Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/ci/build_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/namespace_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/operations/feature_flag_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 18 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 1 |
8 files changed, 27 insertions, 15 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index cc66ad0577d..b3950c6a0e3 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -20,6 +20,11 @@ module Ci
 end
 end
 
+ # overridden in EE
+ condition(:protected_environment_access) do
+ false
+ end
+
 condition(:owner_of_job) do
 @subject.triggered_by?(@user)
 end
@@ -40,7 +45,7 @@ module Ci
 @subject.pipeline.webide?
 end
 
- rule { protected_ref | archived }.policy do
+ rule { ~protected_environment_access & (protected_ref | archived) }.policy do
 prevent :update_build
 prevent :update_commit_status
 prevent :erase_build
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c66f0d199b0..de69636b078 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -15,14 +15,9 @@ class GlobalPolicy < BasePolicy
 @user&.required_terms_not_accepted?
 end
 
- condition(:private_instance_statistics, score: 0) { Gitlab::CurrentSettings.instance_statistics_visibility_private? }
-
 condition(:project_bot, scope: :user) { @user&.project_bot? }
 condition(:migration_bot, scope: :user) { @user&.migration_bot? }
 
- rule { admin | (~private_instance_statistics & ~anonymous) }
- .enable :read_instance_statistics
-
 rule { anonymous }.policy do
 prevent :log_in
 prevent :receive_notifications
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 3cc1be9dfb7..c98e82efef7 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -80,6 +80,7 @@ class GroupPolicy < BasePolicy
 enable :read_list
 enable :read_label
 enable :read_board
+ enable :read_group_member
 end
 
 rule { ~can?(:read_group) }.policy do
@@ -116,6 +117,7 @@ class GroupPolicy < BasePolicy
 enable :update_cluster
 enable :admin_cluster
 enable :read_deploy_token
+ enable :create_jira_connect_subscription
 end
 
 rule { owner }.policy do
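Review bot: In app/policies/ci/build_policy.rb, the rewritten rule `~protected_environment_access & (protected_ref | archived)` lifts the `archived` guard together with the `protected_ref` one whenever the EE override returns true, so such a user would no longer be prevented from `:update_build`, `:update_commit_status` or `:erase_build` on an archived job. If only the protected-ref restriction is meant to be relaxed, scope the negation to it: `rule { (~protected_environment_access & protected_ref) | archived }.policy do`. The `# overridden in EE` comment would also help more if it stated what a true result is supposed to grant, since the override itself is not part of this diff. The rule's policy block continues past the end of the hunk.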
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 537319addc2..5cfbcfec5c0 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -24,5 +24,6 @@ class IssuablePolicy < BasePolicy
 prevent :create_note
 prevent :admin_note
 prevent :resolve_note
+ prevent :award_emoji
 end
 end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 350dd208499..aa87442cadd 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -12,6 +12,7 @@ class NamespacePolicy < BasePolicy
 enable :admin_namespace
 enable :read_namespace
 enable :read_statistics
+ enable :create_jira_connect_subscription
 end
 
 rule { personal_project & ~can_create_personal_project }.prevent :create_projects
diff --git a/app/policies/operations/feature_flag_policy.rb b/app/policies/operations/feature_flag_policy.rb
new file mode 100644
index 00000000000..e2f4781d07c
--- /dev/null
+++ b/app/policies/operations/feature_flag_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Operations
+ class FeatureFlagPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b2432bfa608..87ee7d201e4 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -102,11 +102,6 @@ class ProjectPolicy < BasePolicy
 end
 
 with_scope :subject
- condition(:moving_designs_disabled) do
- !::Feature.enabled?(:reorder_designs, @subject, default_enabled: true)
- end
-
- with_scope :subject
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }
 
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
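Review bot: In the new app/policies/operations/feature_flag_policy.rb, `Operations::FeatureFlagPolicy` declares no conditions or rules of its own, so every ability checked against a feature flag is decided entirely by the delegated project policy, and the class says nothing about that. A class comment such as `# All abilities are delegated to the owning project's policy; add rules here only for per-flag restrictions.` would make the authorization model explicit to the next reader. The `delegate { @subject.project }` block also appears to assume that every flag has a project; if a flag without one can ever be loaded, a spec should pin down what the delegation yields in that case.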
@@ -330,6 +325,12 @@ class ProjectPolicy < BasePolicy
 enable :destroy_design
 enable :read_terraform_state
 enable :read_pod_logs
+ enable :read_feature_flag
+ enable :create_feature_flag
+ enable :update_feature_flag
+ enable :destroy_feature_flag
+ enable :admin_feature_flag
+ enable :admin_feature_flags_user_lists
 end
 
 rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -376,6 +377,7 @@ class ProjectPolicy < BasePolicy
 enable :read_freeze_period
 enable :update_freeze_period
 enable :destroy_freeze_period
+ enable :admin_feature_flags_client
 end
 
 rule { public_project & metrics_dashboard_allowed }.policy do
@@ -452,6 +454,8 @@ class ProjectPolicy < BasePolicy
 prevent :read_pipeline
 prevent :read_pipeline_schedule
 prevent(*create_read_update_admin_destroy(:release))
+ prevent(*create_read_update_admin_destroy(:feature_flag))
+ prevent(:admin_feature_flags_user_lists)
 end
 
 rule { container_registry_disabled }.policy do
@@ -557,10 +561,6 @@ class ProjectPolicy < BasePolicy
 prevent :move_design
 end
 
- rule { moving_designs_disabled }.policy do
- prevent :move_design
- end
-
 rule { read_package_registry_deploy_token }.policy do
 enable :read_package
 enable :read_project
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 6ebafca9885..c9dfa98b285 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -25,6 +25,7 @@ class UserPolicy < BasePolicy
 
 rule { default }.enable :read_user_profile
 rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
+ rule { user_is_self | admin }.enable :disable_two_factor
 end
 
 UserPolicy.prepend_if_ee('EE::UserPolicy') |
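Review bot: In app/policies/project_policy.rb, the prevent block extended at `@@ -452,6 +454,8 @@` revokes the `:feature_flag` create/read/update/admin/destroy abilities and `:admin_feature_flags_user_lists`, but not `:admin_feature_flags_client`, which the hunk at `@@ -376,6 +377,7 @@` enables. If that block is meant to switch feature flags off entirely when its condition holds (the rule header is outside the hunk, so this is inferred), the client-configuration ability stays granted. Adding `prevent :admin_feature_flags_client` beside the two new lines would keep the three grants and their revocation consistent. As a style point, `prevent(:admin_feature_flags_user_lists)` could drop the parentheses to match the `prevent :read_pipeline` lines above it.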
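Review bot: In app/policies/user_policy.rb, `rule { user_is_self | admin }.enable :disable_two_factor` grants a security-sensitive ability on identity alone, so the policy cannot tell a freshly authenticated account owner from someone using an unattended or stolen session. Any re-verification of the user, and any audit record for an admin removing another user's second factor, has to live in the code that consumes this ability, which is not visible in this diff. A comment on the rule would make that contract explicit, for example `# Decides only who may disable 2FA; callers must re-verify the user and record the change.` The class body starts outside the hunk, so other rules may already narrow this one.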