Diffstat (limited to 'app/policies/global_policy.rb')
-rw-r--r-- | app/policies/global_policy.rb | 18 |
1 files changed, 12 insertions, 6 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index d028738ccc9..b96ad9a73c8 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,10 +22,12 @@ class GlobalPolicy < BasePolicy
 condition(:project_bot, scope: :user) { @user&.project_bot? }
 condition(:migration_bot, scope: :user) { @user&.migration_bot? }
- condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow)
+ condition(:create_runner_workflow_enabled, scope: :user) do
+ Feature.enabled?(:create_runner_workflow_for_admin, @user)
 end
+ condition(:service_account, scope: :user) { @user&.service_account? }
+
 rule { anonymous }.policy do
 prevent :log_in
 prevent :receive_notifications
@@ -60,11 +62,15 @@ class GlobalPolicy < BasePolicy
 rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
- rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
+ rule { blocked | (internal & ~migration_bot & ~security_bot & ~security_policy_bot) }.policy do
 prevent :access_git
 end
- rule { project_bot }.policy do
+ rule { security_policy_bot }.policy do
+ enable :access_git
+ end
+
+ rule { project_bot | service_account }.policy do
 prevent :log_in
 prevent :receive_notifications
 end
@@ -119,11 +125,11 @@ class GlobalPolicy < BasePolicy
 enable :approve_user
 enable :reject_user
 enable :read_usage_trends_measurement
- enable :create_instance_runners
+ enable :create_instance_runner
 end
 rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_instance_runners
+ prevent :create_instance_runner
 end
 # We can't use `read_statistics` because the user may have different permissions for different projects |
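Review bot: The flag check in `create_runner_workflow_enabled` (first hunk) now passes `@user` as the actor, but the block does not say what is intended when `@user` is nil, which the `@user&.` guards in the neighbouring conditions suggest can happen. The rule that consumes it in the third hunk (`~create_runner_workflow_enabled` leading to `prevent :create_instance_runner`) fails closed, so this looks like a clarity issue rather than an over-grant, but it is worth confirming how `Feature.enabled?` treats a nil actor. The condition name also no longer matches the flag name `create_runner_workflow_for_admin`. A comment above the condition such as `# Per-actor flag; @user can be nil for anonymous requests.` would cover both points.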
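Review bot: The new `rule { security_policy_bot }.policy do` block in the second hunk enables `:access_git` for an internal bot at the global level without a comment saying why, and the same exemption is encoded a second time as `~security_policy_bot` in the prevent rule just above it, so the two have to be kept in step. In DeclarativePolicy a `prevent` overrides an `enable`, so a blocked security policy bot should still be denied through the `blocked |` branch; a spec for that case would pin it. I would add a comment above the rule such as `# security_policy_bot is exempt from the internal-user Git restriction; blocked bots are still denied above.` The `security_policy_bot` condition is not defined in the visible hunks, so it is presumably declared elsewhere in the class.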