diff options
Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 6135523a2f8..aaf985d6c63 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -30,6 +30,9 @@ class ProjectPolicy < BasePolicy desc "User has maintainer access" condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER } + desc "User is a project bot" + condition(:project_bot) { user.project_bot? && team_member? } + desc "Project is public" condition(:public_project, scope: :subject, score: 0) { project.public? } @@ -79,7 +82,7 @@ class ProjectPolicy < BasePolicy with_scope :subject condition(:metrics_dashboard_allowed) do - feature_available?(:metrics_dashboard) + access_allowed_to?(:metrics_dashboard) end with_scope :global @@ -158,7 +161,7 @@ class ProjectPolicy < BasePolicy features.each do |f| # these are scored high because they are unlikely desc "Project has #{f} disabled" - condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) } + condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) } end # `:read_project` may be prevented in EE, but `:read_project_for_iids` should @@ -583,6 +586,10 @@ class ProjectPolicy < BasePolicy enable :read_issue_link end + rule { can?(:developer_access) }.policy do + enable :read_security_configuration + end + # Design abilities could also be prevented in the issue policy. rule { design_management_disabled }.policy do prevent :read_design @@ -621,10 +628,14 @@ class ProjectPolicy < BasePolicy prevent :read_project end + rule { project_bot }.enable :project_bot_access + rule { resource_access_token_available & can?(:admin_project) }.policy do enable :admin_resource_access_tokens end + rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens + rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do enable :set_pipeline_variables end @@ -690,7 +701,7 @@ class ProjectPolicy < BasePolicy project.team.max_member_access(@user.id) end - def feature_available?(feature) + def access_allowed_to?(feature) return false unless project.project_feature case project.project_feature.access_level(feature) |