Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2023-04-20 12:18:59 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2023-04-20 12:18:59 +0300
commit: c7eec01f1b68b2e047cdd709751cb695ab329933 (patch)
tree: 47609cd0e5f00afdd1532cf951f9c0055a125641 /app/policies
parent: 9b863f753f0320a95af1ff774cd0c1d4ec7d2754 (diff)
1 files changed, 14 insertions, 1 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 1f8e003b09a..d84ba880e71 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -36,7 +36,20 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
   condition(:request_access_enabled) { @subject.request_access_enabled }
 
   condition(:create_projects_disabled, scope: :subject) do
-    @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS
+    next true if @user.nil?
+
+    visibility_levels = if @user.can_admin_all_resources?
+                          # admin can create projects even with restricted visibility levels
+                          Gitlab::VisibilityLevel.values
+                        else
+                          Gitlab::VisibilityLevel.allowed_levels
+                        end
+
+    allowed_visibility_levels = visibility_levels.select do |level|
+      Project.new(namespace: @subject).visibility_level_allowed?(level)
+    end
+
+    @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS || allowed_visibility_levels.empty?
   end
 
   condition(:developer_maintainer_access, scope: :subject) do
author	GitLab Bot <gitlab-bot@gitlab.com>	2023-04-20 12:18:59 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2023-04-20 12:18:59 +0300
commit	c7eec01f1b68b2e047cdd709751cb695ab329933 (patch)
tree	47609cd0e5f00afdd1532cf951f9c0055a125641 /app/policies
parent	9b863f753f0320a95af1ff774cd0c1d4ec7d2754 (diff)