Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/global_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/merge_request_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 20 |
4 files changed, 20 insertions, 24 deletions
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index b96ad9a73c8..bf7bfe36254 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,10 +22,6 @@ class GlobalPolicy < BasePolicy
 condition(:project_bot, scope: :user) { @user&.project_bot? }
 condition(:migration_bot, scope: :user) { @user&.migration_bot? }
- condition(:create_runner_workflow_enabled, scope: :user) do
- Feature.enabled?(:create_runner_workflow_for_admin, @user)
- end
-
 condition(:service_account, scope: :user) { @user&.service_account? }
 rule { anonymous }.policy do
@@ -128,10 +124,6 @@ class GlobalPolicy < BasePolicy
 enable :create_instance_runner
 end
- rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_instance_runner
- end
-
 # We can't use `read_statistics` because the user may have different permissions for different projects
 rule { admin }.enable :use_project_statistics_filters
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 94a67f5b5c8..29b966b43e2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -97,10 +97,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_scope :subject
 condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
- condition(:create_runner_workflow_enabled) do
- Feature.enabled?(:create_runner_workflow_for_namespace, group)
- end
-
 condition(:achievements_enabled, scope: :subject) do
 Feature.enabled?(:achievements, @subject)
 end
@@ -375,10 +371,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :admin_observability
 end
- rule { ~create_runner_workflow_enabled }.policy do
- prevent :create_runner
- end
-
 # Should be matched with ProjectPolicy#read_internal_note
 rule { admin | reporter }.enable :read_internal_note
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 49f9225a1d3..090be645b21 100644
--- a/app/policies/merge_request_policy.rb +++ b/app/policies/merge_request_policy.rb @@ -16,6 +16,10 @@ class MergeRequestPolicy < IssuablePolicy prevent :accept_merge_request end + rule { can?(:read_merge_request) }.policy do + enable :generate_diff_summary + end + rule { can_approve }.policy do enable :approve_merge_request end @@ -43,6 +47,10 @@ class MergeRequestPolicy < IssuablePolicy enable :set_merge_request_metadata end + rule { llm_bot }.policy do + enable :generate_diff_summary + end + private def can_approve? diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index c70dc288710..ad6155258ab 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -253,12 +253,12 @@ class ProjectPolicy < BasePolicy !Gitlab.config.terraform_state.enabled end - condition(:create_runner_workflow_enabled) do - Feature.enabled?(:create_runner_workflow_for_namespace, project.namespace) - end - condition(:namespace_catalog_available) { namespace_catalog_available? } + condition(:created_and_owned_by_banned_user, scope: :subject) do + Feature.enabled?(:hide_projects_of_banned_users) && @subject.created_and_owned_by_banned_user? + end + # `:read_project` may be prevented in EE, but `:read_project_for_iids` should # not. rule { guest | admin }.enable :read_project_for_iids @@ -886,10 +886,6 @@ class ProjectPolicy < BasePolicy enable :read_code end - rule { ~create_runner_workflow_enabled }.policy do - prevent :create_runner - end - # Should be matched with GroupPolicy#read_internal_note rule { admin | can?(:reporter_access) }.enable :read_internal_note @@ -909,6 +905,14 @@ class ProjectPolicy < BasePolicy enable :read_model_experiments end + rule { can?(:reporter_access) & model_experiments_enabled }.policy do + enable :write_model_experiments + end + + rule { ~admin & created_and_owned_by_banned_user }.policy do + prevent :read_project + end + private def user_is_user? |
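Review bot: The first added rule in merge_request_policy.rb (the `@@ -16,6 +16,10 @@` hunk) enables `:generate_diff_summary` for every subject that passes `can?(:read_merge_request)`, with no feature-flag, licence or namespace-setting condition beside it. If read access extends to non-members on public projects (not determinable from these hunks), so does this ability, and each caller then has to remember the opt-in check itself. I would put the gate in the policy, e.g. `rule { can?(:read_merge_request) & diff_summary_allowed }.policy do`, where `diff_summary_allowed` is a placeholder name for whatever setting governs the feature. MergeRequestPolicy starts and continues outside the hunk, so a `prevent` elsewhere may already cover this.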
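Review bot: `rule { llm_bot }` in the `@@ -43,6 +47,10 @@` hunk enables `:generate_diff_summary` for the bot without also requiring `can?(:read_merge_request)`, so for that user the ability does not follow the merge request's visibility; the `llm_bot` condition is defined outside the visible hunks. If the bot is meant to act only after the requesting user was authorised, the rule needs a comment saying so, e.g. `# llm_bot is not a project member; the requesting user's access is checked by the caller`, and the caller should be confirmed to do that. If it is not deliberate, tighten it to `rule { llm_bot & can?(:read_merge_request) }.policy do`.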
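Review bot: The banned-user rule at the end of project_policy.rb prevents only `:read_project`; abilities enabled by their own rules, such as `:read_code` and `:read_project_for_iids` visible in the context lines of the earlier project_policy.rb hunks, are not prevented by it. Any caller that authorises on one of those without also checking `:read_project` would still succeed for a project that is meant to be hidden. Either list the dependent abilities in the same `prevent` block or add a comment stating that every read path must gate on `:read_project`, and cover at least one such ability in the policy spec. The condition added in the `@@ -253,12 +253,12 @@` hunk calls `Feature.enabled?(:hide_projects_of_banned_users)` without an actor inside a `scope: :subject` condition, which deserves a one-line comment such as `# instance-wide flag, evaluated inside a subject-scoped condition`. ProjectPolicy starts and continues outside these hunks.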