Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/alert_management/http_integration_policy.rb | 7 | ||||
-rw-r--r-- | app/policies/base_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/concerns/policy_actor.rb | 4 | ||||
-rw-r--r-- | app/policies/container_registry/tag_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/custom_emoji_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/group_member_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 20 | ||||
-rw-r--r-- | app/policies/instance_metadata_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/issue_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/merge_request_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 11 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/service_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/terraform/state_version_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 2 |
15 files changed, 88 insertions, 4 deletions
diff --git a/app/policies/alert_management/http_integration_policy.rb b/app/policies/alert_management/http_integration_policy.rb
new file mode 100644
index 00000000000..77c936b9e0b
--- /dev/null
+++ b/app/policies/alert_management/http_integration_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module AlertManagement
+  class HttpIntegrationPolicy < ::BasePolicy
+    delegate { @subject.project }
+  end
+end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1c93073025d..580a348b408 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -57,6 +57,8 @@ class BasePolicy < DeclarativePolicy::Base
   rule { default }.enable :read_cross_project
 
   condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
+
+  rule { admin }.enable :change_repository_storage
 end
 
 BasePolicy.prepend_if_ee('EE::BasePolicy')
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 3073a2e5d10..7eca6f4c6c8 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -72,6 +72,10 @@ module PolicyActor
   def try_obtain_ldap_lease
     nil
   end
+
+  def can_read_all_resources?
+    false
+  end
 end
 
 PolicyActor.prepend_if_ee('EE::PolicyActor')
diff --git a/app/policies/container_registry/tag_policy.rb b/app/policies/container_registry/tag_policy.rb
new file mode 100644
index 00000000000..8c75f2a6f20
--- /dev/null
+++ b/app/policies/container_registry/tag_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module ContainerRegistry
+  class TagPolicy < BasePolicy
+    delegate { @subject.repository }
+  end
+end
diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb
new file mode 100644
index 00000000000..ba73b9a3782
--- /dev/null
+++ b/app/policies/custom_emoji_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class CustomEmojiPolicy < BasePolicy
+  delegate { @subject.group }
+end
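Review bot: `rule { admin }.enable :change_repository_storage` on BasePolicy grants the ability for every subject whose policy inherits from it, not only projects (the ProjectPolicy rule is removed elsewhere in this commit, presumably so groups inherit it too), and nothing on the base policy says which subjects actually have repository storage. A reader of base_policy.rb therefore cannot tell whether answering true for, say, a note or a user is meaningful or an oversight. A one-line comment above the rule would carry that intent: `# Admin-only. Declared on the base policy so every subject with repository storage (projects and, presumably, groups) inherits it; it has no effect for other subjects.`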
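Review bot: `can_read_all_resources?` is added to PolicyActor as a bare `false` with no comment, while `PolicyActor.prepend_if_ee('EE::PolicyActor')` two lines below suggests the EE module overrides it. Because the name describes a bypass of read checks, the default should state its contract so it is not read as a dead stub: `# CE default: no actor bypasses read checks. EE is expected to override this via the prepend below.`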
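Review bot: In `app/policies/container_registry/tag_policy.rb` the empty line after `# frozen_string_literal: true` is missing, whereas the other new policy files in this commit (`http_integration_policy.rb`, `custom_emoji_policy.rb`) have it. Adding the blank line keeps the new files consistent with each other and with the layout cop the repository appears to follow.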
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f6e52def270..78a2be7a9f8 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -11,7 +11,10 @@ class GroupMemberPolicy < BasePolicy
   condition(:is_target_user) { @user && @subject.user_id == @user.id }
 
   rule { anonymous }.prevent_all
-  rule { last_owner }.prevent_all
+  rule { last_owner }.policy do
+    prevent :update_group_member
+    prevent :destroy_group_member
+  end
 
   rule { can?(:admin_group_member) }.policy do
     enable :update_group_member
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index f9ec026a6d2..231843c5f23 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -46,6 +46,10 @@ class GroupPolicy < BasePolicy
     group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
   end
 
+  condition(:dependency_proxy_available) do
+    @subject.dependency_proxy_feature_available?
+  end
+
   desc "Deploy token with read_package_registry scope"
   condition(:read_package_registry_deploy_token) do
     @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
@@ -59,6 +63,9 @@ class GroupPolicy < BasePolicy
   with_scope :subject
   condition(:resource_access_token_available) { resource_access_token_available? }
 
+  with_scope :subject
+  condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
+
   rule { design_management_enabled }.policy do
     enable :read_design_activity
   end
@@ -94,6 +101,7 @@ class GroupPolicy < BasePolicy
     enable :read_label
     enable :read_board
     enable :read_group_member
+    enable :read_custom_emoji
   end
 
   rule { ~can?(:read_group) }.policy do
@@ -107,6 +115,7 @@ class GroupPolicy < BasePolicy
     enable :create_metrics_dashboard_annotation
     enable :delete_metrics_dashboard_annotation
     enable :update_metrics_dashboard_annotation
+    enable :create_custom_emoji
   end
 
   rule { reporter }.policy do
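Review bot: The narrowed `last_owner` rule needs a comment explaining why only `update_group_member` and `destroy_group_member` are prevented where `prevent_all` used to be, because every other ability on the member now falls through to the `can?(:admin_group_member)` block that starts at the end of the hunk. Without it the next reader cannot tell whether letting the last owner be read and listed is deliberate. Suggested line above `rule { last_owner }.policy do`: `# The last owner may still be read and listed, but must never be demoted or removed`.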
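Review bot: `condition(:dependency_proxy_available)` reads only `@subject`, yet it is declared without a scope, unlike `resource_access_token_available` and the new `has_project_with_service_desk_enabled` in the next hunk, which both carry `with_scope :subject`. If `dependency_proxy_feature_available?` really depends on the group alone, the condition should be scoped the same way so DeclarativePolicy can cache it per subject instead of per user/subject pair: `with_scope :subject` on the line before, or `condition(:dependency_proxy_available, scope: :subject) do`. If it does depend on the current user, a comment saying so would stop the next person from "fixing" it.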
@@ -187,13 +196,24 @@ class GroupPolicy < BasePolicy
 
   rule { write_package_registry_deploy_token }.policy do
     enable :create_package
+    enable :read_package
     enable :read_group
   end
 
+  rule { can?(:read_group) & dependency_proxy_available }
+    .enable :read_dependency_proxy
+
+  rule { developer & dependency_proxy_available }
+    .enable :admin_dependency_proxy
+
   rule { resource_access_token_available & can?(:admin_group) }.policy do
     enable :admin_resource_access_tokens
   end
 
+  rule { support_bot & has_project_with_service_desk_enabled }.policy do
+    enable :read_label
+  end
+
   def access_level
     return GroupMember::NO_ACCESS if @user.nil?
     return GroupMember::NO_ACCESS unless user_is_user?
diff --git a/app/policies/instance_metadata_policy.rb b/app/policies/instance_metadata_policy.rb
new file mode 100644
index 00000000000..3386217044d
--- /dev/null
+++ b/app/policies/instance_metadata_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class InstanceMetadataPolicy < BasePolicy
+  delegate { :global }
+end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 44c448eb601..183f4d8f919 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -35,6 +35,10 @@ class IssuePolicy < IssuablePolicy
   rule { ~can?(:read_design) }.policy do
     prevent :move_design
   end
+
+  rule { ~anonymous & can?(:read_issue) }.policy do
+    enable :create_todo
+  end
 end
 
 IssuePolicy.prepend_if_ee('EE::IssuePolicy')
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e5ac228b0ee..d5ba42d750c 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -14,6 +14,10 @@ class MergeRequestPolicy < IssuablePolicy
   rule { can?(:update_merge_request) }.policy do
     enable :approve_merge_request
   end
+
+  rule { ~anonymous & can?(:read_merge_request) }.policy do
+    enable :create_todo
+  end
 end
 
 MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
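Review bot: `rule { can?(:read_group) & dependency_proxy_available }.enable :read_dependency_proxy` keys the proxy read permission to group readability alone, so on a group where `read_group` is granted broadly (the `rule { ~can?(:read_group) }` block in the earlier hunk implies there are cases where it is not), every reader of the group, possibly including anonymous and guest users, can pull through the dependency proxy. If that is intended, a comment above the rule should say so, for example `# Anyone who can read the group may pull through the proxy; write access is developer-only below`, so the decision is visible when the rule is next audited; if pulls are meant to be member-only, the condition should be a membership level rather than `can?(:read_group)`. The `support_bot & has_project_with_service_desk_enabled` rule further down similarly deserves a line explaining why a group-level `read_label` is needed for service desk.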
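Review bot: The `create_todo` rule is duplicated between the issue_policy.rb hunk (`~anonymous & can?(:read_issue)`) and the merge_request_policy.rb hunk (`~anonymous & can?(:read_merge_request)`), and both classes inherit from IssuablePolicy, which is outside this diff. Unless the two read abilities must stay distinct, one rule on IssuablePolicy built on a shared read condition would avoid the two copies drifting apart; at minimum each copy could carry `# mirrors the same rule in MergeRequestPolicy` / `# mirrors the same rule in IssuePolicy` so a future change updates both.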
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 2217aa1326c..2bf6b6c3161 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -7,13 +7,15 @@ class NotePolicy < BasePolicy
   delegate { @subject.noteable if DeclarativePolicy.has_policy?(@subject.noteable) }
 
   condition(:is_author) { @user && @subject.author == @user }
-  condition(:is_noteable_author) { @user && @subject.noteable.author_id == @user.id }
+  condition(:is_noteable_author) { @user && @subject.noteable.try(:author_id) == @user.id }
 
   condition(:editable, scope: :subject) { @subject.editable? }
 
   condition(:can_read_noteable) { can?(:"read_#{@subject.noteable_ability_name}") }
   condition(:commit_is_deleted) { @subject.for_commit? && @subject.noteable.blank? }
+  condition(:for_design) { @subject.for_design? }
 
+  condition(:is_visible) { @subject.system_note_with_references_visible_for?(@user) }
 
   condition(:confidential, scope: :subject) { @subject.confidential? }
 
@@ -28,6 +30,7 @@ class NotePolicy < BasePolicy
   rule { ~can_read_noteable }.policy do
     prevent :admin_note
     prevent :resolve_note
+    prevent :reposition_note
     prevent :award_emoji
   end
 
@@ -46,6 +49,7 @@ class NotePolicy < BasePolicy
     prevent :read_note
     prevent :admin_note
     prevent :resolve_note
+    prevent :reposition_note
     prevent :award_emoji
   end
 
@@ -57,9 +61,14 @@ class NotePolicy < BasePolicy
     prevent :read_note
     prevent :admin_note
     prevent :resolve_note
+    prevent :reposition_note
     prevent :award_emoji
   end
 
+  rule { can?(:admin_note) | (for_design & can?(:create_note)) }.policy do
+    enable :reposition_note
+  end
+
   def parent_namespace
     strong_memoize(:parent_namespace) do
       next if @subject.is_a?(PersonalSnippet)
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 59e2d617bf7..13073ed68a1 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
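Review bot: `condition(:for_design) { @subject.for_design? }` reads only the note, yet it is declared without `scope: :subject`, while `editable` and `confidential` in the same hunk carry it; unless `for_design?` depends on the user, it should read `condition(:for_design, scope: :subject) { @subject.for_design? }` so it is cached per note like its neighbours. `is_visible` is declared in this hunk but no rule in the visible hunks consumes it; if it is used further down the file or in EE, a short comment naming the consumer would save the next reader the search, and if it is not, it is dead. The `.try(:author_id)` change on `is_noteable_author` quietly makes the condition false for noteables without an author, which is worth a trailing comment such as `# noteables without an author (e.g. commits) never match`.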
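Review bot: `rule { can?(:admin_note) | (for_design & can?(:create_note)) }.enable :reposition_note` grants repositioning of a design note to anyone who may create notes on the design, not only to the note's author, so one commenter can move another commenter's pin; the three `prevent :reposition_note` additions above only cover unreadable, deleted-commit and confidential cases, and none of them checks `is_author`. If that is the intended collaboration model it should be stated on the rule, for example `# Any design commenter may move any pin on that design; non-design notes still require admin_note`; if not, the second branch should be `for_design & is_author & can?(:create_note)`. The `parent_namespace` method that follows continues outside the hunk.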
@@ -546,8 +546,6 @@ class ProjectPolicy < BasePolicy
     prevent :create_pipeline
   end
 
-  rule { admin }.enable :change_repository_storage
-
   rule { can?(:read_issue) }.policy do
     enable :read_design
     enable :read_design_activity
@@ -570,6 +568,7 @@ class ProjectPolicy < BasePolicy
 
   rule { write_package_registry_deploy_token }.policy do
     enable :create_package
+    enable :read_package
     enable :read_project
   end
 
diff --git a/app/policies/service_policy.rb b/app/policies/service_policy.rb
new file mode 100644
index 00000000000..61aff444620
--- /dev/null
+++ b/app/policies/service_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ServicePolicy < BasePolicy
+  delegate(:project)
+end
diff --git a/app/policies/terraform/state_version_policy.rb b/app/policies/terraform/state_version_policy.rb
new file mode 100644
index 00000000000..ad0b2f6d594
--- /dev/null
+++ b/app/policies/terraform/state_version_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Terraform
+  class StateVersionPolicy < BasePolicy
+    alias_method :terraform_state_version, :subject
+
+    delegate { terraform_state_version.terraform_state }
+  end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index c9dfa98b285..70e8fb32064 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -21,11 +21,13 @@ class UserPolicy < BasePolicy
     enable :update_user
     enable :update_user_status
     enable :read_user_personal_access_tokens
+    enable :read_group_count
   end
 
   rule { default }.enable :read_user_profile
   rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
   rule { user_is_self | admin }.enable :disable_two_factor
+  rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
 end
 
 UserPolicy.prepend_if_ee('EE::UserPolicy')
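Review bot: `ServicePolicy` uses the symbol form `delegate(:project)` whereas every other new policy in this commit (`HttpIntegrationPolicy`, `TagPolicy`, `CustomEmojiPolicy`, `StateVersionPolicy`) uses the block form `delegate { @subject.project }`. Both presumably resolve to the subject's project, but mixing the two forms in one commit makes the difference look meaningful; `delegate { @subject.project }` would keep the set consistent.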
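Review bot: `rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token` uses `blocked`, which is not defined in this hunk, while the `read_user_profile` rule two lines above uses `blocked_user` for the target account; if `blocked` (presumably inherited from BasePolicy) refers to the acting user, this rule still lets an admin mint a personal access token for a blocked account, which is a live credential on a disabled identity. If the target is what should be checked, the condition wanted is `~blocked_user`, and if both matter, `~blocked & ~blocked_user`. Whichever is intended, a trailing comment such as `# never issue tokens for a blocked account` on the rule would make the audit intent explicit.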