
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/group_policy.rb17
-rw-r--r--app/policies/issue_policy.rb7
-rw-r--r--app/policies/packages/helm/file_metadatum_policy.rb8
-rw-r--r--app/policies/project_policy.rb15
4 files changed, 40 insertions, 7 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 64395f69c42..833d5b9bd34 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -75,6 +75,8 @@ class GroupPolicy < BasePolicy
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
+ condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) }
+
rule { can?(:read_group) & design_management_enabled }.policy do
enable :read_design_activity
end
@@ -113,8 +115,8 @@ class GroupPolicy < BasePolicy
enable :read_group_member
enable :read_custom_emoji
enable :read_counts
- enable :read_organization
- enable :read_contact
+ enable :read_crm_organization
+ enable :read_crm_contact
end
rule { ~public_group & ~has_access }.prevent :read_counts
@@ -134,8 +136,8 @@ class GroupPolicy < BasePolicy
enable :create_package
enable :create_package_settings
enable :developer_access
- enable :admin_organization
- enable :admin_contact
+ enable :admin_crm_organization
+ enable :admin_crm_contact
end
rule { reporter }.policy do
@@ -252,6 +254,13 @@ class GroupPolicy < BasePolicy
enable :read_label
end
+ rule { ~crm_enabled }.policy do
+ prevent :read_crm_contact
+ prevent :read_crm_organization
+ prevent :admin_crm_contact
+ prevent :admin_crm_organization
+ end
+
def access_level(for_any_session: false)
return GroupMember::NO_ACCESS if @user.nil?
return GroupMember::NO_ACCESS unless user_is_user?
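Review bot: The `~crm_enabled` rule switches the feature off by listing four abilities by hand, so a CRM ability added to GroupPolicy later stays enabled with the flag off unless this list is extended too. A comment above the rule would make that obligation visible, for example `# Every CRM ability enabled in this policy must also be prevented here while :customer_relations is disabled.` The `crm_enabled` condition added in the first hunk would also read better with a `desc`, e.g. `desc "CRM feature flag is enabled for the group"`. GroupPolicy's body continues outside both hunks.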
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 575e532c615..c9c13b29643 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -12,6 +12,9 @@ class IssuePolicy < IssuablePolicy
@user && IssueCollection.new([@subject]).visible_to(@user).any?
end
+ desc "User can read contacts belonging to the issue group"
+ condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.group) }
+
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
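Review bot: `can_read_crm_contacts` is declared with `scope: :subject` although its block reads `@user`, so the cached result is keyed on the issue alone and one user's answer can be reused for another user evaluated against the same issue. Dropping the scope caches it per user and subject: `condition(:can_read_crm_contacts) { @user.can?(:read_crm_contact, @subject.project.group) }`. The block also calls `@user.can?` without the `@user &&` guard used by the condition just above it; if this condition can be evaluated for an anonymous user it would raise, so `@user&.can?(...)` is the safer form. The `set_issue_crm_contacts` rule added in the next hunk depends on this condition, so both points affect who may set contacts on an issue.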
@@ -77,6 +80,10 @@ class IssuePolicy < IssuablePolicy
rule { ~persisted & can?(:create_issue) }.policy do
enable :set_confidentiality
end
+
+ rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do
+ enable :set_issue_crm_contacts
+ end
end
IssuePolicy.prepend_mod_with('IssuePolicy')
diff --git a/app/policies/packages/helm/file_metadatum_policy.rb b/app/policies/packages/helm/file_metadatum_policy.rb
new file mode 100644
index 00000000000..4e0cb9046bf
--- /dev/null
+++ b/app/policies/packages/helm/file_metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Helm
+ class FileMetadatumPolicy < BasePolicy
+ delegate { @subject.package_file.package }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 87573c9ad13..d81db357162 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -47,6 +47,9 @@ class ProjectPolicy < BasePolicy
desc "Project is archived"
condition(:archived, scope: :subject, score: 0) { project.archived? }
+ desc "Project is in the process of being deleted"
+ condition(:pending_delete) { project.pending_delete? }
+
condition(:default_issues_tracker, scope: :subject) { project.default_issues_tracker? }
desc "Container registry is disabled"
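Review bot: `pending_delete` reads only `project`, yet unlike the `archived` condition directly above it declares no `scope: :subject`, so its result is cached per user and project rather than once per project. If `pending_delete?` is a plain attribute read (not visible here), `condition(:pending_delete, scope: :subject, score: 0) { project.pending_delete? }` would match its neighbour. ProjectPolicy's body continues outside the hunk.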
@@ -248,7 +251,7 @@ class ProjectPolicy < BasePolicy
enable :read_insights
end
- rule { can?(:guest_access) & can?(:create_issue) }.enable :create_incident
+ rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
@@ -439,7 +442,7 @@ class ProjectPolicy < BasePolicy
enable :destroy_freeze_period
enable :admin_feature_flags_client
enable :update_runners_registration_token
- enable :manage_project_google_cloud
+ enable :admin_project_google_cloud
end
rule { public_project & metrics_dashboard_allowed }.policy do
@@ -457,7 +460,13 @@ class ProjectPolicy < BasePolicy
prevent(*readonly_abilities)
readonly_features.each do |feature|
- prevent(*create_update_admin_destroy(feature))
+ prevent(*create_update_admin(feature))
+ end
+ end
+
+ rule { archived & ~pending_delete }.policy do
+ readonly_features.each do |feature|
+ prevent(:"destroy_#{feature}")
end
end
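Review bot: Nothing in the new `archived & ~pending_delete` rule says why the destroy abilities were split out of the archived block, and a later cleanup could merge them back and make archived projects undeletable again. A comment above the rule would record the intent, for example `# destroy_* stays allowed once deletion has started so an archived project can still be removed.` (intent inferred from the condition name; confirm with the author). The enclosing archived rule starts outside the hunk.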