diff options
Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 19 |
1 files changed, 9 insertions, 10 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index bbb0e3df500..255538c538a 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -154,9 +154,6 @@ class ProjectPolicy < BasePolicy end with_scope :subject - condition(:restrict_job_token_enabled) { Feature.enabled?(:restrict_ci_job_token_for_public_and_internal_projects, @subject) } - - with_scope :subject condition(:forking_allowed) do @subject.feature_available?(:forking, @user) end @@ -194,7 +191,9 @@ class ProjectPolicy < BasePolicy end with_scope :subject - condition(:model_registry_enabled) { Feature.enabled?(:model_registry, @subject) } + condition(:model_registry_enabled) do + Feature.enabled?(:model_registry, @subject) && @subject.feature_available?(:model_registry, @user) + end with_scope :subject condition(:resource_access_token_feature_available) do @@ -709,7 +708,7 @@ class ProjectPolicy < BasePolicy rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all # If this project is public or internal we want to prevent all aside from a few public policies - rule { public_or_internal & ~project_allowed_for_job_token & restrict_job_token_enabled }.policy do + rule { public_or_internal & ~project_allowed_for_job_token }.policy do prevent :guest_access prevent :public_access prevent :public_user_access @@ -719,25 +718,25 @@ class ProjectPolicy < BasePolicy prevent :owner_access end - rule { public_or_internal & job_token_container_registry & restrict_job_token_enabled }.policy do + rule { public_or_internal & job_token_container_registry }.policy do enable :build_read_container_image enable :read_container_image end - rule { public_or_internal & job_token_package_registry & restrict_job_token_enabled }.policy do + rule { public_or_internal & job_token_package_registry }.policy do enable :read_package enable :read_project end - rule { public_or_internal & job_token_builds & restrict_job_token_enabled }.policy do + rule { public_or_internal & job_token_builds }.policy do enable :read_commit_status # this is additionally needed to download artifacts end - rule { public_or_internal & job_token_releases & restrict_job_token_enabled }.policy do + rule { public_or_internal & job_token_releases }.policy do enable :read_release end - rule { public_or_internal & job_token_environments & restrict_job_token_enabled }.policy do + rule { public_or_internal & job_token_environments }.policy do enable :read_environment end |