Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/base_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 15 | ||||
-rw-r--r-- | app/policies/concerns/policy_actor.rb | 4 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 3 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/namespace_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/project_ci_cd_setting_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 27 | ||||
-rw-r--r-- | app/policies/timebox_policy.rb | 10 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 5 |
11 files changed, 78 insertions, 3 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 580a348b408..51694ec7c50 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -25,6 +25,10 @@ class BasePolicy < DeclarativePolicy::Base
   with_options scope: :user, score: 0
   condition(:support_bot) { @user&.support_bot? }
 
+  desc "User is security bot"
+  with_options scope: :user, score: 0
+  condition(:security_bot) { @user&.security_bot? }
+
   desc "User email is unconfirmed or user account is locked"
   with_options scope: :user, score: 0
   condition(:inactive) { @user&.confirmation_required_on_sign_in? || @user&.access_locked? }
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 3efc07421e4..7e69e1fdd88 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -45,6 +45,21 @@ module Ci
       @subject.pipeline.webide?
     end
 
+    condition(:debug_mode, scope: :subject, score: 32) do
+      @subject.debug_mode?
+    end
+
+    condition(:project_read_build, scope: :subject) do
+      can?(:read_build, @subject.project)
+    end
+
+    condition(:project_update_build, scope: :subject) do
+      can?(:update_build, @subject.project)
+    end
+
+    rule { project_read_build }.enable :read_build_trace
+    rule { debug_mode & ~project_update_build }.prevent :read_build_trace
+
     rule { ~protected_environment_access & (protected_ref | archived) }.policy do
       prevent :update_build
       prevent :update_commit_status
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 7eca6f4c6c8..75849fb10c8 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -49,6 +49,10 @@ module PolicyActor
     false
   end
 
+  def security_bot?
+    false
+  end
+
   def deactivated?
     false
   end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index c1ea4dddb51..b5c1ec0181e 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
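Review bot: The two new `read_build_trace` rules in the Ci::BuildPolicy hunk carry no explanation of why `debug_mode` changes who may read a trace, and the `score: 32` on the `debug_mode` condition is likewise unexplained. A comment above the condition, e.g. `# Debug-mode traces are presumed to expose more of the job's runtime data, so reading them requires update_build on the project`, would record the intent for the next reader (hedged to whatever `debug_mode?` actually implies). If, as in DeclarativePolicy generally, `prevent` takes precedence over `enable`, the second rule also overrides any `enable :read_build_trace` defined elsewhere in this class, which is presumably the intended effect but is worth stating. The enclosing class continues outside the hunk.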
@@ -48,7 +48,7 @@ class GlobalPolicy < BasePolicy
     prevent :use_slash_commands
   end
 
-  rule { blocked | (internal & ~migration_bot) }.policy do
+  rule { blocked | (internal & ~migration_bot & ~security_bot) }.policy do
     prevent :access_git
   end
 
@@ -99,6 +99,7 @@ class GlobalPolicy < BasePolicy
     enable :read_custom_attribute
     enable :update_custom_attribute
     enable :approve_user
+    enable :reject_user
   end
 
   # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 231843c5f23..7d0db222eaf 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -185,7 +185,10 @@ class GroupPolicy < BasePolicy
   rule { developer & developer_maintainer_access }.enable :create_projects
   rule { create_projects_disabled }.prevent :create_projects
 
-  rule { owner | admin }.enable :read_statistics
+  rule { owner | admin }.policy do
+    enable :owner_access
+    enable :read_statistics
+  end
 
   rule { maintainer & can?(:create_projects) }.enable :transfer_projects
 
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 5cfbcfec5c0..f49a6ee8498 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -27,3 +27,5 @@ class IssuablePolicy < BasePolicy
     prevent :award_emoji
   end
 end
+
+IssuablePolicy.prepend_if_ee('EE::IssuablePolicy')
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index aa87442cadd..b1d680b4264 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -8,6 +8,7 @@ class NamespacePolicy < BasePolicy
   condition(:owner) { @subject.owner == @user }
 
   rule { owner | admin }.policy do
+    enable :owner_access
     enable :create_projects
     enable :admin_namespace
     enable :read_namespace
diff --git a/app/policies/project_ci_cd_setting_policy.rb b/app/policies/project_ci_cd_setting_policy.rb
new file mode 100644
index 00000000000..a22b790415b
--- /dev/null
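Review bot: The `~security_bot` carve-out added to the `prevent :access_git` rule in GlobalPolicy widens Git access to another internal account, and nothing in the hunk records why that bot needs it; a comment on the rule, e.g. `# internal bots that must use Git are exempted explicitly; every other internal user is denied`, keeps the exemption reviewable. The exemption is only as strong as the `security_bot?` predicate it relies on (introduced in BasePolicy and stubbed to `false` in PolicyActor in this same diff), so that flag should remain a server-controlled attribute rather than anything a user or API client can set — worth confirming where `User#security_bot?` derives from. The rule block continues past the end of the hunk.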
+++ b/app/policies/project_ci_cd_setting_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProjectCiCdSettingPolicy < BasePolicy
+  delegate { @subject.project }
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 13073ed68a1..403fb34803e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -135,6 +135,10 @@ class ProjectPolicy < BasePolicy
     ::Feature.enabled?(:build_service_proxy, @subject)
   end
 
+  condition(:project_bot_is_member) do
+    user.project_bot? & team_member?
+  end
+
   with_scope :subject
   condition(:packages_disabled) { !@subject.packages_enabled }
 
@@ -147,6 +151,8 @@ class ProjectPolicy < BasePolicy
     builds
     pages
     metrics_dashboard
+    analytics
+    operations
   ]
 
   features.each do |f|
@@ -211,6 +217,7 @@ class ProjectPolicy < BasePolicy
     enable :award_emoji
     enable :read_pages_content
     enable :read_release
+    enable :read_analytics
   end
 
   # These abilities are not allowed to admins that are not members of the project,
@@ -272,6 +279,19 @@ class ProjectPolicy < BasePolicy
     prevent(:metrics_dashboard)
   end
 
+  rule { operations_disabled }.policy do
+    prevent(*create_read_update_admin_destroy(:feature_flag))
+    prevent(*create_read_update_admin_destroy(:environment))
+    prevent(*create_read_update_admin_destroy(:sentry_issue))
+    prevent(*create_read_update_admin_destroy(:alert_management_alert))
+    prevent(*create_read_update_admin_destroy(:cluster))
+    prevent(*create_read_update_admin_destroy(:terraform_state))
+    prevent(*create_read_update_admin_destroy(:deployment))
+    prevent(:metrics_dashboard)
+    prevent(:read_pod_logs)
+    prevent(:read_prometheus)
+  end
+
   rule { can?(:metrics_dashboard) }.policy do
     enable :read_prometheus
     enable :read_deployment
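Review bot: `user.project_bot? & team_member?` in the new `project_bot_is_member` condition uses the non-short-circuiting `&` inside a plain Ruby block; `&` is the DSL conjunction for `rule { }` expressions, but in a `condition do … end` body it evaluates `team_member?` even when the user is not a project bot and depends on `project_bot?` returning a Boolean or nil rather than some other truthy object. `user.project_bot? && team_member?` is the idiomatic form here and short-circuits. The neighbouring conditions in the hunk read `@subject` directly while this one goes through `user`; either is fine, but a one-line comment such as `# project access tokens act through a bot user that must itself be a member of the project` would make the condition's purpose clear without reading the rest of the class, which continues outside the hunk.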
@@ -424,6 +444,10 @@ class ProjectPolicy < BasePolicy
     prevent(*create_read_update_admin_destroy(:snippet))
   end
 
+  rule { analytics_disabled }.policy do
+    prevent(:read_analytics)
+  end
+
   rule { wiki_disabled }.policy do
     prevent(*create_read_update_admin_destroy(:wiki))
     prevent(:download_wiki_code)
@@ -494,6 +518,7 @@ class ProjectPolicy < BasePolicy
     enable :download_wiki_code
     enable :read_cycle_analytics
     enable :read_pages_content
+    enable :read_analytics
 
     # NOTE: may be overridden by IssuePolicy
     enable :read_issue
@@ -594,6 +619,8 @@ class ProjectPolicy < BasePolicy
     enable :admin_resource_access_tokens
   end
 
+  rule { project_bot_is_member & ~blocked }.enable :bot_log_in
+
   private
 
   def user_is_user?
diff --git a/app/policies/timebox_policy.rb b/app/policies/timebox_policy.rb
new file mode 100644
index 00000000000..03a1acb9358
--- /dev/null
+++ b/app/policies/timebox_policy.rb
@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class TimeboxPolicy < BasePolicy
+  # stub permissions policy on None, Any, Upcoming, Started and Current timeboxes
+
+  rule { default }.policy do
+    enable :read_iteration
+    enable :read_milestone
+  end
+end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 70e8fb32064..48c2bd3f0bd 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -13,6 +13,9 @@ class UserPolicy < BasePolicy
   desc "The user is blocked"
   condition(:blocked_user, scope: :subject, score: 0) { @subject.blocked? }
 
+  desc "The user is unconfirmed"
+  condition(:unconfirmed_user, scope: :subject, score: 0) { !@subject.confirmed? }
+
   rule { ~restricted_public_level }.enable :read_user
   rule { ~anonymous }.enable :read_user
 
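Review bot: `rule { project_bot_is_member & ~blocked }.enable :bot_log_in` gates a login ability on `~blocked` alone; the `inactive` condition that BasePolicy defines in this same diff (confirmation required on sign-in, or access locked) is not consulted, so as far as this hunk shows a locked project-bot account still satisfies the rule — worth confirming whether that is intended or whether `& ~inactive` belongs in the expression. A short comment stating what `:bot_log_in` authorizes and who checks it would also help, since the ability name alone does not say. The enclosing class continues outside the hunk.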
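Review bot: `rule { default }` in the new TimeboxPolicy enables `read_iteration` and `read_milestone` for every actor, anonymous users included, and the only explanation is that this is a stub for the None/Any/Upcoming/Started/Current timeboxes. Make the authorization decision explicit in the comment, e.g. `# These are virtual timeboxes that carry no project or group data, so reading them is intentionally allowed for everyone; concrete Milestone and Iteration records are governed by their own policies`, so a later reader does not take the unconditional grant for an oversight. It is also worth confirming that no real milestone or iteration object can resolve to this policy, since the class itself does no subject check.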
@@ -25,7 +28,7 @@ class UserPolicy < BasePolicy
   end
 
   rule { default }.enable :read_user_profile
-  rule { (private_profile | blocked_user) & ~(user_is_self | admin) }.prevent :read_user_profile
+  rule { (private_profile | blocked_user | unconfirmed_user) & ~(user_is_self | admin) }.prevent :read_user_profile
   rule { user_is_self | admin }.enable :disable_two_factor
   rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
 end