Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/abuse_report_policy.rb1
-rw-r--r--app/policies/analytics/cycle_analytics/value_stream_policy.rb9
-rw-r--r--app/policies/base_policy.rb2
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/ci/deployable_policy.rb5
-rw-r--r--app/policies/ci/pipeline_policy.rb6
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/container_registry/protection/rule_policy.rb9
-rw-r--r--app/policies/global_policy.rb4
-rw-r--r--app/policies/group_group_link_policy.rb8
-rw-r--r--app/policies/group_policy.rb1
-rw-r--r--app/policies/issue_policy.rb5
-rw-r--r--app/policies/namespaces/group_project_namespace_shared_policy.rb1
-rw-r--r--app/policies/project_group_link_policy.rb4
-rw-r--r--app/policies/project_import_state_policy.rb5
-rw-r--r--app/policies/project_policy.rb88
-rw-r--r--app/policies/user_policy.rb1
17 files changed, 136 insertions, 19 deletions
diff --git a/app/policies/abuse_report_policy.rb b/app/policies/abuse_report_policy.rb
index f1f994e6a42..043dbd0cb89 100644
--- a/app/policies/abuse_report_policy.rb
+++ b/app/policies/abuse_report_policy.rb
@@ -3,5 +3,6 @@
class AbuseReportPolicy < ::BasePolicy
rule { admin }.policy do
enable :read_abuse_report
+ enable :create_note
end
end
diff --git a/app/policies/analytics/cycle_analytics/value_stream_policy.rb b/app/policies/analytics/cycle_analytics/value_stream_policy.rb
new file mode 100644
index 00000000000..7e236f94e91
--- /dev/null
+++ b/app/policies/analytics/cycle_analytics/value_stream_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Analytics
+ module CycleAnalytics
+ class ValueStreamPolicy < ::BasePolicy
+ delegate { subject.namespace }
+ end
+ end
+end
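Review bot: `delegate { subject.namespace }` on the fourth line of the new file uses the `subject` reader while the other policies added in this commit (ContainerRegistry::Protection::RulePolicy, ProjectImportStatePolicy) write `@subject`; both name the same object, but one spelling per commit keeps the policies grep-able. A one-line comment stating what the delegation means would also help a reader who does not know DeclarativePolicy, e.g. `# Every ability on a value stream is decided by the policy of its owning namespace.`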
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1ec2495a661..462afbaa475 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -37,7 +37,7 @@ class BasePolicy < DeclarativePolicy::Base
desc "User is security policy bot"
with_options scope: :user, score: 0
- condition(:security_policy_bot) { @user&.security_policy_bot? }
+ condition(:security_policy_bot) { false }
desc "User is automation bot"
with_options scope: :user, score: 0
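Review bot: The `security_policy_bot` condition on the fourth hunk line now returns a constant `false` but keeps the description "User is security policy bot", so a reader will assume a check still happens. With the `security_policy_bot?` actor method (policy_actor.rb), the `access_git` rule (global_policy.rb) and the project-level condition (first hunk of project_policy.rb) all deleted in this commit, the only plausible purpose of the stub is to be overridden elsewhere; say so next to it, e.g. `# Always false here; meant to be overridden by an edition that knows about the bot (confirm).` If nothing overrides it, the condition and its desc can go as well.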
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index bce7ceafe17..71ea42e1f23 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -81,6 +81,7 @@ module Ci
end
rule { ~can?(:jailbreak) & (archived | protected_ref) }.policy do
+ prevent :cancel_build
prevent :update_build
prevent :erase_build
end
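Review bot: `cancel_build` becomes an ability distinct from `update_build` here, but only the two rules visible in the two hunks of this file (the `archived | protected_ref` prevent and the `public_access & branch_allows_collaboration` enable) were updated; any other rule in Ci::BuildPolicy that prevents or enables `update_build` outside these hunks should be checked so a build the user may not update cannot still be cancelled. The same split is applied in deployable_policy.rb, pipeline_policy.rb and project_policy.rb and looks complete there for the rules shown. Both rules here sit in a policy body that starts and ends outside the hunk.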
@@ -88,6 +89,7 @@ module Ci
rule { can?(:admin_build) | (can?(:update_build) & owner_of_job & unprotected_ref) }.enable :erase_build
rule { can?(:public_access) & branch_allows_collaboration }.policy do
+ enable :cancel_build
enable :update_build
enable :update_commit_status
end
diff --git a/app/policies/ci/deployable_policy.rb b/app/policies/ci/deployable_policy.rb
index f0105b001f2..e83bdd5361a 100644
--- a/app/policies/ci/deployable_policy.rb
+++ b/app/policies/ci/deployable_policy.rb
@@ -11,7 +11,10 @@ module Ci
@subject.outdated_deployment?
end
- rule { outdated_deployment }.prevent :update_build
+ rule { outdated_deployment }.policy do
+ prevent :cancel_build
+ prevent :update_build
+ end
end
end
end
diff --git a/app/policies/ci/pipeline_policy.rb b/app/policies/ci/pipeline_policy.rb
index 1d60b1e79de..c01162a86df 100644
--- a/app/policies/ci/pipeline_policy.rb
+++ b/app/policies/ci/pipeline_policy.rb
@@ -27,10 +27,14 @@ module Ci
prevent :read_pipeline
end
- rule { protected_ref }.prevent :update_pipeline
+ rule { protected_ref }.policy do
+ prevent :update_pipeline
+ prevent :cancel_pipeline
+ end
rule { can?(:public_access) & branch_allows_collaboration }.policy do
enable :update_pipeline
+ enable :cancel_pipeline
end
rule { can?(:owner_access) }.policy do
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index e000f1514e5..8fa09683b06 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -53,10 +53,6 @@ module PolicyActor
false
end
- def security_policy_bot?
- false
- end
-
def automation_bot?
false
end
diff --git a/app/policies/container_registry/protection/rule_policy.rb b/app/policies/container_registry/protection/rule_policy.rb
new file mode 100644
index 00000000000..4dc8dba3276
--- /dev/null
+++ b/app/policies/container_registry/protection/rule_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module ContainerRegistry
+ module Protection
+ class RulePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+ end
+end
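Review bot: `class RulePolicy < BasePolicy` resolves the superclass lexically from inside `ContainerRegistry::Protection`, so a `ContainerRegistry::Protection::BasePolicy` or `ContainerRegistry::BasePolicy` introduced later would silently become the parent; the other policies added in this commit write `::BasePolicy`. Change the line to `class RulePolicy < ::BasePolicy`. A short comment that every ability on a protection rule is answered by the owning project's policy would also help.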
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 7594360a91c..175f86c9673 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -63,10 +63,6 @@ class GlobalPolicy < BasePolicy
prevent :access_git
end
- rule { security_policy_bot }.policy do
- enable :access_git
- end
-
rule { project_bot | service_account }.policy do
prevent :log_in
prevent :receive_notifications
diff --git a/app/policies/group_group_link_policy.rb b/app/policies/group_group_link_policy.rb
new file mode 100644
index 00000000000..0108f0b7fca
--- /dev/null
+++ b/app/policies/group_group_link_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+class GroupGroupLinkPolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ condition(:can_read_shared_with_group) { can?(:read_group, @subject.shared_with_group) }
+ condition(:group_member) { @subject.shared_group.member?(@user) }
+
+ rule { can_read_shared_with_group | group_member }.enable :read_shared_with_group
+end
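Review bot: Both conditions are declared without a `desc`, whereas conditions elsewhere in app/policies carry one (see `desc "User is security policy bot"` in base_policy.rb in this same commit), and the same applies to the two conditions added in project_group_link_policy.rb. Add e.g. `desc "User can read the group this link shares with"` above `can_read_shared_with_group` and `desc "User is a member of the shared group"` above `group_member`. `@subject.shared_group.member?(@user)` is also evaluated for anonymous visitors, where `@user` is nil; if `member?` does not reject nil itself (its implementation is not visible here), guard the call with `@user && @subject.shared_group.member?(@user)`.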
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 2ab59f5a34d..ca170133105 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -121,6 +121,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :upload_file
enable :guest_access
enable :read_release
+ enable :award_emoji
end
rule { admin }.policy do
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 6114785a851..683c53d8d78 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,7 +57,10 @@ class IssuePolicy < IssuablePolicy
prevent :read_issue
end
- rule { ~can?(:read_issue) }.prevent :create_note
+ rule { ~can?(:read_issue) }.policy do
+ prevent :create_note
+ prevent :read_note
+ end
rule { locked }.policy do
prevent :reopen_issue
diff --git a/app/policies/namespaces/group_project_namespace_shared_policy.rb b/app/policies/namespaces/group_project_namespace_shared_policy.rb
index b24cb5be607..81bb5d6289e 100644
--- a/app/policies/namespaces/group_project_namespace_shared_policy.rb
+++ b/app/policies/namespaces/group_project_namespace_shared_policy.rb
@@ -22,6 +22,7 @@ module Namespaces
enable :create_work_item
enable :read_work_item
enable :read_issue
+ enable :read_note
enable :read_namespace
enable :read_namespace_via_membership
end
diff --git a/app/policies/project_group_link_policy.rb b/app/policies/project_group_link_policy.rb
index 00bb246d70b..7ad2985ecc5 100644
--- a/app/policies/project_group_link_policy.rb
+++ b/app/policies/project_group_link_policy.rb
@@ -2,9 +2,13 @@
class ProjectGroupLinkPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
condition(:group_owner_or_project_admin) { group_owner? || project_admin? }
+ condition(:can_read_group) { can?(:read_group, @subject.group) }
+ condition(:project_member) { @subject.project.member?(@user) }
rule { group_owner_or_project_admin }.enable :admin_project_group_link
+ rule { can_read_group | project_member }.enable :read_shared_with_group
+
private
def group_owner?
diff --git a/app/policies/project_import_state_policy.rb b/app/policies/project_import_state_policy.rb
new file mode 100644
index 00000000000..c2cd03337b7
--- /dev/null
+++ b/app/policies/project_import_state_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ProjectImportStatePolicy < ::BasePolicy # rubocop:disable Gitlab/NamespacedClass -- required by DeclarativePolicy lookup logic
+ delegate { @subject.project }
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 20f88577d67..bbb0e3df500 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -38,9 +38,6 @@ class ProjectPolicy < BasePolicy
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && team_member? }
- desc "User is a security policy bot on the project"
- condition(:security_policy_bot) { user&.security_policy_bot? && team_member? }
-
desc "Project is public"
condition(:public_project, scope: :subject, score: 0) { project.public? }
@@ -136,6 +133,29 @@ class ProjectPolicy < BasePolicy
!@user&.from_ci_job_token? || @user.ci_job_token_scope.accessible?(project)
end
+ desc "If the user is via CI job token and project container registry visibility allows access"
+ condition(:job_token_container_registry) { job_token_access_allowed_to?(:container_registry) }
+
+ desc "If the user is via CI job token and project package registry visibility allows access"
+ condition(:job_token_package_registry) { job_token_access_allowed_to?(:package_registry) }
+
+ desc "If the user is via CI job token and project ci/cd visibility allows access"
+ condition(:job_token_builds) { job_token_access_allowed_to?(:builds) }
+
+ desc "If the user is via CI job token and project releases visibility allows access"
+ condition(:job_token_releases) { job_token_access_allowed_to?(:releases) }
+
+ desc "If the user is via CI job token and project environment visibility allows access"
+ condition(:job_token_environments) { job_token_access_allowed_to?(:environments) }
+
+ desc "If the project is either public or internal"
+ condition(:public_or_internal) do
+ project.public? || project.internal?
+ end
+
+ with_scope :subject
+ condition(:restrict_job_token_enabled) { Feature.enabled?(:restrict_ci_job_token_for_public_and_internal_projects, @subject) }
+
with_scope :subject
condition(:forking_allowed) do
@subject.feature_available?(:forking, @user)
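Review bot: `condition(:public_or_internal)` reads only `project` and therefore could be declared `scope: :subject, score: 0`, the way `public_project` is declared in the first hunk of this file; without the scope the result is cached per user/subject pair instead of once per project. Change the line to `condition(:public_or_internal, scope: :subject, score: 0) do`. The five `job_token_*` conditions depend on the current user's token and correctly keep the default scope.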
@@ -303,6 +323,8 @@ class ProjectPolicy < BasePolicy
enable :set_show_diff_preview_in_email
enable :set_warn_about_potentially_unwanted_characters
enable :manage_owners
+
+ enable :add_catalog_resource
end
rule { can?(:guest_access) }.policy do
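Review bot: `enable :add_catalog_resource` is moved into a rule whose header lies outside this hunk, while the rule `can?(:owner_access) & namespace_catalog_available` that previously granted it is deleted in the later hunk at `@@ -908,14 +968,14 @@`; the `namespace_catalog_available` requirement is therefore dropped rather than moved. If the ability is now meant to depend only on the enclosing rule's condition, a comment saying so stops the next reader from treating it as an oversight, e.g. `# Intentionally no longer gated on namespace_catalog_available`; otherwise the condition needs to be re-added to the enclosing rule or a new one.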
@@ -469,6 +491,7 @@ class ProjectPolicy < BasePolicy
enable :update_commit_status
enable :create_build
enable :update_build
+ enable :cancel_build
enable :read_resource_group
enable :update_resource_group
enable :create_merge_request_from
@@ -512,6 +535,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:developer_access) & user_confirmed? }.policy do
enable :create_pipeline
enable :update_pipeline
+ enable :cancel_pipeline
enable :create_pipeline_schedule
end
@@ -640,6 +664,7 @@ class ProjectPolicy < BasePolicy
rule { builds_disabled | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:build))
+ prevent :cancel_build
prevent(*create_read_update_admin_destroy(:pipeline_schedule))
prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:deployment))
@@ -652,6 +677,7 @@ class ProjectPolicy < BasePolicy
# - We prevent the user from accessing Pipelines
rule { (builds_disabled & ~internal_builds_disabled) | repository_disabled }.policy do
prevent(*create_read_update_admin_destroy(:pipeline))
+ prevent :cancel_pipeline
prevent(*create_read_update_admin_destroy(:commit_status))
end
@@ -679,8 +705,42 @@ class ProjectPolicy < BasePolicy
enable :read_project_for_iids
end
+ # If the project is private
rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
+ # If this project is public or internal we want to prevent all aside from a few public policies
+ rule { public_or_internal & ~project_allowed_for_job_token & restrict_job_token_enabled }.policy do
+ prevent :guest_access
+ prevent :public_access
+ prevent :public_user_access
+ prevent :reporter_access
+ prevent :developer_access
+ prevent :maintainer_access
+ prevent :owner_access
+ end
+
+ rule { public_or_internal & job_token_container_registry & restrict_job_token_enabled }.policy do
+ enable :build_read_container_image
+ enable :read_container_image
+ end
+
+ rule { public_or_internal & job_token_package_registry & restrict_job_token_enabled }.policy do
+ enable :read_package
+ enable :read_project
+ end
+
+ rule { public_or_internal & job_token_builds & restrict_job_token_enabled }.policy do
+ enable :read_commit_status # this is additionally needed to download artifacts
+ end
+
+ rule { public_or_internal & job_token_releases & restrict_job_token_enabled }.policy do
+ enable :read_release
+ end
+
+ rule { public_or_internal & job_token_environments & restrict_job_token_enabled }.policy do
+ enable :read_environment
+ end
+
rule { can?(:public_access) }.policy do
enable :read_package
enable :read_project
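Review bot: The comment `# If this project is public or internal we want to prevent all aside from a few public policies` overstates what the rule below it does: it prevents the seven access-level abilities so that rules keyed on `can?(:guest_access)` through `can?(:owner_access)` stop firing, and abilities enabled by rules not routed through an access level are unaffected. Reword it to state the mechanism, e.g. `# Public/internal project, token not in scope: drop every access level so only the job-token rules below grant anything (feature-flagged).` Also, the package-registry rule enables `read_project` alongside `read_package`, whereas the container-registry rule enables only the two image abilities; if reading a container image needs `read_project` as well, the two rules are inconsistent (worth confirming against the callers).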
@@ -908,14 +968,14 @@ class ProjectPolicy < BasePolicy
enable :read_namespace_catalog
end
- rule { can?(:owner_access) & namespace_catalog_available }.policy do
- enable :add_catalog_resource
- end
-
rule { model_registry_enabled }.policy do
enable :read_model_registry
end
+ rule { can?(:reporter_access) & model_registry_enabled }.policy do
+ enable :write_model_registry
+ end
+
rule { model_experiments_enabled }.policy do
enable :read_model_experiments
end
@@ -1007,6 +1067,20 @@ class ProjectPolicy < BasePolicy
end
end
+ def job_token_access_allowed_to?(feature)
+ return false unless @user&.from_ci_job_token?
+ return false unless project.project_feature
+
+ case project.project_feature.access_level(feature)
+ when ProjectFeature::DISABLED
+ false
+ when ProjectFeature::PRIVATE
+ @user.ci_job_token_scope.accessible?(project)
+ else
+ true
+ end
+ end
+
def resource_access_token_feature_available?
true
end
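Review bot: `job_token_access_allowed_to?` has no documentation and its `else` branch treats every access level other than DISABLED and PRIVATE — including any value added later — as allowed; fail closed instead by naming the permitted levels, `when ProjectFeature::ENABLED, ProjectFeature::PUBLIC` returning `true`, and `else` returning `false`. Add a header comment describing the contract: false unless the current user comes from a CI job token and the project has a project_feature, false when the feature is DISABLED, the job-token scope check when it is PRIVATE, true otherwise. Whether the method lands under `private` cannot be seen from the hunk; it is only referenced by the new conditions, so it should be private if the surrounding section is.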
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 2fd198b8cf4..04fbc8467c9 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -29,6 +29,7 @@ class UserPolicy < BasePolicy
enable :read_user_personal_access_tokens
enable :read_group_count
enable :read_user_groups
+ enable :read_user_organizations
enable :read_saved_replies
enable :read_user_email_address
enable :admin_user_email_address