diff options
Diffstat (limited to 'app/policies/group_policy.rb')
| -rw-r--r-- | app/policies/group_policy.rb | 68 |
1 files changed, 53 insertions, 15 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 6cc65248914..285721de387 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -36,7 +36,20 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:request_access_enabled) { @subject.request_access_enabled } condition(:create_projects_disabled, scope: :subject) do - @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS + next true if @user.nil? + + visibility_levels = if @user.can_admin_all_resources? + # admin can create projects even with restricted visibility levels + Gitlab::VisibilityLevel.values + else + Gitlab::VisibilityLevel.allowed_levels + end + + allowed_visibility_levels = visibility_levels.select do |level| + Project.new(namespace: @subject).visibility_level_allowed?(level) + end + + @subject.project_creation_level == ::Gitlab::Access::NO_ONE_PROJECT_ACCESS || allowed_visibility_levels.empty? end condition(:developer_maintainer_access, scope: :subject) do @@ -85,11 +98,15 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? } condition(:create_runner_workflow_enabled) do - Feature.enabled?(:create_runner_workflow) + Feature.enabled?(:create_runner_workflow_for_namespace, group) + end + + condition(:achievements_enabled, scope: :subject) do + Feature.enabled?(:achievements, @subject) end condition(:group_runner_registration_allowed, scope: :subject) do - Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled? + @subject.runner_registration_enabled? end rule { can?(:read_group) & design_management_enabled }.policy do @@ -131,9 +148,17 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_member enable :read_custom_emoji enable :read_counts + end + + rule { achievements_enabled }.policy do enable :read_achievement end + rule { can?(:maintainer_access) & achievements_enabled }.policy do + enable :admin_achievement + enable :award_achievement + end + rule { ~public_group & ~has_access }.prevent :read_counts rule { ~can_read_group_member }.policy do @@ -147,17 +172,16 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { has_access }.enable :read_namespace rule { developer }.policy do - enable :create_metrics_dashboard_annotation - enable :delete_metrics_dashboard_annotation - enable :update_metrics_dashboard_annotation + enable :admin_metrics_dashboard_annotation enable :create_custom_emoji enable :create_package enable :developer_access enable :admin_crm_organization enable :admin_crm_contact - enable :read_cluster - + enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`). + enable :read_cluster_agent enable :read_group_all_available_runners + enable :use_k8s_proxies end rule { reporter }.policy do @@ -180,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :destroy_package enable :admin_package enable :create_projects + enable :import_projects enable :admin_pipeline enable :admin_build enable :add_cluster @@ -191,7 +216,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :maintainer_access enable :read_upload enable :destroy_upload - enable :admin_achievement end rule { owner }.policy do @@ -204,7 +228,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_runners enable :admin_group_runners enable :register_group_runners - enable :create_group_runners + enable :create_runner enable :set_note_created_at enable :set_emails_disabled @@ -246,17 +270,25 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~can?(:view_globally) }.prevent :request_access rule { has_access }.prevent :request_access - rule { owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) }.enable :change_share_with_group_lock + rule do + owner & (~share_with_group_locked | ~has_parent | ~parent_share_with_group_locked | can_change_parent_share_with_group_lock) + end.enable :change_share_with_group_lock rule { developer & developer_maintainer_access }.enable :create_projects - rule { create_projects_disabled }.prevent :create_projects + rule { create_projects_disabled }.policy do + prevent :create_projects + prevent :import_projects + end rule { owner | admin }.policy do enable :owner_access enable :read_statistics end - rule { maintainer & can?(:create_projects) }.enable :transfer_projects + rule { maintainer & can?(:create_projects) }.policy do + enable :transfer_projects + enable :import_projects + end rule { read_package_registry_deploy_token }.policy do enable :read_package @@ -289,10 +321,12 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do enable :create_resource_access_tokens + enable :manage_resource_access_tokens end rule { can?(:project_bot_access) }.policy do prevent :create_resource_access_tokens + prevent :manage_resource_access_tokens end rule { can?(:admin_group_member) }.policy do @@ -313,7 +347,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~admin & ~group_runner_registration_allowed }.policy do prevent :register_group_runners - prevent :create_group_runners + prevent :create_runner end rule { migration_bot }.policy do @@ -325,8 +359,12 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_observability end + rule { can?(:maintainer_access) & observability_enabled }.policy do + enable :admin_observability + end + rule { ~create_runner_workflow_enabled }.policy do - prevent :create_group_runners + prevent :create_runner end # Should be matched with ProjectPolicy#read_internal_note |