Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/policies
diff options
context:
space:
mode:
authorGitLab Bot <gitlab-bot@gitlab.com>2022-11-17 14:33:21 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2022-11-17 14:33:21 +0300
commit7021455bd1ed7b125c55eb1b33c5a01f2bc55ee0 (patch)
tree5bdc2229f5198d516781f8d24eace62fc7e589e9 /app/policies
parent185b095e93520f96e9cfc31d9c3e69b498cdab7c (diff)
Add latest changes from gitlab-org/gitlab@15-6-stable-eev15.6.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/blob_policy.rb2
-rw-r--r--app/policies/ci/build_policy.rb8
-rw-r--r--app/policies/commit_policy.rb2
-rw-r--r--app/policies/commit_signatures/gpg_signature_policy.rb7
-rw-r--r--app/policies/commit_signatures/x509_commit_signature_policy.rb7
-rw-r--r--app/policies/concerns/member_policy_helpers.rb19
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--app/policies/group_member_policy.rb14
-rw-r--r--app/policies/group_policy.rb7
-rw-r--r--app/policies/incident_management/timeline_event_tag_policy.rb7
-rw-r--r--app/policies/issuable_policy.rb2
-rw-r--r--app/policies/note_policy.rb2
-rw-r--r--app/policies/packages/policies/project_policy.rb2
-rw-r--r--app/policies/project_member_policy.rb15
-rw-r--r--app/policies/project_policy.rb31
-rw-r--r--app/policies/user_policy.rb1
16 files changed, 109 insertions, 19 deletions
diff --git a/app/policies/blob_policy.rb b/app/policies/blob_policy.rb
index 639b9dfeea7..8220b035603 100644
--- a/app/policies/blob_policy.rb
+++ b/app/policies/blob_policy.rb
@@ -3,5 +3,5 @@
class BlobPolicy < BasePolicy
delegate { @subject.project }
- rule { can?(:download_code) }.enable :read_blob
+ rule { can?(:read_code) }.enable :read_blob
end
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index b657b569e3e..5ef926ef2e3 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -27,8 +27,8 @@ module Ci
false
end
- condition(:prevent_rollback) do
- @subject.prevent_rollback_deployment?
+ condition(:outdated_deployment) do
+ @subject.outdated_deployment?
end
condition(:owner_of_job) do
@@ -77,12 +77,14 @@ module Ci
# Authorizing the user to access to protected entities.
# There is a "jailbreak" mode to exceptionally bypass the authorization,
# however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
- rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment | prevent_rollback) }.policy do
+ rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
end
+ rule { outdated_deployment }.prevent :update_build
+
rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
rule { can?(:public_access) & branch_allows_collaboration }.policy do
diff --git a/app/policies/commit_policy.rb b/app/policies/commit_policy.rb
index 4b358c45ec2..66ec2c5ce56 100644
--- a/app/policies/commit_policy.rb
+++ b/app/policies/commit_policy.rb
@@ -3,6 +3,6 @@
class CommitPolicy < BasePolicy
delegate { @subject.project }
- rule { can?(:download_code) }.enable :read_commit
+ rule { can?(:read_code) }.enable :read_commit
rule { ~can?(:read_commit) }.prevent :create_note
end
diff --git a/app/policies/commit_signatures/gpg_signature_policy.rb b/app/policies/commit_signatures/gpg_signature_policy.rb
new file mode 100644
index 00000000000..518a289c1f3
--- /dev/null
+++ b/app/policies/commit_signatures/gpg_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class GpgSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/commit_signatures/x509_commit_signature_policy.rb b/app/policies/commit_signatures/x509_commit_signature_policy.rb
new file mode 100644
index 00000000000..6b2477797fc
--- /dev/null
+++ b/app/policies/commit_signatures/x509_commit_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class X509CommitSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/concerns/member_policy_helpers.rb b/app/policies/concerns/member_policy_helpers.rb
new file mode 100644
index 00000000000..6c4a3caf8bf
--- /dev/null
+++ b/app/policies/concerns/member_policy_helpers.rb
@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module MemberPolicyHelpers
+ extend ActiveSupport::Concern
+
+ private
+
+ def record_is_access_request_of_self?
+ record_is_access_request? && record_belongs_to_self?
+ end
+
+ def record_is_access_request?
