authorGitLab Bot <gitlab-bot@gitlab.com>2021-12-20 16:37:47 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2021-12-20 16:37:47 +0300
commitaee0a117a889461ce8ced6fcf73207fe017f1d99 (patch)
tree891d9ef189227a8445d83f35c1b0fc99573f4380 /app/policies
parent8d46af3258650d305f53b819eabf7ab18d22f59e (diff)
Add latest changes from gitlab-org/gitlab@14-6-stable-eev14.6.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/clusters/agents/activity_event_policy.rb11
-rw-r--r--app/policies/group_policy.rb16
-rw-r--r--app/policies/namespace_policy.rb3
-rw-r--r--app/policies/namespaces/group_project_namespace_shared_policy.rb9
-rw-r--r--app/policies/namespaces/project_namespace_policy.rb2
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb5
6 files changed, 40 insertions, 6 deletions
diff --git a/app/policies/clusters/agents/activity_event_policy.rb b/app/policies/clusters/agents/activity_event_policy.rb
new file mode 100644
index 00000000000..25fe1570b4b
--- /dev/null
+++ b/app/policies/clusters/agents/activity_event_policy.rb
@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Clusters
+ module Agents
+ class ActivityEventPolicy < BasePolicy
+ alias_method :event, :subject
+
+ delegate { event.agent }
+ end
+ end
+end
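Review bot: `ActivityEventPolicy` defines no rules of its own, so everything a user may do with an activity event is decided by the agent's policy through `delegate { event.agent }`, and nothing in the file says so. A one-line comment above the delegate would make that explicit, for example `# Access to an activity event is governed entirely by the policy of its agent.` How the policy behaves when `event.agent` is nil is not visible in this hunk and is worth covering in the policy spec.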
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 833d5b9bd34..5c4990ffd9b 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,6 @@
# frozen_string_literal: true
-class GroupPolicy < BasePolicy
+class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
include FindGroupProjects
desc "Group is public"
@@ -77,6 +77,11 @@ class GroupPolicy < BasePolicy
condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+ with_scope :subject
+ condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
+ Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ end
+
rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
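Review bot: `with_scope :subject` and the `scope: :subject` option on the `group_runner_registration_allowed` condition appear to state the same scope twice. One of them can go, for example dropping the `with_scope :subject` line so the condition reads like `crm_enabled` just above it. The block also reads neither `@subject` nor `@user`, and it is true whenever the `runner_registration_control` flag is disabled, so the registrars setting is only enforced with the flag on. A short comment such as `# Instance-wide setting; only enforced when runner_registration_control is enabled` would record that for the next reader. The class body continues outside this hunk.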
@@ -157,6 +162,7 @@ class GroupPolicy < BasePolicy
enable :destroy_package
enable :create_projects
enable :admin_pipeline
+ enable :admin_group_runners
enable :admin_build
enable :read_cluster
enable :add_cluster
@@ -199,6 +205,10 @@ class GroupPolicy < BasePolicy
enable :read_nested_project_resources
end
+ rule { can?(:admin_group_runners) }.policy do
+ enable :register_group_runners
+ end
+
rule { owner }.enable :create_subgroup
rule { maintainer & maintainer_can_create_group }.enable :create_subgroup
@@ -261,6 +271,10 @@ class GroupPolicy < BasePolicy
prevent :admin_crm_organization
end
+ rule { ~group_runner_registration_allowed }.policy do
+ prevent :register_group_runners
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
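Review bot: The `prevent :register_group_runners` rule blocks only the new ability, while `enable :admin_group_runners` (added in the hunk at -157, inside a rule block whose header is outside that hunk) stays in force when group registration is disallowed. The restriction therefore holds only if every registration-related path, including anything that displays or resets the group's runner registration token, authorizes against `:register_group_runners` rather than `:admin_group_runners`. Those callers are outside this diff, which is limited to app/policies, so this should be confirmed. A policy spec asserting that an owner keeps `:admin_group_runners` but loses `:register_group_runners` when 'group' is absent from `valid_runner_registrars` would pin the intent. The `access_level` method at the end of this hunk continues outside it.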
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 0cf1bcb9737..33c90d49f68 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -1,9 +1,10 @@
# frozen_string_literal: true
-class NamespacePolicy < ::Namespaces::UserNamespacePolicy
+class NamespacePolicy < BasePolicy
# NamespacePolicy has been traditionally for user namespaces.
# So these policies have been moved into Namespaces::UserNamespacePolicy.
# Once the user namespace conversion is complete, we can look at
# either removing this file or locating common namespace policy items
# here.
+ # See https://gitlab.com/groups/gitlab-org/-/epics/6689 for details
end
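Review bot: After this change `NamespacePolicy` defines no conditions or rules of its own, so any subject whose policy resolves to this class directly, rather than to `Namespaces::UserNamespacePolicy` or `GroupPolicy`, gets only what `BasePolicy` provides. That fails closed, but it is a behaviour change for any record still loaded as a plain `Namespace`; whether such records exist depends on code outside this diff. The existing comment could state the intent explicitly, for example `# Intentionally empty: all abilities are defined in subclasses.`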
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
new file mode 100644
index 00000000000..1ed9f05306f
--- /dev/null
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Namespaces
+ class GroupProjectNamespaceSharedPolicy < ::NamespacePolicy
+ # Nothing here at the moment, but as we move policies from ProjectPolicy to ProjectNamespacePolicy,
+ # anything common with GroupPolicy but not with UserNamespacePolicy can go in here.
+ # See https://gitlab.com/groups/gitlab-org/-/epics/6689
+ end
+end
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
index bc08a7a45ed..33aadc7c411 100644
--- a/app/policies/namespaces/project_namespace_policy.rb
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -1,7 +1,7 @@
# frozen_string_literal: true
module Namespaces
- class ProjectNamespacePolicy < BasePolicy
+ class ProjectNamespacePolicy < Namespaces::GroupProjectNamespaceSharedPolicy
# For now users are not granted any permissions on project namespace
# as it's completely hidden to them. When we start using project
# namespaces in queries, we will have to extend this policy.
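Review bot: The comment kept in this hunk says users are granted no permissions on project namespaces, but the class now inherits from `Namespaces::GroupProjectNamespaceSharedPolicy` and, through it, from `::NamespacePolicy`. That statement therefore holds only while both ancestors stay empty, and a rule added to either parent later would apply here without this file changing. Consider extending the comment, for example `# Inherits from the shared policy; rules added to a parent class apply here too.`, and keeping a spec that asserts no abilities are allowed on a project namespace. The class body continues outside the hunk.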
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index f8b285e5312..09b0f5d608d 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -1,10 +1,9 @@
# frozen_string_literal: true
module Namespaces
- class UserNamespacePolicy < BasePolicy
+ class UserNamespacePolicy < ::NamespacePolicy
rule { anonymous }.prevent_all
- condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
condition(:owner) { @subject.owner == @user }
@@ -19,7 +18,7 @@ module Namespaces
enable :read_package_settings
end
- rule { personal_project & ~can_create_personal_project }.prevent :create_projects
+ rule { ~can_create_personal_project }.prevent :create_projects
rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
end