From 36a59d088eca61b834191dacea009677a96c052f Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 19 May 2022 07:33:21 +0000 Subject: Add latest changes from gitlab-org/gitlab@15-0-stable-ee --- app/policies/group_policy.rb | 34 +++++++++++++++------- .../incident_management/timeline_event_policy.rb | 7 +++++ app/policies/issuable_policy.rb | 8 +++++ app/policies/issue_policy.rb | 11 +++++-- app/policies/namespace_ci_cd_setting_policy.rb | 5 ++++ app/policies/namespaces/user_namespace_policy.rb | 3 +- app/policies/project_policy.rb | 4 +-- app/policies/timelog_policy.rb | 7 +++++ app/policies/work_item_policy.rb | 4 ++- 9 files changed, 65 insertions(+), 18 deletions(-) create mode 100644 app/policies/incident_management/timeline_event_policy.rb create mode 100644 app/policies/namespace_ci_cd_setting_policy.rb (limited to 'app/policies') diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 7a49ad3d4aa..a4600c720a3 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -22,6 +22,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:share_with_group_locked, scope: :subject) { @subject.share_with_group_lock? } condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? } condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } + condition(:migration_bot, scope: :user) { @user.migration_bot? } desc "User is a project bot" condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST } 
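Review bot: The new `migration_bot` condition carries no `desc`, while the neighbouring `project_bot` condition in the same hunk documents itself with `desc "User is a project bot"`; add a line such as `desc "User is the migration bot"` above it so rule traces and readers of the policy name it the same way. It also calls `@user.migration_bot?` unguarded; if `@user` can be nil during anonymous evaluation (not visible here), `@user&.migration_bot?` avoids a NoMethodError, though the adjacent `project_bot` condition takes the same unguarded approach. The class body continues outside the hunk.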
@@ -54,11 +55,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy end condition(:dependency_proxy_access_allowed) do - if Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true) - access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token - else - can?(:read_group) - end + access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token end desc "Deploy token with read_package_registry scope" @@ -81,7 +78,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? } condition(:group_runner_registration_allowed) do - Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group') + Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group') + end + + condition(:change_prevent_sharing_groups_outside_hierarchy_available) do + change_prevent_sharing_groups_outside_hierarchy_available? end rule { can?(:read_group) & design_management_enabled }.policy do @@ -134,13 +135,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { has_access }.enable :read_namespace rule { developer }.policy do - enable :admin_milestone enable :create_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation enable :create_custom_emoji enable :create_package - enable :create_package_settings enable :developer_access enable :admin_crm_organization enable :admin_crm_contact 
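Review bot: The new `change_prevent_sharing_groups_outside_hierarchy_available` condition has no `desc`, unlike the described conditions elsewhere in this file (`desc "Deploy token with read_package_registry scope"` in the previous hunk), and nothing states that the predicate it wraps is an extension seam for the EE module loaded by `GroupPolicy.prepend_mod_with('GroupPolicy')` at the bottom of the file. Add `desc "Group allows changing prevent_sharing_groups_outside_hierarchy"` above it, plus a one-line comment at the condition pointing at the override, so the indirection is not simplified away later. If the answer depends only on the group, `scope: :subject` would let the evaluator cache it per group, but the EE behaviour of the predicate is not visible here.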
@@ -152,18 +151,19 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_container_image enable :admin_issue_board enable :admin_label + enable :admin_milestone enable :admin_issue_board_list enable :admin_issue enable :read_metrics_dashboard_annotation enable :read_prometheus enable :read_package - enable :read_package_settings enable :read_crm_organization enable :read_crm_contact end rule { maintainer }.policy do enable :destroy_package + enable :admin_package enable :create_projects enable :admin_pipeline enable :admin_build @@ -188,7 +188,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :set_note_created_at enable :set_emails_disabled - enable :change_prevent_sharing_groups_outside_hierarchy enable :change_new_user_signups_cap enable :update_default_branch_protection enable :create_deploy_token @@ -197,6 +196,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :owner_access end + rule { owner & change_prevent_sharing_groups_outside_hierarchy_available }.policy do + enable :change_prevent_sharing_groups_outside_hierarchy + end + rule { can?(:read_nested_project_resources) }.policy do enable :read_group_activity enable :read_group_issues @@ -248,7 +251,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { dependency_proxy_access_allowed & dependency_proxy_available } .enable :read_dependency_proxy - rule { developer & dependency_proxy_available }.policy do + rule { maintainer & dependency_proxy_available }.policy do enable :admin_dependency_proxy end @@ -283,6 +286,11 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy prevent :register_group_runners end + rule { migration_bot }.policy do + enable :read_resource_access_tokens + enable :destroy_resource_access_tokens + end + def access_level(for_any_session: false) return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? 
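Review bot: The block that loses `enable :read_package_settings` here (its `rule` header is outside the hunk, but it appears to be the reporter rule) gets no replacement at that level; the only new grant, `enable :admin_package`, lands in the maintainer rule, so reporters and developers who could previously read package settings now have no ability for them at all. Confirm that narrowing is intended rather than a side effect of collapsing `create_package_settings`/`read_package_settings` into one ability, and note that any caller still checking either old ability will silently get false after this rename (the user_namespace_policy hunk makes the same swap). In the opposite direction, `enable :admin_milestone` moves from the developer rule (previous hunk) into this lower-level rule, which widens who may manage milestones; a short comment on the new line stating why reporters need it would make both changes deliberate.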
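Review bot: The new `rule { migration_bot }` enables `read_resource_access_tokens` and `destroy_resource_access_tokens` for the migration bot on every group, with no membership or `has_access` conjunct, unlike every other grant in this file; since destroying tokens is irreversible, a comment stating why the bot needs this regardless of membership would make the unconditional scope deliberate, e.g. `# The migration bot must read and revoke tokens on groups it is not a member of: <REASON PLACEHOLDER>`. Because the grant hangs only on the user-scoped `migration_bot` condition, everything rests on `User#migration_bot?` identifying exactly one system account, which is worth stating next to the rule. `access_level` starts in this hunk and continues outside it.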
@@ -315,6 +323,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy def valid_dependency_proxy_deploy_token @user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject) end + + def change_prevent_sharing_groups_outside_hierarchy_available? + true + end end GroupPolicy.prepend_mod_with('GroupPolicy') diff --git a/app/policies/incident_management/timeline_event_policy.rb b/app/policies/incident_management/timeline_event_policy.rb new file mode 100644 index 00000000000..514a2bf0a56 --- /dev/null +++ b/app/policies/incident_management/timeline_event_policy.rb @@ -0,0 +1,7 @@ +# frozen_string_literal: true + +module IncidentManagement + class TimelineEventPolicy < ::BasePolicy + delegate { @subject.incident } + end +end diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb index ed5a0f24ed0..4e6df79773e 100644 --- a/app/policies/issuable_policy.rb +++ b/app/policies/issuable_policy.rb @@ -34,6 +34,14 @@ class IssuablePolicy < BasePolicy prevent :resolve_note prevent :award_emoji end + + rule { can?(:read_issue) }.policy do + enable :read_incident_management_timeline_event + end + + rule { can?(:read_issue) & can?(:developer_access) }.policy do + enable :admin_incident_management_timeline_event + end end IssuablePolicy.prepend_mod_with('IssuablePolicy') diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb index a667c843bc6..a341d1ef661 100644 --- a/app/policies/issue_policy.rb +++ b/app/policies/issue_policy.rb 
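Review bot: `change_prevent_sharing_groups_outside_hierarchy_available?` returns a bare `true` with nothing marking it as the seam for the EE override that `GroupPolicy.prepend_mod_with('GroupPolicy')` loads two lines below; add `# Overridden in EE` (or the repository's usual wording) above the method so nobody later inlines the condition to a constant. If `valid_dependency_proxy_deploy_token` just above it sits under `private`, the new method inherits that visibility, which the hunk does not show; if it is public, consider whether it should be.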
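Review bot: The new `IncidentManagement::TimelineEventPolicy` has no class comment, so a reader must search to learn that the abilities checked against a timeline event (`read_incident_management_timeline_event`, `admin_incident_management_timeline_event`) are defined on the delegated incident by the IssuablePolicy hunk below, not in this file; a one-line comment naming that would save the lookup. `delegate { @subject.incident }` also makes every decision depend on `incident` being present, so if a timeline event can exist without one, state the expected outcome for that case.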
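Review bot: Both new rules key off `can?(:read_issue)` yet live in IssuablePolicy, which the issue_policy hunk below shows is the base class of IssuePolicy (`class IssuePolicy < IssuablePolicy`); if other issuables also inherit from it, the rules are inert there, and issue-only abilities would read more clearly in IssuePolicy beside the CRM rules. If they stay here, a comment such as `# Timeline events belong to incidents, so their visibility follows the issue` explains why an issue ability gates them. The enclosing class continues outside the hunk.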
@@ -12,8 +12,11 @@ class IssuePolicy < IssuablePolicy @user && IssueCollection.new([@subject]).visible_to(@user).any? end - desc "User can read contacts belonging to the issue group" - condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.root_ancestor) } + desc "Project belongs to a group, crm is enabled and user can read contacts in the root group" + condition(:can_read_crm_contacts, scope: :subject) do + subject.project.group&.crm_enabled? && + @user.can?(:read_crm_contact, @subject.project.root_ancestor) + end desc "Issue is confidential" condition(:confidential, scope: :subject) { @subject.confidential? } @@ -81,6 +84,10 @@ class IssuePolicy < IssuablePolicy enable :set_confidentiality end + rule { can_read_crm_contacts }.policy do + enable :read_crm_contacts + end + rule { can?(:set_issue_metadata) & can_read_crm_contacts }.policy do enable :set_issue_crm_contacts end diff --git a/app/policies/namespace_ci_cd_setting_policy.rb b/app/policies/namespace_ci_cd_setting_policy.rb new file mode 100644 index 00000000000..d883526b86d --- /dev/null +++ b/app/policies/namespace_ci_cd_setting_policy.rb @@ -0,0 +1,5 @@ +# frozen_string_literal: true + +class NamespaceCiCdSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass + delegate { @subject.namespace } +end diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb index 09b0f5d608d..028247497e5 100644 --- a/app/policies/namespaces/user_namespace_policy.rb +++ b/app/policies/namespaces/user_namespace_policy.rb @@ -14,8 +14,7 @@ module Namespaces enable :read_namespace enable :read_statistics enable :create_jira_connect_subscription - enable :create_package_settings - enable :read_package_settings + enable :admin_package end rule { ~can_create_personal_project }.prevent :create_projects diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 68b288bdc87..60519dc346b 100644 
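Review bot: The rebuilt `can_read_crm_contacts` condition still declares `scope: :subject` while its result depends on `@user` (`@user.can?(:read_crm_contact, ...)`); as far as I know DeclarativePolicy caches subject-scoped conditions keyed on the subject alone, so within one request the first user's answer can be served to a different user. Drop the `scope:` option so the cache key includes the user. The block also mixes `subject.project.group` with `@subject.project.root_ancestor`; the other conditions in this file use `@subject`, so `@subject.project.group&.crm_enabled? &&` keeps them uniform. The class body continues outside the hunk.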
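Review bot: `NamespaceCiCdSettingPolicy` is left at top level with `# rubocop:disable Gitlab/NamespacedClass` while the other new policy in this patch is namespaced under `IncidentManagement`; if the top-level name is forced by policy lookup mirroring a top-level model name, say so in the comment, e.g. `# Top-level to match the model it guards`, so the disable is not read as an oversight. A one-line note that the setting inherits every ability from the delegated namespace would also tell readers that no abilities are defined here.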
--- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -195,7 +195,7 @@ class ProjectPolicy < BasePolicy end condition(:project_runner_registration_allowed) do - Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project') + Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project') end # `:read_project` may be prevented in EE, but `:read_project_for_iids` should @@ -285,6 +285,7 @@ class ProjectPolicy < BasePolicy enable :reopen_issue enable :admin_issue enable :admin_label + enable :admin_milestone enable :admin_issue_board_list enable :admin_issue_link enable :read_commit_status @@ -370,7 +371,6 @@ class ProjectPolicy < BasePolicy enable :create_package enable :admin_issue_board enable :admin_merge_request - enable :admin_milestone enable :update_merge_request enable :reopen_merge_request enable :create_commit_status diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb index f71c4204639..02380604c60 100644 --- a/app/policies/timelog_policy.rb +++ b/app/policies/timelog_policy.rb @@ -2,4 +2,11 @@ class TimelogPolicy < BasePolicy delegate { @subject.issuable } + + desc "User who created the timelog" + condition(:is_author) { @user && @subject.user == @user } + + rule { is_author | can?(:maintainer_access) }.policy do + enable :admin_timelog + end end diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb index b4723bc7ed8..e191e8d26ca 100644 --- a/app/policies/work_item_policy.rb +++ b/app/policies/work_item_policy.rb 
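Review bot: `is_author` on its own grants `admin_timelog`, so the user who logged the time keeps the ability after losing access to the underlying issuable (removed from the project, issue made confidential), because nothing in the rule consults the delegated issuable's read ability. The work_item_policy hunk in this same patch tightens its equivalent rule to `is_project_member? & is_author?`; the same conjunction, or `is_author & can?(:<READ_ABILITY_OF_ISSUABLE>)`, would close the gap here, e.g. `rule { (is_author & can?(:<READ_ABILITY_OF_ISSUABLE>)) | can?(:maintainer_access) }.policy do`. Whether `is_project_member?` is available on TimelogPolicy is not visible here.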
@@ -1,7 +1,9 @@ # frozen_string_literal: true class WorkItemPolicy < IssuePolicy - rule { can?(:owner_access) | is_author }.enable :delete_work_item + condition(:is_member_and_author) { is_project_member? & is_author? } + + rule { can?(:destroy_issue) | is_member_and_author }.enable :delete_work_item rule { can?(:update_issue) }.enable :update_work_item -- cgit v1.2.3
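Review bot: Inside a `condition` block `&` is a plain Ruby method call on whatever `is_project_member?` returns, not the rule-DSL combinator used in `rule { ... | ... }` on the next line; it only acts as a boolean AND when both predicates return true, false or nil, and it does not short-circuit, so `is_author?` runs even when the user is not a member. The timelog_policy hunk in this patch writes `@user && @subject.user == @user` for the same purpose; `condition(:is_member_and_author) { is_project_member? && is_author? }` matches that. Both predicates are presumably defined in IssuePolicy outside this hunk, and the class body continues past it.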