Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/base_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/concerns/find_group_projects.rb | 4 | ||||
-rw-r--r-- | app/policies/concerns/policy_actor.rb | 4 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 17 | ||||
-rw-r--r-- | app/policies/merge_request_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/packages/package_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/project_member_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 28 | ||||
-rw-r--r-- | app/policies/releases/source_policy.rb | 6 |
10 files changed, 73 insertions, 10 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 2c26ba565ab..13d732e4edd 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,10 @@ class BasePolicy < DeclarativePolicy::Base
 with_options scope: :user, score: 0
 condition(:deactivated) { @user&.deactivated? }
+ desc "User is support bot"
+ with_options scope: :user, score: 0
+ condition(:support_bot) { @user&.support_bot? }
+
 desc "User email is unconfirmed or user account is locked"
 with_options scope: :user, score: 0
 condition(:inactive) do
@@ -54,6 +58,8 @@ class BasePolicy < DeclarativePolicy::Base
 rule { admin }.enable :read_all_resources
 rule { default }.enable :read_cross_project
+
+ condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
 end
 BasePolicy.prepend_if_ee('EE::BasePolicy')
diff --git a/app/policies/concerns/find_group_projects.rb b/app/policies/concerns/find_group_projects.rb
index e2cb90079c7..aad9081bd7d 100644
--- a/app/policies/concerns/find_group_projects.rb
+++ b/app/policies/concerns/find_group_projects.rb
@@ -3,11 +3,11 @@
 module FindGroupProjects
 extend ActiveSupport::Concern
- def group_projects_for(user:, group:)
+ def group_projects_for(user:, group:, only_owned: true)
 GroupProjectsFinder.new(
 group: group,
 current_user: user,
- options: { include_subgroups: true, only_owned: true }
+ options: { include_subgroups: true, only_owned: only_owned }
 ).execute
 end
 end
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index f910e04d015..3073a2e5d10 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -45,6 +45,10 @@ module PolicyActor
 false
 end
+ def support_bot?
+ false
+ end
+
 def deactivated?
 false
 end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 03f5a863421..c66f0d199b0 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
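Review bot: The name of the new `condition(:is_gitlab_com)` in the second base_policy.rb hunk is narrower than its body: it returns `::Gitlab.dev_env_or_com?`, which by its own name is also true in a development environment, so a rule gated on it will not be SaaS-only. It also lacks the `desc` and `with_options` lines that the `support_bot` condition in the first hunk carries. The block reads neither `@user` nor `@subject`, so I would put `desc "Instance is GitLab.com or a development environment"` and `with_options scope: :global, score: 0` above it. The class body starts outside the hunk.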
@@ -105,6 +105,9 @@ class GlobalPolicy < BasePolicy
 enable :update_custom_attribute
 end
+ # We can't use `read_statistics` because the user may have different permissions for different projects
+ rule { admin }.enable :use_project_statistics_filters
+
 rule { external_user }.prevent :create_snippet
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index b1b52d62b85..62f66093875 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -42,6 +42,14 @@ class GroupPolicy < BasePolicy
 @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
 end
+ condition(:design_management_enabled) do
+ group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
+ end
+
+ rule { design_management_enabled }.policy do
+ enable :read_design_activity
+ end
+
 rule { public_group }.policy do
 enable :read_group
 enable :read_package
@@ -59,6 +67,10 @@ class GroupPolicy < BasePolicy
 enable :update_max_artifacts_size
 end
+ rule { can?(:read_all_resources) }.policy do
+ enable :read_confidential_issues
+ end
+
 rule { has_projects }.policy do
 enable :read_group
 end
@@ -70,6 +82,10 @@ class GroupPolicy < BasePolicy
 enable :read_board
 end
+ rule { ~can?(:read_group) }.policy do
+ prevent :read_design_activity
+ end
+
 rule { has_access }.enable :read_namespace
 rule { developer }.policy do
@@ -87,6 +103,7 @@ class GroupPolicy < BasePolicy
 enable :admin_list
 enable :admin_issue
 enable :read_metrics_dashboard_annotation
+ enable :read_prometheus
 end
 rule { maintainer }.policy do
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e2aca2a37d5..e5ac228b0ee 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
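Review bot: `rule { design_management_enabled }` in the first group_policy.rb hunk enables `:read_design_activity` with no membership or visibility condition of its own, so the ability is only held back by the separate `rule { ~can?(:read_group) }` prevent added in a later hunk. The condition also calls `.any?` with a block on the finder result, which presumably loads every project the finder returns (subgroups included, and with `only_owned: false` not just owned ones) on each evaluation. Both facts deserve a comment above the condition, for example `# Loads the group's projects for @user; access is restricted by the ~can?(:read_group) prevent below`. If `design_management_enabled?` can be expressed as a query scope, an existence check would avoid instantiating the records.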
@@ -10,6 +10,10 @@ class MergeRequestPolicy < IssuablePolicy
 # it would not be safe to prevent :create_note there, since
 # note permissions are shared, and this would apply too broadly.
 rule { ~can?(:read_merge_request) }.prevent :create_note
+
+ rule { can?(:update_merge_request) }.policy do
+ enable :approve_merge_request
+ end
 end
 MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
diff --git a/app/policies/packages/package_policy.rb b/app/policies/packages/package_policy.rb
new file mode 100644
index 00000000000..8eef280c640
--- /dev/null
+++ b/app/policies/packages/package_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class PackagePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index f2f18406bd3..ca33b95e523 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -5,14 +5,17 @@ class ProjectMemberPolicy < BasePolicy
 condition(:target_is_owner, scope: :subject) { @subject.user == @subject.project.owner }
 condition(:target_is_self) { @user && @subject.user == @user }
+ condition(:project_bot) { @subject.user&.project_bot? }
 rule { anonymous }.prevent_all
 rule { target_is_owner }.prevent_all
- rule { can?(:admin_project_member) }.policy do
+ rule { ~project_bot & can?(:admin_project_member) }.policy do
 enable :update_project_member
 enable :destroy_project_member
 end
+ rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member
+
 rule { target_is_self }.enable :destroy_project_member
 end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f87c72007ec..39b39bd2fce 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
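Review bot: `rule { can?(:update_merge_request) }` in the merge_request_policy.rb hunk ties `:approve_merge_request` to the edit permission, so whoever may edit a merge request may also approve it as far as this policy is concerned. If `:update_merge_request` is granted to the merge request's author (not visible in this hunk), self-approval has to be blocked somewhere else. The rule above it carries a comment explaining its scope, and this one should too, for example `# Approval eligibility (author, committers) is enforced in <where it is enforced>, not here`. If no such check exists, the condition needs narrowing before this ability is relied on for separation of duties.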
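Review bot: The unchanged last rule in the project_member_policy.rb hunk, `rule { target_is_self }.enable :destroy_project_member`, is not covered by the new `~project_bot` guard. If bot memberships are meant to be removable only through `:destroy_project_bot_member`, a bot acting on its own membership would still get `:destroy_project_member`; `rule { target_is_self & ~project_bot }.enable :destroy_project_member` closes that, assuming it is the intent. Separately, `condition(:project_bot)` reads only `@subject.user` but is declared without `scope: :subject`, unlike `target_is_owner` two lines above. `condition(:project_bot, scope: :subject) { @subject.user&.project_bot? }` would match the neighbouring declaration.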
@@ -123,6 +123,9 @@ class ProjectPolicy < BasePolicy
 !@subject.design_management_enabled?
 end
+ with_scope :subject
+ condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
 # because it could be possible for a user to see an issuable-iid
 # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -151,6 +154,9 @@ class ProjectPolicy < BasePolicy
 ::Feature.enabled?(:build_service_proxy, @subject)
 end
+ with_scope :subject
+ condition(:packages_disabled) { !@subject.packages_enabled }
+
 features = %w[
 merge_requests
 issues
@@ -173,6 +179,7 @@ class ProjectPolicy < BasePolicy
 rule { guest | admin }.enable :read_project_for_iids
 rule { admin }.enable :update_max_artifacts_size
+ rule { can?(:read_all_resources) }.enable :read_confidential_issues
 rule { guest }.enable :guest_access
 rule { reporter }.enable :reporter_access
@@ -254,6 +261,8 @@ class ProjectPolicy < BasePolicy
 enable :read_prometheus
 enable :read_metrics_dashboard_annotation
 enable :metrics_dashboard
+ enable :read_confidential_issues
+ enable :read_package
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -290,12 +299,17 @@ class ProjectPolicy < BasePolicy
 enable :read_metrics_user_starred_dashboard
 end
+ rule { packages_disabled | repository_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:package))
+ end
+
 rule { owner | admin | guest | group_member }.prevent :request_access
 rule { ~request_access_enabled }.prevent :request_access
 rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
 rule { can?(:developer_access) }.policy do
+ enable :create_package
 enable :admin_board
 enable :admin_merge_request
 enable :admin_milestone
@@ -327,6 +341,7 @@ class ProjectPolicy < BasePolicy
 enable :update_alert_management_alert
 enable :create_design
 enable :destroy_design
+ enable :read_terraform_state
 end
 rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -336,6 +351,7 @@ class ProjectPolicy < BasePolicy
 end
 rule { can?(:maintainer_access) }.policy do
+ enable :destroy_package
 enable :admin_board
 enable :push_to_delete_protected_branch
 enable :update_snippet
@@ -470,6 +486,7 @@ class ProjectPolicy < BasePolicy
 end
 rule { can?(:public_access) }.policy do
+ enable :read_package
 enable :read_project
 enable :read_board
 enable :read_list
@@ -545,11 +562,13 @@ class ProjectPolicy < BasePolicy
 rule { can?(:read_issue) }.policy do
 enable :read_design
+ enable :read_design_activity
 end
 # Design abilities could also be prevented in the issue policy.
 rule { design_management_disabled }.policy do
 prevent :read_design
+ prevent :read_design_activity
 prevent :create_design
 prevent :destroy_design
 end
@@ -576,6 +595,12 @@ class ProjectPolicy < BasePolicy
 enable :read_build_report_results
 end
+ rule { support_bot }.enable :guest_access
+ rule { support_bot & ~service_desk_enabled }.policy do
+ prevent :create_note
+ prevent :read_project
+ end
+
 private
 def team_member?
@@ -624,6 +649,7 @@ class ProjectPolicy < BasePolicy
 def lookup_access_level!
 return ::Gitlab::Access::REPORTER if alert_bot?
+ return ::Gitlab::Access::REPORTER if support_bot? && service_desk_enabled?
 # NOTE: max_member_access has its own cache
 project.team.max_member_access(@user.id)
@@ -636,7 +662,7 @@ class ProjectPolicy < BasePolicy
 when ProjectFeature::DISABLED
 false
 when ProjectFeature::PRIVATE
- admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
+ can?(:read_all_resources) || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
 else
 true
 end
diff --git a/app/policies/releases/source_policy.rb b/app/policies/releases/source_policy.rb
index 8b86b925589..3b11c661237 100644
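Review bot: `enable :read_terraform_state` in the `-327,6 +341,7` hunk grants read access to data that often holds secrets, and the hunk gives no sign that the access level was chosen with that in mind. Terraform state commonly contains provider credentials and generated secrets in plain text. The enclosing rule's header is outside the hunk, so the level cannot be confirmed here; it is presumably the `can?(:developer_access)` block, judging by the rule that follows. I would add a comment next to it such as `# Terraform state can contain secrets; readable from Developer upwards`, or move the ability to the maintainer block if that is not the intent.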
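Review bot: `rule { support_bot }.enable :guest_access` in the `-576,6 +595,12` hunk is unconditional, and when Service Desk is off only `:create_note` and `:read_project` are prevented. Any other ability that `:guest_access` enables elsewhere in this policy (not visible here) would therefore stay available to the support bot on projects that never enabled Service Desk. Gating the grant keeps it default-deny: `rule { support_bot & service_desk_enabled }.enable :guest_access`. The `lookup_access_level!` hunk further down returns `::Gitlab::Access::REPORTER` for the same actor while this rule grants guest access, so a comment stating which level is intended would help.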
--- a/app/policies/releases/source_policy.rb
+++ b/app/policies/releases/source_policy.rb
@@ -3,11 +3,5 @@
 module Releases
 class SourcePolicy < BasePolicy
 delegate { @subject.project }
-
- rule { can?(:public_access) | can?(:reporter_access) }.policy do
- enable :read_release_sources
- end
-
- rule { ~can?(:read_release) }.prevent :read_release_sources
 end
 end
|