+ @subject.request? # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+
+ def record_belongs_to_self?
+ @user && @subject.user == @user # rubocop:disable Gitlab/ModuleWithInstanceVariables
+ end
+end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 406144b7a5c..fa7b117f3cd 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -120,8 +120,6 @@ class GlobalPolicy < BasePolicy
# We can't use `read_statistics` because the user may have different permissions for different projects
rule { admin }.enable :use_project_statistics_filters
- rule { admin }.enable :delete_runners
-
rule { external_user }.prevent :create_snippet
end
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index a394b63fc8e..f61f758a8e8 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class GroupMemberPolicy < BasePolicy
+ include MemberPolicyHelpers
+
delegate :group
with_scope :subject
@@ -9,7 +11,11 @@ class GroupMemberPolicy < BasePolicy
desc "Membership is users' own"
with_score 0
- condition(:is_target_user) { @user && @subject.user_id == @user.id }
+ condition(:target_is_self) { record_belongs_to_self? }
+
+ desc "Membership is users' own access request"
+ with_score 0
+ condition(:access_request_of_self) { record_is_access_request_of_self? }
rule { anonymous }.policy do
prevent :update_group_member
@@ -28,9 +34,13 @@ class GroupMemberPolicy < BasePolicy
rule { project_bot & can?(:admin_group_member) }.enable :destroy_project_bot_member
- rule { is_target_user }.policy do
+ rule { target_is_self }.policy do
enable :destroy_group_member
end
+
+ rule { access_request_of_self }.policy do
+ enable :withdraw_member_access_request
+ end
end
GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7a0fb10928a..806c57bab74 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -22,7 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? }
condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? }
condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) }
- condition(:migration_bot, scope: :user) { @user.migration_bot? }
+ condition(:migration_bot, scope: :user) { @user&.migration_bot? }
condition(:can_read_group_member) { can_read_group_member? }
desc "User is a project bot"
@@ -283,6 +283,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
prevent :create_resource_access_tokens
end
+ rule { can?(:admin_group_member) }.policy do
+ # ability to read, approve or reject member access requests of other users
+ enable :admin_member_access_request
+ end
+
rule { support_bot & has_project_with_service_desk_enabled }.policy do
enable :read_label
end
diff --git a/app/policies/incident_management/timeline_event_tag_policy.rb b/app/policies/incident_management/timeline_event_tag_policy.rb
new file mode 100644
index 00000000000..e2268d917b4
--- /dev/null
+++ b/app/policies/incident_management/timeline_event_tag_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module IncidentManagement
+ class TimelineEventTagPolicy < ::BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index df065b24e64..aa07bb7dc5f 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -56,7 +56,7 @@ class IssuablePolicy < BasePolicy
end
# This rule replicates permissions in NotePolicy#can_read_confidential
- rule { can?(:reporter_access) | assignee_or_author | admin }.policy do
+ rule { can?(:reporter_access) | admin }.policy do
enable :read_internal_note
end
end
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index dbfc63a0069..67b57595beb 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -23,7 +23,7 @@ class NotePolicy < BasePolicy
# Should be matched with IssuablePolicy#read_internal_note
# and EpicPolicy#read_internal_note
condition(:can_read_confidential) do
- access_level >= Gitlab::Access::REPORTER || @subject.noteable_assignee_or_author?(@user) || admin?
+ access_level >= Gitlab::Access::REPORTER || admin?
