Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r--app/policies/project_policy.rb27
1 files changed, 22 insertions, 5 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index de80f2f72b8..c577c8c8471 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
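Review bot: The `with_scope :subject` line above the two new conditions most likely covers only `resource_access_token_feature_available`, because in DeclarativePolicy a scope option is consumed by the next `condition` call. That would leave `resource_access_token_creation_allowed` cached per user and subject, although the helper it calls reads only the project and its root group's settings. If subject scoping is wanted for both, add a second `with_scope :subject` directly before `condition(:resource_access_token_creation_allowed)`. If the difference is deliberate, a one-line comment such as `# not subject-scoped: <reason>` would keep a later reader from "fixing" it.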
@@ -259,6 +260,7 @@ class ProjectPolicy < BasePolicy
enable :read_confidential_issues
enable :read_package
enable :read_product_analytics
+ enable :read_group_timelogs
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -631,11 +633,18 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
end
- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
enable :set_pipeline_variables
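Review bot: The new `rule { can?(:project_bot_access) }` block prevents only `create_resource_access_tokens`, while the rule it replaces prevented the whole `admin_resource_access_tokens` ability. A project bot that also satisfies `can?(:admin_project)` can therefore now list and revoke other resource access tokens through `read_resource_access_tokens` and `destroy_resource_access_tokens`. If that widening is not intended, add `prevent :read_resource_access_tokens` and `prevent :destroy_resource_access_tokens` to the same block; if it is intended, say so in a comment above the rule. Since `admin_resource_access_tokens` is no longer enabled anywhere in this hunk, any caller outside the diff that still checks it will be denied, so confirm no such check remains.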
@@ -719,10 +728,18 @@ class ProjectPolicy < BasePolicy
end
end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
true
end
+ def resource_access_token_creation_allowed?
+ group = project.group
+
+ return true unless group # always enable for projects in personal namespaces
+
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
+
def project
@subject
end
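Review bot: In `resource_access_token_creation_allowed?` the early `return true unless group` skips `resource_access_token_feature_available?`, while the group branch checks it. The helper therefore answers differently for personal-namespace projects if the feature method is ever overridden to return false (presumably in EE). The rule that uses this condition also requires `can?(:read_resource_access_tokens)`, so the gate holds today, but `return resource_access_token_feature_available? unless group` would make the helper safe on its own. Separately, `group.root_ancestor.namespace_settings` is dereferenced without a nil check. If a root group can exist without a settings row, policy evaluation would raise here, so consider `namespace_settings&.resource_access_token_creation_allowed?` and state in a comment whether a missing row should allow or deny creation.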