From 0c872e02b2c822e3397515ec324051ff540f0cd5 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Tue, 20 Dec 2022 14:22:11 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-7-stable-ee
---
 app/policies/base_policy.rb | 11 +++--
 app/policies/ci/freeze_period_policy.rb | 2 +-
 .../ci/pipeline_schedule_variable_policy.rb | 7 +++
 .../commit_signatures/ssh_signature_policy.rb | 7 +++
 app/policies/concerns/archived_abilities.rb | 53 ++++++++++++++++++++++
 app/policies/concerns/readonly_abilities.rb | 53 ----------------------
 app/policies/group_member_policy.rb | 2 +-
 app/policies/group_policy.rb | 5 +-
 app/policies/issue_policy.rb | 19 +++++++-
 app/policies/merge_request_policy.rb | 14 +++++-
 app/policies/namespaces/user_namespace_policy.rb | 3 ++
 app/policies/note_policy.rb | 8 ++++
 app/policies/project_member_policy.rb | 2 +-
 app/policies/project_policy.rb | 35 ++++----------
 14 files changed, 132 insertions(+), 89 deletions(-)
 create mode 100644 app/policies/ci/pipeline_schedule_variable_policy.rb
 create mode 100644 app/policies/commit_signatures/ssh_signature_policy.rb
 create mode 100644 app/policies/concerns/archived_abilities.rb
 delete mode 100644 app/policies/concerns/readonly_abilities.rb
(limited to 'app/policies')
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index f8e7a912896..1ce866bd910 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -19,6 +19,14 @@ class BasePolicy < DeclarativePolicy::Base
 with_options scope: :user, score: 0
 condition(:deactivated) { @user&.deactivated? }
+ desc "User is bot"
+ with_options scope: :user, score: 0
+ condition(:bot) { @user&.bot? }
+
+ desc "User is alert bot"
+ with_options scope: :user, score: 0
+ condition(:alert_bot) { @user&.alert_bot? }
+
 desc "User is support bot"
 with_options scope: :user, score: 0
 condition(:support_bot) { @user&.support_bot? }
@@ -50,9 +58,6 @@ class BasePolicy < DeclarativePolicy::Base
 ::Gitlab::ExternalAuthorization.perform_check?
 end
- with_options scope: :user, score: 0
- condition(:alert_bot) { @user&.alert_bot? }
-
 rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do
 prevent :read_cross_project
 end
diff --git a/app/policies/ci/freeze_period_policy.rb b/app/policies/ci/freeze_period_policy.rb
index 60e53a7b2f9..9e2cca5e5a2 100644
--- a/app/policies/ci/freeze_period_policy.rb
+++ b/app/policies/ci/freeze_period_policy.rb
@@ -2,6 +2,6 @@
 module Ci
 class FreezePeriodPolicy < BasePolicy
- delegate { @subject.resource_parent }
+ delegate { @subject.project }
 end
 end
diff --git a/app/policies/ci/pipeline_schedule_variable_policy.rb b/app/policies/ci/pipeline_schedule_variable_policy.rb
new file mode 100644
index 00000000000..dbbf9221e77
--- /dev/null
+++ b/app/policies/ci/pipeline_schedule_variable_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class PipelineScheduleVariablePolicy < BasePolicy
+ delegate :pipeline_schedule
+ end
+end
diff --git a/app/policies/commit_signatures/ssh_signature_policy.rb b/app/policies/commit_signatures/ssh_signature_policy.rb
new file mode 100644
index 00000000000..34c8f123029
--- /dev/null
+++ b/app/policies/commit_signatures/ssh_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class SshSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/concerns/archived_abilities.rb b/app/policies/concerns/archived_abilities.rb
new file mode 100644
index 00000000000..b4dfad599c7
--- /dev/null
+++ b/app/policies/concerns/archived_abilities.rb
@@ -0,0 +1,53 @@
+# frozen_string_literal: true
+
+module ArchivedAbilities
+ extend ActiveSupport::Concern
+
+ ARCHIVED_ABILITIES = %i[
+ admin_tag
+ push_code
+ push_to_delete_protected_branch
+ request_access
+ upload_file
+ resolve_note
+ create_merge_request_from
+ create_merge_request_in
+ award_emoji
+ create_incident
+ ].freeze
+
+ ARCHIVED_FEATURES = %i[
+ issue
+ issue_board_list
+ merge_request
+ label
+ milestone
+ snippet
+ wiki
+ design
+ note
+ pipeline
+ pipeline_schedule
+ build
+ trigger
+ environment
+ deployment
+ commit_status
+ container_image
+ pages
+ cluster
+ release
+ ].freeze
+
+ class_methods do
+ def archived_abilities
+ ARCHIVED_ABILITIES
+ end
+
+ def archived_features
+ ARCHIVED_FEATURES
+ end
+ end
+end
+
+ArchivedAbilities::ClassMethods.prepend_mod_with('ArchivedAbilities::ClassMethods')
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
deleted file mode 100644
index 300f17088b7..00000000000
--- a/app/policies/concerns/readonly_abilities.rb
+++ /dev/null
@@ -1,53 +0,0 @@
-# frozen_string_literal: true
-
-module ReadonlyAbilities
- extend ActiveSupport::Concern
-
- READONLY_ABILITIES = %i[
- admin_tag
- push_code
- push_to_delete_protected_branch
- request_access
- upload_file
- resolve_note
- create_merge_request_from
- create_merge_request_in
- award_emoji
- create_incident
- ].freeze
-
- READONLY_FEATURES = %i[
- issue
- issue_board_list
- merge_request
- label
- milestone
- snippet
- wiki
- design
- note
- pipeline
- pipeline_schedule
- build
- trigger
- environment
- deployment
- commit_status
- container_image
- pages
- cluster
- release
- ].freeze
-
- class_methods do
- def readonly_abilities
- READONLY_ABILITIES
- end
-
- def readonly_features
- READONLY_FEATURES
- end
- end
-end
-
-ReadonlyAbilities::ClassMethods.prepend_mod_with('ReadonlyAbilities::ClassMethods')
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f61f758a8e8..78ab9fc750b 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -6,7 +6,7 @@ class GroupMemberPolicy < BasePolicy
 delegate :group
 with_scope :subject
- condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }
+ condition(:last_owner) { @subject.last_owner_of_the_group? }
 condition(:project_bot) { @subject.user&.project_bot? && @subject.group.member?(@subject.user) }
 desc "Membership is users' own"
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 806c57bab74..858c145de3f 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -83,8 +83,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_scope :subject
 condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
- condition(:group_runner_registration_allowed, scope: :global) do
- Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ condition(:group_runner_registration_allowed, scope: :subject) do
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
 end
 rule { can?(:read_group) & design_management_enabled }.policy do
@@ -193,6 +193,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :admin_group_member
 enable :change_visibility_level
+ enable :read_usage_quotas
 enable :read_group_runners
 enable :admin_group_runners
 enable :register_group_runners
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 87db228a698..491eebe9daf 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
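Review bot: The rewritten `last_owner` condition drops the explicit `member_last_blocked_owner?` branch in favour of `@subject.last_owner_of_the_group?`, whose definition is outside this diff, so the hunk alone cannot show that a blocked last owner is still treated as the last owner. Since this condition is what stops a group from being left without an owner, the line deserves a pointer for the next reader: `# must also treat a blocked last owner as the last owner; see the model's last_owner_of_the_group?`. If the model method does not cover that case, this is an authorization regression rather than a refactor.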
@@ -9,7 +9,7 @@ class IssuePolicy < IssuablePolicy
 desc "User can read confidential issues"
 condition(:can_read_confidential) do
- @user && IssueCollection.new([@subject]).visible_to(@user).any?
+ @user && (@user.admin? || can?(:reporter_access) || assignee_or_author?) # rubocop:disable Cop/UserAdmin
 end
 desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
@@ -27,6 +27,23 @@ class IssuePolicy < IssuablePolicy
 desc "Issue is persisted"
 condition(:persisted, scope: :subject) { @subject.persisted? }
+ # accessing notes requires the notes widget to be available for work items(or issue)
+ condition(:notes_widget_enabled, scope: :subject) do
+ @subject.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
+ rule { ~notes_widget_enabled }.policy do
+ prevent :create_note
+ prevent :read_note
+ prevent :read_internal_note
+ prevent :set_note_created_at
+ prevent :mark_note_as_confidential
+ # these actions on notes are not available on issues/work items yet,
+ # but preventing any action on work item notes as long as there is no notes widget seems reasonable
+ prevent :resolve_note
+ prevent :reposition_note
+ end
+
 rule { confidential & ~can_read_confidential }.policy do
 prevent(*create_read_update_admin_destroy(:issue))
 prevent :read_issue_iid
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index bda327cb661..1759cf057e4 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -1,6 +1,8 @@
 # frozen_string_literal: true
 class MergeRequestPolicy < IssuablePolicy
+ condition(:can_approve) { can_approve? }
+
 rule { locked }.policy do
 prevent :reopen_merge_request
 end
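Review bot: The new `can_read_confidential` condition reads `@user.admin?` directly, which holds for any administrator regardless of admin mode, and the `rubocop:disable Cop/UserAdmin` marker shows this bypass of the cop's check is deliberate. Elsewhere in this same patch the admin-mode-aware form is used instead (`admin?` inside `can_read_confidential` in note_policy.rb, `owner | admin` in user_namespace_policy.rb), so the line needs either a comment stating why admin mode is intentionally not required for confidential issues, or the condition written as `@user && (admin? || can?(:reporter_access) || assignee_or_author?)`. If the replaced `IssueCollection#visible_to` path gated administrators on admin mode, the new line widens who can read confidential issues; that cannot be confirmed from the hunk. `assignee_or_author?` is defined outside the hunk.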
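Review bot: `@subject.work_item_type.widgets` in the new `notes_widget_enabled` condition raises `NoMethodError` if `work_item_type` is ever nil, turning a permission check into an exception rather than a denial; the parallel condition added to note_policy.rb guards with `respond_to?(:work_item_type)` but has the same gap once that method returns nil. If `work_item_type` is guaranteed to be set, a comment saying so (`# work_item_type is always present; nil here is a data bug`) is enough, otherwise decide explicitly whether a missing type means notes are enabled or prevented. The comment above the condition also reads awkwardly (`for work items(or issue)`); `for work items (and issues)` is clearer.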
@@ -14,10 +16,14 @@ class MergeRequestPolicy < IssuablePolicy
 prevent :accept_merge_request
 end
- rule { can?(:update_merge_request) & is_project_member }.policy do
+ rule { can_approve }.policy do
 enable :approve_merge_request
 end
+ rule { can?(:approve_merge_request) & bot }.policy do
+ enable :reset_merge_request_approvals
+ end
+
 rule { ~anonymous & can?(:read_merge_request) }.policy do
 enable :create_todo
 enable :update_subscription
@@ -32,6 +38,12 @@ class MergeRequestPolicy < IssuablePolicy
 rule { can?(:admin_merge_request) }.policy do
 enable :set_merge_request_metadata
 end
+
+ private
+
+ def can_approve?
+ can?(:update_merge_request) && is_project_member?
+ end
 end
 MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 89158578ac1..1deeae8241f 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -5,6 +5,7 @@ module Namespaces
 rule { anonymous }.prevent_all
 condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
+ condition(:bot_user_namespace) { @subject.bot_user_namespace? }
 condition(:owner) { @subject.owner == @user }
 rule { owner | admin }.policy do
@@ -21,6 +22,8 @@ module Namespaces
 rule { ~can_create_personal_project }.prevent :create_projects
+ rule { bot_user_namespace }.prevent :create_projects
+
 rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
 end
 end
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 67b57595beb..9fd95bbe42d 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
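Review bot: `rule { can?(:approve_merge_request) & bot }` grants `reset_merge_request_approvals` to every user for which the new BasePolicy `bot` condition (`@user&.bot?`, added in this patch) holds, which presumably includes bot types such as `project_bot` (referenced in group_member_policy.rb) and not only an internal automation user. Because resetting approvals changes the outcome of a review gate, the rule should state the intended actor: `# any User#bot? type (not only internal bots) may reset approvals; confirm this breadth is intended`. If a narrower bot condition exists for the intended caller, prefer it over the generic `bot`. The enclosing policy class continues outside the hunk.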
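Review bot: The new `bot_user_namespace` condition in user_namespace_policy.rb reads only `@subject` but declares no scope, while the neighbouring `can_create_personal_project` declares `scope: :user`; for a subject-only predicate the consistent form is `condition(:bot_user_namespace, scope: :subject) { @subject.bot_user_namespace? }`, so the result can be cached by subject alone. This is style rather than a behaviour change; the same hunk's `owner` condition legitimately has no scope because it reads both `@subject` and `@user`.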
@@ -20,12 +20,20 @@ class NotePolicy < BasePolicy
 condition(:confidential, scope: :subject) { @subject.confidential? }
+ # if noteable is a work item it needs to check the notes widget availability
+ condition(:notes_widget_enabled, scope: :subject) do
+ !@subject.noteable.respond_to?(:work_item_type) ||
+ @subject.noteable.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
 # Should be matched with IssuablePolicy#read_internal_note
 # and EpicPolicy#read_internal_note
 condition(:can_read_confidential) do
 access_level >= Gitlab::Access::REPORTER || admin?
 end
+ rule { ~notes_widget_enabled }.prevent_all
+
 rule { ~editable }.prevent :admin_note
 # If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index bcfc7c87d41..ace74dca448 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -5,7 +5,7 @@ class ProjectMemberPolicy < BasePolicy
 delegate { @subject.project }
 condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do
- @subject.project.personal_namespace_holder?(@subject.user)
+ @subject.holder_of_the_personal_namespace?
 end
 desc "Membership is users' own access request"
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bfeb1a602ab..7f67e80e432 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -2,7 +2,7 @@
 class ProjectPolicy < BasePolicy
 include CrudPolicyHelpers
- include ReadonlyAbilities
+ include ArchivedAbilities
 desc "Project has public builds enabled"
 condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
@@ -121,7 +121,7 @@ class ProjectPolicy < BasePolicy
 desc "If user is authenticated via CI job token then the target project should be in scope"
 condition(:project_allowed_for_job_token) do
- !@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
+ !@user&.from_ci_job_token? || @user.ci_job_token_scope.allows?(project)
 end
 with_scope :subject
@@ -369,29 +369,12 @@ class ProjectPolicy < BasePolicy
 prevent(:metrics_dashboard)
 end
- condition(:split_operations_visibility_permissions) do
- ::Feature.enabled?(:split_operations_visibility_permissions, @subject)
- end
-
- rule { ~split_operations_visibility_permissions & operations_disabled }.policy do
- prevent(*create_read_update_admin_destroy(:feature_flag))
- prevent(*create_read_update_admin_destroy(:environment))
- prevent(*create_read_update_admin_destroy(:sentry_issue))
- prevent(*create_read_update_admin_destroy(:alert_management_alert))
- prevent(*create_read_update_admin_destroy(:cluster))
- prevent(*create_read_update_admin_destroy(:terraform_state))
- prevent(*create_read_update_admin_destroy(:deployment))
- prevent(:metrics_dashboard)
- prevent(:read_pod_logs)
- prevent(:read_prometheus)
- end
-
- rule { split_operations_visibility_permissions & environments_disabled }.policy do
+ rule { environments_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:environment))
 prevent(*create_read_update_admin_destroy(:deployment))
 end
- rule { split_operations_visibility_permissions & feature_flags_disabled }.policy do
+ rule { feature_flags_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:feature_flag))
 prevent(:admin_feature_flags_user_lists)
 prevent(:admin_feature_flags_client)
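Review bot: The removed `operations_disabled` rule prevented `read_prometheus` together with the other operations abilities, but `read_prometheus` does not reappear in any of the replacement rules visible in this diff: `environments_disabled` and `feature_flags_disabled` here, and `monitor_disabled` and `infrastructure_disabled` in the following hunk, which is cut off after `prevent(:read_pod_logs)` and may continue past the hunk. Please confirm that `read_prometheus` is still prevented when the corresponding feature is disabled, and if not add `prevent(:read_prometheus)` to the appropriate rule (presumably `monitor_disabled`, next to `metrics_dashboard`). Dropping the flag otherwise makes the per-feature rules unconditional, which is the behaviour that previously applied only with `split_operations_visibility_permissions` enabled.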
@@ -401,13 +384,13 @@ class ProjectPolicy < BasePolicy
 prevent(*create_read_update_admin_destroy(:release))
 end
- rule { split_operations_visibility_permissions & monitor_disabled }.policy do
+ rule { monitor_disabled }.policy do
 prevent(:metrics_dashboard)
 prevent(*create_read_update_admin_destroy(:sentry_issue))
 prevent(*create_read_update_admin_destroy(:alert_management_alert))
 end
- rule { split_operations_visibility_permissions & infrastructure_disabled }.policy do
+ rule { infrastructure_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:terraform_state))
 prevent(*create_read_update_admin_destroy(:cluster))
 prevent(:read_pod_logs)
@@ -552,15 +535,15 @@ class ProjectPolicy < BasePolicy
 rule { can?(:push_code) }.enable :admin_tag
 rule { archived }.policy do
- prevent(*readonly_abilities)
+ prevent(*archived_abilities)
- readonly_features.each do |feature|
+ archived_features.each do |feature|
 prevent(*create_update_admin(feature))
 end
 end
 rule { archived & ~pending_delete }.policy do
- readonly_features.each do |feature|
+ archived_features.each do |feature|
 prevent(:"destroy_#{feature}")
 end
 end
-- 
cgit v1.2.3