end
rule { ~editable }.prevent :admin_note
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
index c754d24349a..0fb5953f2aa 100644
--- a/app/policies/packages/policies/project_policy.rb
+++ b/app/policies/packages/policies/project_policy.rb
@@ -52,3 +52,5 @@ module Packages
end
end
end
+
+Packages::Policies::ProjectPolicy.prepend_mod_with('Packages::Policies::ProjectPolicy')
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index 40ba30fce5e..bcfc7c87d41 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -1,13 +1,18 @@
# frozen_string_literal: true
class ProjectMemberPolicy < BasePolicy
+ include MemberPolicyHelpers
delegate { @subject.project }
condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do
@subject.project.personal_namespace_holder?(@subject.user)
end
- condition(:target_is_self) { @user && @subject.user == @user }
+ desc "Membership is users' own access request"
+ with_score 0
+ condition(:access_request_of_self) { record_is_access_request_of_self? }
+
+ condition(:target_is_self) { record_belongs_to_self? }
condition(:project_bot) { @subject.user&.project_bot? }
rule { anonymous }.prevent_all
@@ -24,5 +29,11 @@ class ProjectMemberPolicy < BasePolicy
rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member
- rule { target_is_self }.enable :destroy_project_member
+ rule { target_is_self }.policy do
+ enable :destroy_project_member
+ end
+
+ rule { access_request_of_self }.policy do
+ enable :withdraw_member_access_request
+ end
end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 77bdf9d62fc..bfeb1a602ab 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -195,8 +195,6 @@ class ProjectPolicy < BasePolicy
with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled }
- condition(:work_items_enabled, scope: :subject) { project&.work_items_feature_flag_enabled? }
-
features = %w[
merge_requests
issues
@@ -213,6 +211,7 @@ class ProjectPolicy < BasePolicy
environments
feature_flags
releases
+ infrastructure
]
features.each do |f|
@@ -255,7 +254,6 @@ class ProjectPolicy < BasePolicy
enable :change_namespace
enable :change_visibility_level
- enable :rename_project
enable :remove_project
enable :archive_project
enable :remove_fork_project
@@ -303,7 +301,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:create_issue) }.enable :create_work_item
- rule { can?(:create_issue) & work_items_enabled }.enable :create_task
+ rule { can?(:create_issue) }.enable :create_task
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
@@ -409,6 +407,14 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:alert_management_alert))
end
+ rule { split_operations_visibility_permissions & infrastructure_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:terraform_state))
+ prevent(*create_read_update_admin_destroy(:cluster))
+ prevent(:read_pod_logs)
+ prevent(:read_prometheus)
+ prevent(:admin_project_google_cloud)
+ end
+
rule { can?(:metrics_dashboard) }.policy do
enable :read_prometheus
enable :read_deployment
@@ -490,6 +496,7 @@ class ProjectPolicy < BasePolicy
enable :push_to_delete_protected_branch
enable :update_snippet
enable :admin_snippet
+ enable :rename_project
enable :admin_project_member
enable :admin_note
enable :admin_wiki
@@ -530,6 +537,7 @@ class ProjectPolicy < BasePolicy
enable :read_web_hooks
enable :read_upload
enable :destroy_upload
+ enable :admin_incident_management_timeline_event_tag
end
rule { public_project & metrics_dashboard_allowed }.policy do
@@ -624,7 +632,6 @@ class ProjectPolicy < BasePolicy
prevent :read_commit_status
prevent :read_pipeline
prevent :read_pipeline_schedule
- prevent(*create_read_update_admin_destroy(:release))
prevent(*create_read_update_admin_destroy(:feature_flag))
prevent(:admin_feature_flags_user_lists)
end
@@ -729,6 +736,10 @@ class ProjectPolicy < BasePolicy
enable :read_work_item
end
+ rule { can?(:read_merge_request) }.policy do
+ enable :read_vulnerability_merge_request_link
+ end
+
rule { can?(:developer_access) }.policy do
enable :read_security_configuration
end
@@ -827,6 +838,8 @@ class ProjectPolicy < BasePolicy
rule { can?(:admin_project_member) }.policy do
enable :import_project_members_from_another_project
+ # ability to read, approve or reject member access requests of other users
+ enable :admin_member_access_request
end
rule { registry_enabled & can?(:admin_container_image) }.policy do
@@ -837,6 +850,14 @@ class ProjectPolicy < BasePolicy
enable :view_package_registry_project_settings
end
+ rule { can?(:read_project) }.policy do
+ enable :read_incident_management_timeline_event_tag
+ end
+
+ rule { can?(:download_code) }.policy do
+ enable :read_code
+ end
+
private
def user_is_user?
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index f62ccef826c..4f3dafbf5c8 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -36,6 +36,7 @@ class UserPolicy < BasePolicy
rule { (private_profile | blocked_user | unconfirmed_user) & ~(user_is_self | admin) }.prevent :read_user_profile
rule { user_is_self | admin }.enable :disable_two_factor
rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
+ rule { (user_is_self | admin) & ~blocked }.enable :get_user_associations_count
end
UserPolicy.prepend_mod_with('UserPolicy')
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-28 22:36:16 +0300