From 0653e08efd039a5905f3fa4f6e9cef9f5d2f799c Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Mon, 20 Sep 2021 13:18:24 +0000 Subject: Add latest changes from gitlab-org/gitlab@14-3-stable-ee --- app/policies/ci/runner_policy.rb | 6 +++--- app/policies/custom_emoji_policy.rb | 10 ++++++++++ app/policies/customer_relations/contact_policy.rb | 6 ++++++ app/policies/customer_relations/organization_policy.rb | 6 ++++++ app/policies/dependency_proxy/blob_policy.rb | 6 ++++++ app/policies/dependency_proxy/group_setting_policy.rb | 6 ++++++ .../dependency_proxy/image_ttl_group_policy_policy.rb | 6 ++++++ app/policies/dependency_proxy/manifest_policy.rb | 6 ++++++ app/policies/group_policy.rb | 15 +++++++++++++-- app/policies/issue_policy.rb | 8 ++++++++ app/policies/user_policy.rb | 1 + 11 files changed, 71 insertions(+), 5 deletions(-) create mode 100644 app/policies/customer_relations/contact_policy.rb create mode 100644 app/policies/customer_relations/organization_policy.rb create mode 100644 app/policies/dependency_proxy/blob_policy.rb create mode 100644 app/policies/dependency_proxy/group_setting_policy.rb create mode 100644 app/policies/dependency_proxy/image_ttl_group_policy_policy.rb create mode 100644 app/policies/dependency_proxy/manifest_policy.rb (limited to 'app/policies') diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb index de76b7b2b5b..43478cf36c2 100644 --- a/app/policies/ci/runner_policy.rb +++ b/app/policies/ci/runner_policy.rb @@ -5,9 +5,9 @@ module Ci with_options scope: :subject, score: 0 condition(:locked, scope: :subject) { @subject.locked? } - # rubocop: disable CodeReuse/ActiveRecord - condition(:owned_runner) { @user.ci_owned_runners.exists?(@subject.id) } - # rubocop: enable CodeReuse/ActiveRecord + condition(:owned_runner) do + @user.owns_runner?(@subject) + end rule { anonymous }.prevent_all 
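Review bot: The `owned_runner` condition in `Ci::RunnerPolicy` now rests entirely on `User#owns_runner?`, which is defined outside this diff, so nothing here confirms it covers the same runners as the removed `@user.ci_owned_runners.exists?(@subject.id)` query. Because this condition decides who may manage a runner, a comment above it would record where the ownership semantics live, for example `# Ownership is decided by User#owns_runner?; keep its spec in step with this policy.`. It is also worth confirming that the helper issues an existence check rather than loading the whole runner collection. The policy class continues outside the hunk.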
diff --git a/app/policies/custom_emoji_policy.rb b/app/policies/custom_emoji_policy.rb index ba73b9a3782..98d1ab737ee 100644 --- a/app/policies/custom_emoji_policy.rb +++ b/app/policies/custom_emoji_policy.rb @@ -2,4 +2,14 @@ class CustomEmojiPolicy < BasePolicy delegate { @subject.group } + + condition(:author) { @subject.creator == @user } + + rule { can?(:maintainer_access) }.policy do + enable :delete_custom_emoji + end + + rule { author & can?(:create_custom_emoji) }.policy do + enable :delete_custom_emoji + end end diff --git a/app/policies/customer_relations/contact_policy.rb b/app/policies/customer_relations/contact_policy.rb new file mode 100644 index 00000000000..8367649b50c --- /dev/null +++ b/app/policies/customer_relations/contact_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module CustomerRelations + class ContactPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/customer_relations/organization_policy.rb b/app/policies/customer_relations/organization_policy.rb new file mode 100644 index 00000000000..7bf8d6ff4cb --- /dev/null +++ b/app/policies/customer_relations/organization_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module CustomerRelations + class OrganizationPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/dependency_proxy/blob_policy.rb b/app/policies/dependency_proxy/blob_policy.rb new file mode 100644 index 00000000000..42e023952d0 --- /dev/null +++ b/app/policies/dependency_proxy/blob_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module DependencyProxy + class BlobPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/dependency_proxy/group_setting_policy.rb b/app/policies/dependency_proxy/group_setting_policy.rb new file mode 100644 index 00000000000..71de3cf93bd --- /dev/null +++ b/app/policies/dependency_proxy/group_setting_policy.rb 
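Review bot: The new `author` condition in `CustomEmojiPolicy` compares `@subject.creator == @user` without checking that a user is present, so it is true when both sides are nil (an anonymous request against an emoji whose creator is no longer set). The second rule also requires `can?(:create_custom_emoji)`, which presumably keeps anonymous users out, but the condition is safer standing alone as `condition(:author) { @user.present? && @subject.creator == @user }`. The two rules enable the same ability and could be written as one: `rule { can?(:maintainer_access) | (author & can?(:create_custom_emoji)) }.enable :delete_custom_emoji`.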
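Review bot: `CustomerRelations::ContactPolicy` defines no rules of its own, so every ability checked on a contact is answered by the owning group's policy through `delegate { @subject.group }`, and nothing in the file says so. A class comment such as `# No rules of its own: every ability is answered by the group's policy.` would stop a later reader from assuming object-level checks exist. The same applies to the other files created in this commit: `OrganizationPolicy` and the `DependencyProxy` policies `BlobPolicy`, `GroupSettingPolicy`, `ImageTtlGroupPolicyPolicy` and `ManifestPolicy`. Each of these six-line files also places `module …` directly after `# frozen_string_literal: true`; a blank line between them is the usual Ruby layout.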
@@ -0,0 +1,6 @@ +# frozen_string_literal: true +module DependencyProxy + class GroupSettingPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb b/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb new file mode 100644 index 00000000000..cf7e1ded137 --- /dev/null +++ b/app/policies/dependency_proxy/image_ttl_group_policy_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module DependencyProxy + class ImageTtlGroupPolicyPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/dependency_proxy/manifest_policy.rb b/app/policies/dependency_proxy/manifest_policy.rb new file mode 100644 index 00000000000..f2e91e45327 --- /dev/null +++ b/app/policies/dependency_proxy/manifest_policy.rb @@ -0,0 +1,6 @@ +# frozen_string_literal: true +module DependencyProxy + class ManifestPolicy < BasePolicy + delegate { @subject.group } + end +end diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 1d0aa54c1c0..7abffd2c352 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -89,6 +89,7 @@ class GroupPolicy < BasePolicy rule { guest }.policy do enable :read_group enable :upload_file + enable :guest_access end rule { admin }.policy do @@ -111,8 +112,13 @@ class GroupPolicy < BasePolicy enable :read_issue_board enable :read_group_member enable :read_custom_emoji + enable :read_counts + enable :read_organization + enable :read_contact end + rule { ~public_group & ~has_access }.prevent :read_counts + rule { ~can?(:read_group) }.policy do prevent :read_design_activity end @@ -127,6 +133,7 @@ class GroupPolicy < BasePolicy enable :create_custom_emoji enable :create_package enable :create_package_settings + enable :developer_access end rule { reporter }.policy do 
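Review bot: The role-marker abilities are incomplete as far as this diff shows: `:guest_access` is added in the `rule { guest }` hunk, and `:developer_access`, `:maintainer_access` and `:owner_access` in later hunks of `group_policy.rb`, but the `rule { reporter }` hunk gains only `:admin_organization` and no `:reporter_access`. If that marker is not enabled elsewhere in the file, any `can?(:reporter_access)` check would always be false; adding `enable :reporter_access` to the reporter block would complete the set. A comment on the first marker, e.g. `# Role markers: let delegating policies test the member's level via can?(...)`, would explain why these abilities guard no action of their own.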
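Review bot: In the `@@ -111` hunk, `:read_organization` and `:read_contact` are enabled in the same block as `:read_counts`, yet only `:read_counts` gets the follow-up `rule { ~public_group & ~has_access }.prevent`. The condition of the enclosing rule starts outside the hunk; if it is as broad as being able to read the group, then anyone who can view a public group could also read its customer contacts and organizations, which are likely to contain personal data. Consider enabling the two abilities under a member-level rule instead, or adding a rule that prevents `:read_organization` and `:read_contact` whenever `~has_access` holds, regardless of group visibility.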
@@ -140,6 +147,7 @@ class GroupPolicy < BasePolicy enable :read_prometheus enable :read_package enable :read_package_settings + enable :admin_organization end rule { maintainer }.policy do @@ -155,6 +163,7 @@ class GroupPolicy < BasePolicy enable :read_deploy_token enable :create_jira_connect_subscription enable :update_runners_registration_token + enable :maintainer_access end rule { owner }.policy do @@ -170,6 +179,7 @@ class GroupPolicy < BasePolicy enable :update_default_branch_protection enable :create_deploy_token enable :destroy_deploy_token + enable :owner_access end rule { can?(:read_nested_project_resources) }.policy do @@ -223,8 +233,9 @@ class GroupPolicy < BasePolicy rule { dependency_proxy_access_allowed & dependency_proxy_available } .enable :read_dependency_proxy - rule { developer & dependency_proxy_available } - .enable :admin_dependency_proxy + rule { developer & dependency_proxy_available }.policy do + enable :admin_dependency_proxy + end rule { can?(:admin_group) & resource_access_token_feature_available }.policy do enable :read_resource_access_tokens diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index 74bed6b6c4e..575e532c615 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb @@ -69,6 +69,14 @@ class IssuePolicy < IssuablePolicy rule { persisted & can?(:admin_issue) }.policy do enable :set_issue_metadata end + + rule { can?(:set_issue_metadata) }.policy do + enable :set_confidentiality + end + + rule { ~persisted & can?(:create_issue) }.policy do + enable :set_confidentiality + end end IssuePolicy.prepend_mod_with('IssuePolicy') diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb index 067f0f6a9d2..018c061af9f 100644 --- a/app/policies/user_policy.rb +++ b/app/policies/user_policy.rb 
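Review bot: In `IssuePolicy`, the rule `~persisted & can?(:create_issue)` lets anyone who may create an issue set confidentiality on a new one, while an existing issue needs `:set_issue_metadata`; nothing in the hunk explains that asymmetry. A comment above the rule would record the intent, e.g. `# Creators may mark a new issue confidential; changing it later requires admin_issue.`. The two rules enable the same ability and could be merged into `rule { can?(:set_issue_metadata) | (~persisted & can?(:create_issue)) }.enable :set_confidentiality`. Whether the create and update paths actually check `:set_confidentiality` is outside this diff and worth confirming, since an ability that no caller checks protects nothing. The class body begins outside the hunk.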
@@ -25,6 +25,7 @@ class UserPolicy < BasePolicy enable :update_user_status enable :read_user_personal_access_tokens enable :read_group_count + enable :read_user_groups end rule { default }.enable :read_user_profile -- cgit v1.2.3