diff options
Diffstat (limited to 'app/policies/ci')
| -rw-r--r-- | app/policies/ci/build_policy.rb | 8 | ||||
| -rw-r--r-- | app/policies/ci/job_artifact_policy.rb | 7 | ||||
| -rw-r--r-- | app/policies/ci/runner_policy.rb | 52 |
3 files changed, 63 insertions, 4 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb index f377ff85b5e..b657b569e3e 100644 --- a/app/policies/ci/build_policy.rb +++ b/app/policies/ci/build_policy.rb @@ -2,6 +2,8 @@ module Ci class BuildPolicy < CommitStatusPolicy + delegate { @subject.project } + condition(:protected_ref) do access = ::Gitlab::UserAccess.new(@user, container: @subject.project) @@ -25,6 +27,10 @@ module Ci false end + condition(:prevent_rollback) do + @subject.prevent_rollback_deployment? + end + condition(:owner_of_job) do @subject.triggered_by?(@user) end @@ -71,7 +77,7 @@ module Ci # Authorizing the user to access to protected entities. # There is a "jailbreak" mode to exceptionally bypass the authorization, # however, you should NEVER allow it, rather suspect it's a wrong feature/product design. - rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do + rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment | prevent_rollback) }.policy do prevent :update_build prevent :update_commit_status prevent :erase_build diff --git a/app/policies/ci/job_artifact_policy.rb b/app/policies/ci/job_artifact_policy.rb new file mode 100644 index 00000000000..e25c7311565 --- /dev/null +++ b/app/policies/ci/job_artifact_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module Ci + class JobArtifactPolicy < BasePolicy + delegate { @subject.job.project } + end +end diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb index 8a99f4d1a3e..a52dac446ea 100644 --- a/app/policies/ci/runner_policy.rb +++ b/app/policies/ci/runner_policy.rb @@ -9,19 +9,65 @@ module Ci @user.owns_runner?(@subject) end - condition(:belongs_to_multiple_projects) do + with_options scope: :subject, score: 0 + condition(:is_instance_runner) do + @subject.instance_type? + end + + with_options scope: :subject, score: 0 + condition(:is_group_runner) do + @subject.group_type? + end + + with_options scope: :user, score: 5 + condition(:any_developer_groups_inheriting_shared_runners) do + @user.developer_groups.with_shared_runners_enabled.any? + end + + with_options scope: :user, score: 5 + condition(:any_developer_projects_inheriting_shared_runners) do + @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any? + end + + with_options score: 10 + condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do + # Check if any projects where user is a developer are inheriting group runners + @subject.groups&.any? do |group| + group.all_projects + .with_group_runners_enabled + .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER) + .exists? + end + end + + condition(:belongs_to_multiple_projects, scope: :subject) do @subject.belongs_to_more_than_one_project? end rule { anonymous }.prevent_all - rule { admin }.policy do + rule { admin | owned_runner }.policy do enable :read_builds end rule { admin | owned_runner }.policy do - enable :assign_runner enable :read_runner + end + + rule { is_instance_runner & any_developer_groups_inheriting_shared_runners }.policy do + enable :read_runner + end + + rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do + enable :read_runner + end + + rule { is_group_runner & any_associated_projects_in_group_runner_inheriting_group_runners }.policy do + enable :read_runner + end + + rule { admin | owned_runner }.policy do + enable :assign_runner enable :update_runner enable :delete_runner end |