProtectedBranchPolicy < BasePolicy
delegate { @subject.project }
rule { can?(:admin_project) }.policy do
+ enable :read_protected_branch
enable :create_protected_branch
enable :update_protected_branch
enable :destroy_protected_branch