Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/abuse_report_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/analytics/cycle_analytics/value_stream_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/base_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/ci/deployable_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/ci/pipeline_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/concerns/policy_actor.rb | 4 | ||||
-rw-r--r-- | app/policies/container_registry/protection/rule_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/group_group_link_policy.rb | 8 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/issue_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/namespaces/group_project_namespace_shared_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/project_group_link_policy.rb | 4 | ||||
-rw-r--r-- | app/policies/project_import_state_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 88 | ||||
-rw-r--r-- | app/policies/user_policy.rb | 1 |
17 files changed, 136 insertions, 19 deletions
diff --git a/app/policies/abuse_report_policy.rb b/app/policies/abuse_report_policy.rb
index f1f994e6a42..043dbd0cb89 100644
--- a/app/policies/abuse_report_policy.rb
+++ b/app/policies/abuse_report_policy.rb
@@ -3,5 +3,6 @@
 class AbuseReportPolicy < ::BasePolicy
 rule { admin }.policy do
 enable :read_abuse_report
+ enable :create_note
 end
 end
diff --git a/app/policies/analytics/cycle_analytics/value_stream_policy.rb b/app/policies/analytics/cycle_analytics/value_stream_policy.rb
new file mode 100644
index 00000000000..7e236f94e91
--- /dev/null
+++ b/app/policies/analytics/cycle_analytics/value_stream_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Analytics
+ module CycleAnalytics
+ class ValueStreamPolicy < ::BasePolicy
+ delegate { subject.namespace }
+ end
+ end
+end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1ec2495a661..462afbaa475 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -37,7 +37,7 @@ class BasePolicy < DeclarativePolicy::Base
 desc "User is security policy bot"
 with_options scope: :user, score: 0
- condition(:security_policy_bot) { @user&.security_policy_bot? }
+ condition(:security_policy_bot) { false }
 desc "User is automation bot"
 with_options scope: :user, score: 0
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index bce7ceafe17..71ea42e1f23 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -81,6 +81,7 @@ module Ci
 end
 rule { ~can?(:jailbreak) & (archived | protected_ref) }.policy do
+ prevent :cancel_build
 prevent :update_build
 prevent :erase_build
 end
@@ -88,6 +89,7 @@ module Ci
 rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
 rule { can?(:public_access) & branch_allows_collaboration }.policy do
+ enable :cancel_build
 enable :update_build
 enable :update_commit_status
 end
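Review bot: `condition(:security_policy_bot) { false }` in base_policy.rb leaves a condition that can never be true, while the hunks in policy_actor.rb, global_policy.rb and project_policy.rb remove the other `security_policy_bot` definitions and the `access_git` rule that depended on it. If the stub is kept so that a downstream extension can redefine the condition, a comment should say so, otherwise the next reader will treat it as dead code: `# Always false in this tree; an extension may redefine this condition.` If nothing redefines it, the `desc`/`with_options`/`condition` trio could be removed together with the other deletions in this commit. The enclosing class continues outside the hunk.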
diff --git a/app/policies/ci/deployable_policy.rb b/app/policies/ci/deployable_policy.rb
index f0105b001f2..e83bdd5361a 100644
--- a/app/policies/ci/deployable_policy.rb
+++ b/app/policies/ci/deployable_policy.rb
@@ -11,7 +11,10 @@ module Ci
 @subject.outdated_deployment?
 end
- rule { outdated_deployment }.prevent :update_build
+ rule { outdated_deployment }.policy do
+ prevent :cancel_build
+ prevent :update_build
+ end
 end
 end
 end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 1d60b1e79de..c01162a86df 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -27,10 +27,14 @@ module Ci
 prevent :read_pipeline
 end
- rule { protected_ref }.prevent :update_pipeline
+ rule { protected_ref }.policy do
+ prevent :update_pipeline
+ prevent :cancel_pipeline
+ end
 rule { can?(:public_access) & branch_allows_collaboration }.policy do
 enable :update_pipeline
+ enable :cancel_pipeline
 end
 rule { can?(:owner_access) }.policy do
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index e000f1514e5..8fa09683b06 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -53,10 +53,6 @@ module PolicyActor
 false
 end
- def security_policy_bot?
- false
- end
-
 def automation_bot?
 false
 end
diff --git a/app/policies/container_registry/protection/rule_policy.rb b/app/policies/container_registry/protection/rule_policy.rb
new file mode 100644
index 00000000000..4dc8dba3276
--- /dev/null
+++ b/app/policies/container_registry/protection/rule_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module ContainerRegistry
+ module Protection
+ class RulePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+ end
+end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 7594360a91c..175f86c9673 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
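Review bot: `class RulePolicy < BasePolicy` in the new container_registry/protection/rule_policy.rb relies on lexical constant lookup from inside `ContainerRegistry::Protection`, so a `ContainerRegistry::Protection::BasePolicy` or `ContainerRegistry::BasePolicy` constant introduced later would silently change the superclass of an authorization policy. The other new policy files in this commit (value_stream_policy.rb, group_group_link_policy.rb, project_import_state_policy.rb) anchor the parent explicitly; `class RulePolicy < ::BasePolicy` keeps them consistent. The new files also differ in how they reach the subject (`subject.namespace` here versus `@subject.project` elsewhere); picking one form would make the delegations easier to scan.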
@@ -63,10 +63,6 @@ class GlobalPolicy < BasePolicy
 prevent :access_git
 end
- rule { security_policy_bot }.policy do
- enable :access_git
- end
-
 rule { project_bot | service_account }.policy do
 prevent :log_in
 prevent :receive_notifications
diff --git a/app/policies/group_group_link_policy.rb b/app/policies/group_group_link_policy.rb
new file mode 100644
index 00000000000..0108f0b7fca
--- /dev/null
+++ b/app/policies/group_group_link_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class GroupGroupLinkPolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ condition(:can_read_shared_with_group) { can?(:read_group, @subject.shared_with_group) }
+ condition(:group_member) { @subject.shared_group.member?(@user) }
+
+ rule { can_read_shared_with_group | group_member }.enable :read_shared_with_group
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 2ab59f5a34d..ca170133105 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -121,6 +121,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :upload_file
 enable :guest_access
 enable :read_release
+ enable :award_emoji
 end
 rule { admin }.policy do
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 6114785a851..683c53d8d78 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,7 +57,10 @@ class IssuePolicy < IssuablePolicy
 prevent :read_issue
 end
- rule { ~can?(:read_issue) }.prevent :create_note
+ rule { ~can?(:read_issue) }.policy do
+ prevent :create_note
+ prevent :read_note
+ end
 rule { locked }.policy do
 prevent :reopen_issue
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
index b24cb5be607..81bb5d6289e 100644
--- a/app/policies/namespaces/group_project_namespace_shared_policy.rb
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
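Review bot: `condition(:group_member) { @subject.shared_group.member?(@user) }` in group_group_link_policy.rb is also evaluated for anonymous actors, where `@user` is nil; unless `Group#member?` guards against nil itself, the rule would raise instead of denying, and the same applies to `condition(:project_member) { @subject.project.member?(@user) }` in project_group_link_policy.rb on the next line. An explicit guard keeps the condition failing closed regardless of the model's behaviour: `condition(:group_member) { @user && @subject.shared_group.member?(@user) }`. Neither new condition carries a `desc`, which the other policies in this directory use to explain rules in the policy debug output.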
@@ -22,6 +22,7 @@ module Namespaces
 enable :create_work_item
 enable :read_work_item
 enable :read_issue
+ enable :read_note
 enable :read_namespace
 enable :read_namespace_via_membership
 end
diff --git a/app/policies/project_group_link_policy.rb b/app/policies/project_group_link_policy.rb
index 00bb246d70b..7ad2985ecc5 100644
--- a/app/policies/project_group_link_policy.rb
+++ b/app/policies/project_group_link_policy.rb
@@ -2,9 +2,13 @@
 class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
 condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
+ condition(:can_read_group) { can?(:read_group, @subject.group) }
+ condition(:project_member) { @subject.project.member?(@user) }
 rule { group_owner_or_project_admin }.enable :admin_project_group_link
+ rule { can_read_group | project_member }.enable :read_shared_with_group
+
 private
 def group_owner?
diff --git a/app/policies/project_import_state_policy.rb b/app/policies/project_import_state_policy.rb
new file mode 100644
index 00000000000..c2cd03337b7
--- /dev/null
+++ b/app/policies/project_import_state_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProjectImportStatePolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass -- required by DeclarativePolicy lookup logic
+ delegate { @subject.project }
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 20f88577d67..bbb0e3df500 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -38,9 +38,6 @@ class ProjectPolicy < BasePolicy
 desc "User is a project bot"
 condition(:project_bot) { user.project_bot? && team_member? }
- desc "User is a security policy bot on the project"
- condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
-
 desc "Project is public"
 condition(:public_project, scope: :subject, score: 0) { project.public? }
@@ -136,6 +133,29 @@ class ProjectPolicy < BasePolicy
 !@user&.from_ci_job_token? || @user.ci_job_token_scope.accessible?(project)
 end
+ desc "If the user is via CI job token and project container registry visibility allows access"
+ condition(:job_token_container_registry) { job_token_access_allowed_to?(:container_registry) }
+
+ desc "If the user is via CI job token and project package registry visibility allows access"
+ condition(:job_token_package_registry) { job_token_access_allowed_to?(:package_registry) }
+
+ desc "If the user is via CI job token and project ci/cd visibility allows access"
+ condition(:job_token_builds) { job_token_access_allowed_to?(:builds) }
+
+ desc "If the user is via CI job token and project releases visibility allows access"
+ condition(:job_token_releases) { job_token_access_allowed_to?(:releases) }
+
+ desc "If the user is via CI job token and project environment visibility allows access"
+ condition(:job_token_environments) { job_token_access_allowed_to?(:environments) }
+
+ desc "If the project is either public or internal"
+ condition(:public_or_internal) do
+ project.public? || project.internal?
+ end
+
+ with_scope :subject
+ condition(:restrict_job_token_enabled) { Feature.enabled?(:restrict_ci_job_token_for_public_and_internal_projects, @subject) }
+
 with_scope :subject
 condition(:forking_allowed) do
 @subject.feature_available?(:forking, @user)
@@ -303,6 +323,8 @@ class ProjectPolicy < BasePolicy
 enable :set_show_diff_preview_in_email
 enable :set_warn_about_potentially_unwanted_characters
 enable :manage_owners
+
+ enable :add_catalog_resource
 end
 rule { can?(:guest_access) }.policy do
@@ -469,6 +491,7 @@ class ProjectPolicy < BasePolicy
 enable :update_commit_status
 enable :create_build
 enable :update_build
+ enable :cancel_build
 enable :read_resource_group
 enable :update_resource_group
 enable :create_merge_request_from
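Review bot: `condition(:public_or_internal)` reads only project state yet is declared without a scope, whereas the neighbouring `condition(:public_project, scope: :subject, score: 0)` in the previous hunk marks the same kind of check as subject-scoped so DeclarativePolicy can cache it per project instead of per user/project pair. `condition(:public_or_internal, scope: :subject, score: 0) do` would match that convention. The five `job_token_*` conditions depend on both the actor and the project, so the default scope is the right one for them; a one-line comment noting that would stop a later reader from scoping them the same way. The enclosing class continues outside the hunk.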
@@ -512,6 +535,7 @@ class ProjectPolicy < BasePolicy
 rule { can?(:developer_access) & user_confirmed? }.policy do
 enable :create_pipeline
 enable :update_pipeline
+ enable :cancel_pipeline
 enable :create_pipeline_schedule
 end
@@ -640,6 +664,7 @@ class ProjectPolicy < BasePolicy
 rule { builds_disabled | repository_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:build))
+ prevent :cancel_build
 prevent(*create_read_update_admin_destroy(:pipeline_schedule))
 prevent(*create_read_update_admin_destroy(:environment))
 prevent(*create_read_update_admin_destroy(:deployment))
@@ -652,6 +677,7 @@ class ProjectPolicy < BasePolicy
 # - We prevent the user from accessing Pipelines
 rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:pipeline))
+ prevent :cancel_pipeline
 prevent(*create_read_update_admin_destroy(:commit_status))
 end
@@ -679,8 +705,42 @@ class ProjectPolicy < BasePolicy
 enable :read_project_for_iids
 end
+ # If the project is private
 rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
+ # If this project is public or internal we want to prevent all aside from a few public policies
+ rule { public_or_internal & ~project_allowed_for_job_token & restrict_job_token_enabled }.policy do
+ prevent :guest_access
+ prevent :public_access
+ prevent :public_user_access
+ prevent :reporter_access
+ prevent :developer_access
+ prevent :maintainer_access
+ prevent :owner_access
+ end
+
+ rule { public_or_internal & job_token_container_registry & restrict_job_token_enabled }.policy do
+ enable :build_read_container_image
+ enable :read_container_image
+ end
+
+ rule { public_or_internal & job_token_package_registry & restrict_job_token_enabled }.policy do
+ enable :read_package
+ enable :read_project
+ end
+
+ rule { public_or_internal & job_token_builds & restrict_job_token_enabled }.policy do
+ enable :read_commit_status # this is additionally needed to download artifacts
+ end
+
+ rule { public_or_internal & job_token_releases & restrict_job_token_enabled }.policy do
+ enable :read_release
+ end
+
+ rule { public_or_internal & job_token_environments & restrict_job_token_enabled }.policy do
+ enable :read_environment
+ end
+
 rule { can?(:public_access) }.policy do
 enable :read_package
 enable :read_project
@@ -908,14 +968,14 @@ class ProjectPolicy < BasePolicy
 enable :read_namespace_catalog
 end
- rule { can?(:owner_access) & namespace_catalog_available }.policy do
- enable :add_catalog_resource
- end
-
 rule { model_registry_enabled }.policy do
 enable :read_model_registry
 end
+ rule { can?(:reporter_access) & model_registry_enabled }.policy do
+ enable :write_model_registry
+ end
+
 rule { model_experiments_enabled }.policy do
 enable :read_model_experiments
 end
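Review bot: The comment `# If this project is public or internal we want to prevent all aside from a few public policies` overstates what the rule beneath it does: it prevents only the access-level abilities (`guest_access` through `owner_access`), and only while `restrict_job_token_enabled` holds, so with the feature flag off a job token from a project outside the allowlist keeps today's public-visitor access on public and internal projects. Suggested wording: `# Public/internal project, job token from outside the allowlist, restrict_ci_job_token_for_public_and_internal_projects enabled: drop the access-level abilities and re-enable only the per-feature reads below.` Of the per-feature rules, only `job_token_package_registry` re-enables `read_project`; if the release or environment endpoints also check `read_project`, the `job_token_releases` and `job_token_environments` rules alone would not be sufficient, which is worth confirming against the API layer. The enclosing class continues outside the hunk.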
@@ -1007,6 +1067,20 @@ class ProjectPolicy < BasePolicy
 end
 end
+ def job_token_access_allowed_to?(feature)
+ return false unless @user&.from_ci_job_token?
+ return false unless project.project_feature
+
+ case project.project_feature.access_level(feature)
+ when ProjectFeature::DISABLED
+ false
+ when ProjectFeature::PRIVATE
+ @user.ci_job_token_scope.accessible?(project)
+ else
+ true
+ end
+ end
+
 def resource_access_token_feature_available?
 true
 end
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2fd198b8cf4..04fbc8467c9 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -29,6 +29,7 @@ class UserPolicy < BasePolicy
 enable :read_user_personal_access_tokens
 enable :read_group_count
 enable :read_user_groups
+ enable :read_user_organizations
 enable :read_saved_replies
 enable :read_user_email_address
 enable :admin_user_email_address |
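Review bot: `job_token_access_allowed_to?` treats every access level other than `ProjectFeature::DISABLED` and `ProjectFeature::PRIVATE` as allowed through the `else` branch, so an unexpected level value, or a nil returned by `access_level` for a feature the project_feature row does not know, grants access by default. An authorization helper is safer enumerating the permitted levels and failing closed: `when ProjectFeature::ENABLED, ProjectFeature::PUBLIC then true` followed by `else false`. A short comment above the method stating that it applies only to CI job-token actors and returns false when the project has no feature data would also help, since the `@user&.from_ci_job_token?` guard is currently the only hint. The enclosing class continues outside the hunk.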