Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r--app/policies/project_policy.rb28
1 files changed, 26 insertions, 2 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7c439fe8b29..cba88d6d913 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -54,7 +54,13 @@ class ProjectPolicy < BasePolicy
desc "Container registry is disabled"
condition(:container_registry_disabled, scope: :subject) do
- !access_allowed_to?(:container_registry)
+ if user.is_a?(DeployToken)
+ (!user.read_registry? && !user.write_registry?) ||
+ user.revoked? ||
+ !project.container_registry_enabled?
+ else
+ !access_allowed_to?(:container_registry)
+ end
end
desc "Container registry is enabled for everyone with access to the project"
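Review bot: `container_registry_disabled` is still declared with `scope: :subject`, but the new branch depends on the actor (`user.is_a?(DeployToken)`, `user.read_registry?`, `user.write_registry?`, `user.revoked?`). If the policy framework caches subject-scoped conditions by project alone, a result computed for one deploy token could be reused for a different token or for a regular user on the same project, so this authorization check may return the wrong answer. Consider dropping the scope, `condition(:container_registry_disabled) do`, or moving the token checks into a separate user-scoped condition and leaving only `!project.container_registry_enabled?` here. The `else` branch's `access_allowed_to?` is defined outside this hunk, so whether it already had the same dependency on the actor cannot be told from here.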
@@ -83,6 +89,16 @@ class ProjectPolicy < BasePolicy
user.is_a?(DeployKey) && user.can_push_to?(project)
end
+ desc "Deploy token with read_container_image scope"
+ condition(:read_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_registry?
+ end
+
+ desc "Deploy token with create_container_image scope"
+ condition(:create_container_image_deploy_token) do
+ user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_registry?
+ end
+
desc "Deploy token with read_package_registry scope"
condition(:read_package_registry_deploy_token) do
user.is_a?(DeployToken) && user.has_access_to?(project) && user.read_package_registry
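Review bot: The two new conditions never check `user.revoked?`, although the `container_registry_disabled` condition in the first hunk does. Whether a revoked token is refused here therefore depends on `has_access_to?` and on a `prevent` rule tied to `container_registry_disabled`, neither of which is visible in this diff. Since the rules in the last hunk enable `:read_container_image` and `:create_container_image` directly from these conditions, making the check explicit would keep them safe on their own: `user.is_a?(DeployToken) && !user.revoked? && user.has_access_to?(project) && user.read_registry?`, and the same with `user.write_registry?`. If `has_access_to?` already rejects revoked tokens, a one-line comment above each condition saying so would be enough.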
@@ -298,7 +314,6 @@ class ProjectPolicy < BasePolicy
enable :read_deployment
enable :read_merge_request
enable :read_sentry_issue
- enable :update_sentry_issue
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :metrics_dashboard
@@ -413,6 +428,7 @@ class ProjectPolicy < BasePolicy
enable :admin_feature_flags_user_lists
enable :update_escalation_status
enable :read_secure_files
+ enable :update_sentry_issue
end
rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -685,6 +701,14 @@ class ProjectPolicy < BasePolicy
enable :push_code
end
+ rule { read_container_image_deploy_token }.policy do
+ enable :read_container_image
+ end
+
+ rule { create_container_image_deploy_token }.policy do
+ enable :create_container_image
+ end
+
rule { read_package_registry_deploy_token }.policy do
enable :read_package
enable :read_project