Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/policies
diff options
context:
space:
mode:
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/analytics/instance_statistics/measurement_policy.rb9
-rw-r--r--app/policies/ci/build_policy.rb11
-rw-r--r--app/policies/global_policy.rb1
-rw-r--r--app/policies/group_member_policy.rb6
-rw-r--r--app/policies/group_policy.rb5
-rw-r--r--app/policies/namespace/package_setting_policy.rb5
-rw-r--r--app/policies/namespace_policy.rb2
-rw-r--r--app/policies/packages/composer/metadatum_policy.rb8
-rw-r--r--app/policies/packages/tag_policy.rb6
-rw-r--r--app/policies/project_policy.rb9
10 files changed, 60 insertions, 2 deletions
diff --git a/app/policies/analytics/instance_statistics/measurement_policy.rb b/app/policies/analytics/instance_statistics/measurement_policy.rb
new file mode 100644
index 00000000000..3d6a5a08ff6
--- /dev/null
+++ b/app/policies/analytics/instance_statistics/measurement_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Analytics
+ module InstanceStatistics
+ class MeasurementPolicy < BasePolicy
+ delegate { :global }
+ end
+ end
+end
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 7e69e1fdd88..65f2a70672b 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -37,6 +37,10 @@ module Ci
@subject.archived?
end
+ condition(:artifacts_public, scope: :subject) do
+ @subject.artifacts_public?
+ end
+
condition(:terminal, scope: :subject) do
@subject.has_terminal?
end
@@ -57,6 +61,10 @@ module Ci
can?(:update_build, @subject.project)
end
+ condition(:project_developer) do
+ can?(:developer_access, @subject.project)
+ end
+
rule { project_read_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
@@ -94,6 +102,9 @@ module Ci
rule { ~can?(:build_service_proxy_enabled) }.policy do
prevent :create_build_service_proxy
end
+
+ rule { project_read_build }.enable :read_job_artifacts
+ rule { ~artifacts_public & ~project_developer }.prevent :read_job_artifacts
end
end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index b5c1ec0181e..9c79a797a6a 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -100,6 +100,7 @@ class GlobalPolicy < BasePolicy
enable :update_custom_attribute
enable :approve_user
enable :reject_user
+ enable :read_instance_statistics_measurements
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 78a2be7a9f8..09cac96e3a5 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -10,7 +10,11 @@ class GroupMemberPolicy < BasePolicy
with_score 0
condition(:is_target_user) { @user && @subject.user_id == @user.id }
- rule { anonymous }.prevent_all
+ rule { anonymous }.policy do
+ prevent :update_group_member
+ prevent :destroy_group_member
+ end
+
rule { last_owner }.policy do
prevent :update_group_member
prevent :destroy_group_member
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7d0db222eaf..7dd88fcc1ff 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -66,7 +66,7 @@ class GroupPolicy < BasePolicy
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
- rule { design_management_enabled }.policy do
+ rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
@@ -116,17 +116,20 @@ class GroupPolicy < BasePolicy
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
enable :create_custom_emoji
+ enable :create_package_settings
end
rule { reporter }.policy do
enable :reporter_access
enable :read_container_image
+ enable :admin_board
enable :admin_label
enable :admin_list
enable :admin_issue
enable :read_metrics_dashboard_annotation
enable :read_prometheus
enable :read_package
+ enable :read_package_settings
end
rule { maintainer }.policy do
diff --git a/app/policies/namespace/package_setting_policy.rb b/app/policies/namespace/package_setting_policy.rb
new file mode 100644
index 00000000000..7fe388c633e
--- /dev/null
+++ b/app/policies/namespace/package_setting_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class Namespace::PackageSettingPolicy < BasePolicy
+ delegate { @subject.namespace }
+end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index b1d680b4264..13eb4a13cac 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -14,6 +14,8 @@ class NamespacePolicy < BasePolicy
enable :read_namespace
enable :read_statistics
enable :create_jira_connect_subscription
+ enable :create_package_settings
+ enable :read_package_settings
end
rule { personal_project & ~can_create_personal_project }.prevent :create_projects
diff --git a/app/policies/packages/composer/metadatum_policy.rb b/app/policies/packages/composer/metadatum_policy.rb
new file mode 100644
index 00000000000..66bac31f48f
--- /dev/null
+++ b/app/policies/packages/composer/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Composer
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/packages/tag_policy.rb b/app/policies/packages/tag_policy.rb
new file mode 100644
index 00000000000..84bad30470a
--- /dev/null
+++ b/app/policies/packages/tag_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class TagPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 3b8c59c6bf8..03cb53f55be 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject)
end
+ condition(:user_defined_variables_allowed) do
+ !@subject.restrict_user_defined_variables?
+ end
+
with_scope :subject
condition(:packages_disabled) { !@subject.packages_enabled }
@@ -236,6 +240,7 @@ class ProjectPolicy < BasePolicy
enable :read_commit_status
enable :read_build
enable :read_container_image
+ enable :read_deploy_board
enable :read_pipeline
enable :read_pipeline_schedule
enable :read_environment
@@ -615,6 +620,10 @@ class ProjectPolicy < BasePolicy
enable :admin_resource_access_tokens
end
+ rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
+ enable :set_pipeline_variables
+ end
+
private
def user_is_user?
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-04 23:45:56 +0300