From 0ea3fcec397b69815975647f5e2aa5fe944a8486 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 20 Jun 2022 11:10:13 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-1-stable-ee

---
 app/policies/group_policy.rb | 2 +-
 app/policies/issuable_policy.rb | 4 +++-
 app/policies/issue_policy.rb | 2 +-
 app/policies/packages/cleanup/policy_policy.rb | 9 +++++++++
 app/policies/project_policy.rb | 28 ++++++++++++++++++++------
 app/policies/work_item_policy.rb | 5 +++++
 6 files changed, 41 insertions(+), 9 deletions(-)
 create mode 100644 app/policies/packages/cleanup/policy_policy.rb
(limited to 'app/policies')

diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 9aae295aea7..6ca30ba5dab 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -76,7 +76,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 with_scope :subject
 condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
- condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
+ condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
 condition(:group_runner_registration_allowed) do
 Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 4e6df79773e..f1efcb25331 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -13,7 +13,9 @@ class IssuablePolicy < BasePolicy
 condition(:is_author) { @subject&.author == @user }
- rule { can?(:guest_access) & assignee_or_author }.policy do
+ condition(:is_incident) { @subject.incident? }
+
+ rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
 enable :read_issue
 enable :update_issue
 enable :reopen_issue
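Review bot: The new `is_incident` condition in issuable_policy.rb calls `@subject.incident?` without the safe navigation the neighbouring `is_author` condition uses (`@subject&.author`), and if IssuablePolicy is also the policy for non-issue subjects (its name and the `IssuePolicy < IssuablePolicy` header in the next file suggest so), a subject that lacks `incident?` would raise NoMethodError the first time the guest rule is evaluated instead of leaving the condition false; confirm every IssuablePolicy subject responds to it, or guard with `@subject.respond_to?(:incident?) && @subject.incident?`. The condition also has no `desc` and no `scope:` although it depends only on the subject; `desc "Issuable is an incident"` followed by `condition(:is_incident, scope: :subject) { @subject.incident? }` documents the intent and lets the result be cached per subject like `crm_enabled` in the previous hunk. The `policy do` block that `~is_incident` now gates continues past the end of the hunk.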
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index a341d1ef661..2b6dcc56fa0 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,7 +15,7 @@ class IssuePolicy < IssuablePolicy
 desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
 condition(:can_read_crm_contacts, scope: :subject) do
 subject.project.group&.crm_enabled? &&
- @user.can?(:read_crm_contact, @subject.project.root_ancestor)
+ (@user&.can?(:read_crm_contact, @subject.project.root_ancestor) || @user&.support_bot?)
 end
 desc "Issue is confidential"
diff --git a/app/policies/packages/cleanup/policy_policy.rb b/app/policies/packages/cleanup/policy_policy.rb
new file mode 100644
index 00000000000..6c2aacef174
--- /dev/null
+++ b/app/policies/packages/cleanup/policy_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Packages
+ module Cleanup
+ class PolicyPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7c439fe8b29..3bce26be756 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -4,12 +4,6 @@ class ProjectPolicy < BasePolicy
 include CrudPolicyHelpers
 include ReadonlyAbilities
- desc "User is a project owner"
- condition :owner do
- (project.owner.present? && project.owner == @user) ||
- project.group&.has_owner?(@user)
- end
-
 desc "Project has public builds enabled"
 condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
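Review bot: `can_read_crm_contacts` is declared `scope: :subject`, yet its new body depends on the user twice (`@user&.can?(...)` and `@user&.support_bot?`); if DeclarativePolicy caches subject-scoped conditions keyed on the subject alone, as the scope option implies, the first user evaluated against an issue could decide the outcome for a different user in the same request, so the scope should be dropped (the default) or the user-dependent part moved out of the condition. The `desc` above it still says only "user can read contacts in the root group" and no longer describes the support-bot path; `desc "Project belongs to a group, crm is enabled and user can read contacts in the root group or is the support bot"` would keep it accurate. Checking the cheap `@user&.support_bot?` before the `can?` call would also spare a nested policy evaluation for the bot. The condition's `end` is inside the hunk; the rest of the class is not visible here.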
@@ -30,6 +24,17 @@ class ProjectPolicy < BasePolicy
 desc "User has maintainer access"
 condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
+ desc "User has owner access"
+ condition :owner do
+ owner_of_personal_namespace = project.owner.present? && project.owner == @user
+
+ unless owner_of_personal_namespace
+ group_or_project_owner = team_access_level >= Gitlab::Access::OWNER
+ end
+
+ owner_of_personal_namespace || group_or_project_owner
+ end
+
 desc "User is a project bot"
 condition(:project_bot) { user.project_bot? && team_member? }
@@ -198,6 +203,10 @@ class ProjectPolicy < BasePolicy
 Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
 end
+ condition :registry_enabled do
+ Gitlab.config.registry.enabled
+ end
+
 # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
 # not.
 rule { guest | admin }.enable :read_project_for_iids
@@ -236,6 +245,7 @@ class ProjectPolicy < BasePolicy
 enable :set_warn_about_potentially_unwanted_characters
 enable :register_project_runners
+ enable :manage_owners
 end
 rule { can?(:guest_access) }.policy do
@@ -423,6 +433,7 @@ class ProjectPolicy < BasePolicy
 rule { can?(:maintainer_access) }.policy do
 enable :destroy_package
+ enable :admin_package
 enable :admin_issue_board
 enable :push_to_delete_protected_branch
 enable :update_snippet
@@ -658,6 +669,7 @@ class ProjectPolicy < BasePolicy
 enable :read_design
 enable :read_design_activity
 enable :read_issue_link
+ enable :read_work_item
 end
 rule { can?(:developer_access) }.policy do
@@ -752,6 +764,10 @@ class ProjectPolicy < BasePolicy
 enable :import_project_members_from_another_project
 end
+ rule { registry_enabled & can?(:admin_container_image) }.policy do
+ enable :view_package_registry_project_settings
+ end
+
 private
 def user_is_user?
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index e191e8d26ca..ea7559592e1 100644
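Review bot: The new `:owner` condition spends an `unless` block and a conditionally assigned local on what `||` already does lazily, and `group_or_project_owner` is left `nil` on the personal-namespace path, which reads like an accident rather than a design; the body can simply be `(project.owner.present? && project.owner == @user) ||` followed by `team_access_level >= Gitlab::Access::OWNER`. The condition also replaces the removed `project.group&.has_owner?(@user)` check (first hunk of this file) with `team_access_level >= Gitlab::Access::OWNER`, so whether a group owner with no direct project membership still qualifies now rests entirely on what `team_access_level`, defined outside the hunk, resolves to; a spec covering that inherited case would pin the intended behaviour.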
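Review bot: `registry_enabled` reads only `Gitlab.config.registry.enabled`, which depends on neither the user nor the subject, but the condition is declared without a scope and so is presumably evaluated and cached per user/subject pair like any default condition; `condition(:registry_enabled, scope: :global) { Gitlab.config.registry.enabled }` would let it be computed once, in the same spirit as `:public_builds` earlier in this file using `scope: :subject, score: 0`. A `desc "Container registry is enabled on this instance"` above it would match the documented style of the surrounding conditions. The same condition gates the new `view_package_registry_project_settings` rule in the last hunk of this file.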
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -8,4 +8,9 @@ class WorkItemPolicy < IssuePolicy
 rule { can?(:update_issue) }.enable :update_work_item
 rule { can?(:read_issue) }.enable :read_work_item
+ # because IssuePolicy delegates to ProjectPolicy and
+ # :read_work_item is enabled in ProjectPolicy too, we
+ # need to make sure we also prevent this rule if read_issue
+ # is prevented
+ rule { ~can?(:read_issue) }.prevent :read_work_item
 end
-- cgit v1.2.3