Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 83 |
1 files changed, 59 insertions, 24 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3d22002e828..47d8d0eef3e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -38,6 +38,9 @@ class ProjectPolicy < BasePolicy
   desc "User is a project bot"
   condition(:project_bot) { user.project_bot? && team_member? }
 
+  desc "User is a security policy bot on the project"
+  condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
+
   desc "Project is public"
   condition(:public_project, scope: :subject, score: 0) { project.public? }
 
@@ -49,6 +52,9 @@ class ProjectPolicy < BasePolicy
   desc "User is a member of the group"
   condition(:group_member, scope: :subject) { project_group_member? }
 
+  desc "User is a requester of the group"
+  condition(:group_requester, scope: :subject) { project_group_requester? }
+
   desc "Project is archived"
   condition(:archived, scope: :subject, score: 0) { project.archived? }
 
@@ -222,8 +228,8 @@ class ProjectPolicy < BasePolicy
     condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
   end
 
-  condition(:project_runner_registration_allowed) do
-    Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+  condition(:project_runner_registration_allowed, scope: :subject) do
+    Gitlab::CurrentSettings.valid_runner_registrars.include?('project') && @subject.runner_registration_enabled
   end
 
   condition :registry_enabled do
@@ -234,10 +240,16 @@ class ProjectPolicy < BasePolicy
     Gitlab.config.packages.enabled
   end
 
+  condition :terraform_state_disabled do
+    !Gitlab.config.terraform_state.enabled
+  end
+
   condition(:create_runner_workflow_enabled) do
-    Feature.enabled?(:create_runner_workflow)
+    Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace)
   end
 
+  condition(:namespace_catalog_available) { namespace_catalog_available? }
+
   # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
   # not.
   rule { guest | admin }.enable :read_project_for_iids
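Review bot: `condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }` guards against a nil user with `&.`, while the sibling `project_bot` condition two lines above calls `user.project_bot?` unguarded; the two conditions should agree on whether `user` can be nil at this point. If it cannot, the guard is dead and the line should read `condition(:security_policy_bot) { user.security_policy_bot? && team_member? }` to match; if it can, `project_bot` needs the same `&.`. A short comment on whichever is kept would settle the question for the next reader.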
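Review bot: `condition(:group_requester, scope: :subject) { project_group_requester? }` declares a subject-only cache scope, but `project_group_requester?` (defined in the last hunk of this diff) reads `@user.id`, so if the policy cache is ever shared between users for the same project the cached answer would not be keyed on the user. This copies the existing `group_member` condition line for line, so it may be a known trade-off, but since the result feeds the `request_access` prevent rule it is worth confirming. If the default scope is the right one the line would be `condition(:group_requester) { project_group_requester? }`; otherwise a comment explaining why `scope: :subject` is safe for a user-dependent block would help.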
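Review bot: `@subject.runner_registration_enabled` in `project_runner_registration_allowed` reaches for the instance variable where the rest of the file goes through the `project` accessor (`def project` at the end of this diff, `project.namespace` in the hunk below); `project.runner_registration_enabled` keeps the style uniform. The added `scope: :subject` looks right, since the block reads only global settings and the subject.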
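Review bot: `condition :terraform_state_disabled` reads only `Gitlab.config`, and `create_runner_workflow_enabled` now reads only `project.namespace`, yet neither carries a `scope:`, whereas `project_runner_registration_allowed` in the hunk above was given `scope: :subject` for the same kind of subject-only block. If these conditions are evaluated with the default per-user scope, `scope: :global` and `scope: :subject` respectively would let the cached result be shared; if the feature-flag check is intentionally left unscoped, a one-line comment saying so would prevent someone from adding the scope later.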
@@ -274,9 +286,6 @@ class ProjectPolicy < BasePolicy
     enable :set_show_default_award_emojis
     enable :set_show_diff_preview_in_email
     enable :set_warn_about_potentially_unwanted_characters
-
-    enable :register_project_runners
-    enable :create_project_runners
     enable :manage_owners
   end
 
@@ -349,10 +358,10 @@ class ProjectPolicy < BasePolicy
     enable :metrics_dashboard
     enable :read_confidential_issues
     enable :read_package
-    enable :read_product_analytics
     enable :read_ci_cd_analytics
     enable :read_external_emails
     enable :read_grafana
+    enable :export_work_items
   end
 
   # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -404,11 +413,15 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { infrastructure_disabled }.policy do
-    prevent(*create_read_update_admin_destroy(:terraform_state))
     prevent(*create_read_update_admin_destroy(:cluster))
     prevent(:read_pod_logs)
     prevent(:read_prometheus)
     prevent(:admin_project_google_cloud)
+    prevent(:admin_project_aws)
+  end
+
+  rule { infrastructure_disabled | terraform_state_disabled }.policy do
+    prevent(*create_read_update_admin_destroy(:terraform_state))
   end
 
   rule { can?(:metrics_dashboard) }.policy do
@@ -424,10 +437,11 @@ class ProjectPolicy < BasePolicy
     prevent(*create_read_update_admin_destroy(:package))
   end
 
-  rule { owner | admin | guest | group_member }.prevent :request_access
+  rule { owner | admin | guest | group_member | group_requester }.prevent :request_access
   rule { ~request_access_enabled }.prevent :request_access
 
   rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
+  rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items
 
   rule { can?(:developer_access) }.policy do
     enable :create_package
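Review bot: `rule { can?(:reporter_access) & can?(:create_work_item) }.enable :import_work_items` sets the bar for bulk import one access level below the `import_issues` rule directly above it, which requires `developer_access`, and the diff gives no reason for the difference. If reporters are meant to import work items, a comment above the rule such as `# Work item import is deliberately open to reporters, unlike :import_issues.` would stop a later reader from "fixing" it; if not, the condition should be `can?(:developer_access) & can?(:create_work_item)` to match its neighbour.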
@@ -453,16 +467,17 @@ class ProjectPolicy < BasePolicy
     enable :destroy_environment
     enable :create_deployment
     enable :update_deployment
-    enable :read_cluster
+    enable :read_cluster # Deprecated as certificate-based cluster integration (`Clusters::Cluster`).
+    enable :read_cluster_agent
+    enable :use_k8s_proxies
     enable :create_release
     enable :update_release
     enable :destroy_release
-    enable :create_metrics_dashboard_annotation
-    enable :delete_metrics_dashboard_annotation
-    enable :update_metrics_dashboard_annotation
+    enable :admin_metrics_dashboard_annotation
     enable :read_alert_management_alert
     enable :update_alert_management_alert
     enable :create_design
+    enable :update_design
     enable :move_design
     enable :destroy_design
     enable :read_terraform_state
@@ -476,7 +491,6 @@ class ProjectPolicy < BasePolicy
     enable :update_escalation_status
     enable :read_secure_files
     enable :update_sentry_issue
-    enable :read_airflow_dags
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -527,11 +541,13 @@ class ProjectPolicy < BasePolicy
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
     enable :register_project_runners
-    enable :create_project_runners
+    enable :create_runner
+    enable :admin_project_runners
+    enable :read_project_runners
     enable :update_runners_registration_token
     enable :admin_project_google_cloud
+    enable :admin_project_aws
     enable :admin_secure_files
-    enable :read_web_hooks
     enable :read_upload
     enable :destroy_upload
     enable :admin_incident_management_timeline_event_tag
@@ -751,6 +767,7 @@ class ProjectPolicy < BasePolicy
     prevent :read_design
     prevent :read_design_activity
     prevent :create_design
+    prevent :update_design
     prevent :destroy_design
     prevent :move_design
   end
@@ -779,6 +796,7 @@ class ProjectPolicy < BasePolicy
   rule { write_package_registry_deploy_token }.policy do
     enable :create_package
     enable :read_package
+    enable :destroy_package
     enable :read_project
   end
 
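Review bot: The trailing comment added on the `enable :read_cluster` line is the only inline comment in this permission list, while the file otherwise comments on the line above (as with the `:read_project` note earlier in the diff); it also says what is deprecated without saying what replaces it, even though `enable :read_cluster_agent` is added directly below. A comment line above the pair, for example `# :read_cluster covers the deprecated certificate-based integration; :read_cluster_agent is its replacement.`, reads better and keeps the enable lines uniform. The developer_access rule this hunk sits in begins outside the hunk.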
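Review bot: `enable :destroy_package` under `rule { write_package_registry_deploy_token }` widens a token scope whose name promises write access so that it also allows deletion, and nothing in the diff records why. If a write-scoped deploy token is meant to delete packages, a comment above the rule such as `# write scope intentionally includes :destroy_package (needed to replace existing versions).` would make the destructive reach of that scope explicit for anyone auditing deploy-token permissions; if the intent was narrower, this is the line to reconsider.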
@@ -812,6 +830,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:admin_project) & resource_access_token_feature_available & resource_access_token_creation_allowed }.policy do
     enable :create_resource_access_tokens
+    enable :manage_resource_access_tokens
   end
 
   rule { can?(:admin_project) }.policy do
@@ -820,6 +839,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:project_bot_access) }.policy do
     prevent :create_resource_access_tokens
+    prevent :manage_resource_access_tokens
   end
 
   rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
@@ -832,7 +852,7 @@ class ProjectPolicy < BasePolicy
 
   rule { ~admin & ~project_runner_registration_allowed }.policy do
     prevent :register_project_runners
-    prevent :create_project_runners
+    prevent :create_runner
   end
 
   rule { can?(:admin_project_member) }.policy do
@@ -858,12 +878,20 @@ class ProjectPolicy < BasePolicy
   end
 
   rule { ~create_runner_workflow_enabled }.policy do
-    prevent :create_project_runners
+    prevent :create_runner
   end
 
   # Should be matched with GroupPolicy#read_internal_note
   rule { admin | can?(:reporter_access) }.enable :read_internal_note
 
+  rule { can?(:developer_access) & namespace_catalog_available }.policy do
+    enable :read_namespace_catalog
+  end
+
+  rule { can?(:owner_access) & namespace_catalog_available }.policy do
+    enable :add_catalog_resource
+  end
+
   private
 
   def user_is_user?
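Review bot: `enable :manage_resource_access_tokens` is placed under the rule that also requires `resource_access_token_creation_allowed`, so wherever token creation is switched off, the ability to manage tokens that already exist (presumably including revoking them) is switched off with it; whether that coupling is intended cannot be told from the diff. If management should survive a creation ban, the enable would belong in a rule guarded by `resource_access_token_feature_available` alone; if the coupling is deliberate, a one-line comment above the rule would document it. The matching `prevent :manage_resource_access_tokens` for project bots in the next hunk is consistent with the enable.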
@@ -897,16 +925,19 @@ class ProjectPolicy < BasePolicy
     end
   end
 
-  # rubocop: disable CodeReuse/ActiveRecord
   def project_group_member?
     return false if @user.nil?
     return false unless user_is_user?
 
-    project.group &&
-      (
-        project.group.members_with_parents.exists?(user_id: @user.id) ||
-        project.group.requesters.exists?(user_id: @user.id)
-      )
+    project.group && project.group.member?(@user)
+  end
+
+  # rubocop: disable CodeReuse/ActiveRecord
+  def project_group_requester?
+    return false if @user.nil?
+    return false unless user_is_user?
+
+    project.group && project.group.requesters.exists?(user_id: @user.id)
   end
   # rubocop: enable CodeReuse/ActiveRecord
 
@@ -957,6 +988,10 @@ class ProjectPolicy < BasePolicy
   def project
     @subject
   end
+
+  def namespace_catalog_available?
+    false
+  end
 end
 
 ProjectPolicy.prepend_mod_with('ProjectPolicy')
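Review bot: `project_group_member?` no longer counts group requesters, because the `project.group.requesters.exists?` branch moved into the new `project_group_requester?`, so every rule keyed on the `group_member` condition changes meaning for requesters, while the diff only updates the `request_access` prevent rule to add `group_requester`. Any other use of `group_member` outside this diff should be checked, and a comment on `project_group_member?` such as `# Requesters are deliberately excluded; see #project_group_requester?` would record the split. Whether `project.group.member?(@user)` still covers membership inherited from ancestor groups, as `members_with_parents` did, cannot be seen here and should be confirmed.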
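Review bot: `namespace_catalog_available?` returns a bare `false` with no comment, so a reader cannot tell whether the catalog is simply unavailable or the method is an extension point; given the `ProjectPolicy.prepend_mod_with('ProjectPolicy')` line just below, it is presumably overridden elsewhere, but that override is not in this diff. A comment such as `# Extension point; overridden where the namespace catalog is available.` above the method would make the intent clear.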