Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index de80f2f72b8..c577c8c8471 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }
 with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
 # because it could be possible for a user to see an issuable-iid
@@ -259,6 +260,7 @@ class ProjectPolicy < BasePolicy
 enable :read_confidential_issues
 enable :read_package
 enable :read_product_analytics
+ enable :read_group_timelogs
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -631,11 +633,18 @@ class ProjectPolicy < BasePolicy
 rule { project_bot }.enable :project_bot_access
- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
 end
- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
 rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
 enable :set_pipeline_variables
@@ -719,10 +728,18 @@ class ProjectPolicy < BasePolicy
 end
 end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
 true
 end
+ def resource_access_token_creation_allowed?
group = project.group
return true unless group # always enable for projects in personal namespaces
resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
end
+
 def project
 @subject
 end |
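Review bot: `enable :read_group_timelogs` is an unrelated grant inside a rule whose header lies outside this hunk, so the role it attaches to is not visible here and nothing in the diff explains it. It lands next to `read_confidential_issues`, a sensitive read, so a reader has to take on trust that the same role is the right level for group-wide timelog entries. A one-line comment above the new line naming the role this block belongs to and why project members should read group-level timelogs would make the grant reviewable on its own; otherwise it belongs in a separate commit.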
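Review bot: The project-bot rule now prevents only `:create_resource_access_tokens`, while the removed `prevent :admin_resource_access_tokens` line blocked every token operation; a project bot that satisfies `can?(:admin_project)` therefore retains `:read_resource_access_tokens` and `:destroy_resource_access_tokens`, so a token-backed bot can list and revoke the project's other tokens. If that widening is intended, the rule deserves a comment stating that bots may read and revoke but not mint tokens; if not, the block should also carry `prevent :read_resource_access_tokens` and `prevent :destroy_resource_access_tokens`. The creation rule chains on `can?(:read_resource_access_tokens)`, which already includes `resource_access_token_feature_available`, so the feature re-check inside `resource_access_token_creation_allowed?` in the next hunk is redundant but harmless.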
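Review bot: `group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?` dereferences `namespace_settings` without a nil check, so if the root ancestor has no settings record the policy raises `NoMethodError` during authorization instead of denying; whether that record can be absent depends on model code outside this diff, but an authorization predicate should fail closed rather than error. Writing it as `group.root_ancestor.namespace_settings&.resource_access_token_creation_allowed?` makes a missing record evaluate to a falsy result, which denies creation. A short YARD-style comment on the method listing the three outcomes (personal namespace → true; feature unavailable → false; otherwise the root group's setting) would also help, since the inline comment covers only the first case.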