From 41fe97390ceddf945f3d967b8fdb3de4c66b7dea Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Fri, 18 Mar 2022 20:02:30 +0000
Subject: Add latest changes from gitlab-org/gitlab@14-9-stable-ee

---
 app/policies/alert_management/alert_policy.rb | 2 ++
 app/policies/application_setting_policy.rb | 5 ++++-
 app/policies/base_policy.rb | 2 +-
 app/policies/ci/runner_policy.rb | 6 ++++++
 app/policies/global_policy.rb | 1 -
 app/policies/group_policy.rb | 7 +++----
 app/policies/issue_policy.rb | 2 +-
 app/policies/project_policy.rb | 15 +++++++++++++--
 app/policies/user_policy.rb | 3 +++
 app/policies/users/saved_reply_policy.rb | 7 +++++++
 app/policies/work_item_policy.rb | 11 ++++-------
 11 files changed, 44 insertions(+), 17 deletions(-)
 create mode 100644 app/policies/users/saved_reply_policy.rb

(limited to 'app/policies')

diff --git a/app/policies/alert_management/alert_policy.rb b/app/policies/alert_management/alert_policy.rb
index 85fafcde2cc..e2383921c82 100644
--- a/app/policies/alert_management/alert_policy.rb
+++ b/app/policies/alert_management/alert_policy.rb
@@ -5,3 +5,5 @@ module AlertManagement
     delegate { @subject.project }
   end
 end
+
+AlertManagement::AlertPolicy.prepend_mod
diff --git a/app/policies/application_setting_policy.rb b/app/policies/application_setting_policy.rb
index 114c71fd99d..6d0b5f36fa4 100644
--- a/app/policies/application_setting_policy.rb
+++ b/app/policies/application_setting_policy.rb
@@ -1,5 +1,8 @@
 # frozen_string_literal: true
 
 class ApplicationSettingPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
-  rule { admin }.enable :read_application_setting
+  rule { admin }.policy do
+    enable :read_application_setting
+    enable :update_runners_registration_token
+  end
 end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 77897c5807f..f8e7a912896 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
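Review bot: `update_runners_registration_token` is now granted on `ApplicationSettingPolicy` instead of `GlobalPolicy` (the matching removal is in the global_policy.rb hunk of this patch), so any subject-less check such as `can?(user, :update_runners_registration_token)` will now be denied and must pass the `ApplicationSetting` (or, for the project-level grant added later in this patch, the project) as the subject. Those call sites are not visible here, so this is worth confirming before merge. A comment above the rule would record the split: `# Instance-wide registration token reset is admin-only; project/group tokens are governed by ProjectPolicy/GroupPolicy.`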
@@ -67,7 +67,7 @@ class BasePolicy < DeclarativePolicy::Base
 
   rule { default }.enable :read_cross_project
 
-  condition(:is_gitlab_com, score: 0, scope: :global) { ::Gitlab.dev_env_or_com? }
+  condition(:is_gitlab_com, score: 0, scope: :global) { ::Gitlab.com? }
 end
 
 BasePolicy.prepend_mod_with('BasePolicy')
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index bdbe7021276..6dfe9cc496b 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -9,6 +9,10 @@ module Ci
       @user.owns_runner?(@subject)
     end
 
+    condition(:belongs_to_multiple_projects) do
+      @subject.belongs_to_more_than_one_project?
+    end
+
     rule { anonymous }.prevent_all
 
     rule { admin }.policy do
@@ -22,6 +26,8 @@ module Ci
       enable :delete_runner
     end
 
+    rule { ~admin & belongs_to_multiple_projects }.prevent :delete_runner
+
     rule { ~admin & locked }.prevent :assign_runner
   end
 end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 2a2ddf29899..fa7b117f3cd 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -115,7 +115,6 @@ class GlobalPolicy < BasePolicy
     enable :approve_user
     enable :reject_user
     enable :read_usage_trends_measurement
-    enable :update_runners_registration_token
   end
 
   # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 76e5b3ece53..7a49ad3d4aa 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
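Review bot: Switching `is_gitlab_com` from `dev_env_or_com?` to `com?` means any rule gated on this condition (presumably EE rules pulled in through `prepend_mod_with` below) is now inactive in development and test environments, so SaaS-only restrictions can no longer be exercised locally without stubbing `Gitlab.com?`. That is probably intended, but it is a silent coverage change and deserves a comment on the condition: `# True only on production GitLab.com; dev/test must stub ::Gitlab.com? to exercise SaaS-only rules.` The condition is `scope: :global`, so the value is cached once per evaluation rather than per subject, which is fine for a process-wide setting.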
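Review bot: The new `belongs_to_multiple_projects` condition in the runner_policy.rb hunk depends only on the runner, so it should declare `scope: :subject` (as `crm_enabled` in group_policy.rb does) to keep `belongs_to_more_than_one_project?` — presumably a query — from being re-run for every user the policy is evaluated against: `condition(:belongs_to_multiple_projects, scope: :subject) do`. The accompanying `rule { ~admin & belongs_to_multiple_projects }.prevent :delete_runner` is sound as a least-privilege check: a non-admin runner owner can no longer remove a runner that other projects depend on, while admins keep `delete_runner`. A `desc 'Runner is shared by more than one project'` above the condition would document the restriction; note that the `rule { admin }` block touched by the second hunk starts outside it.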
@@ -80,9 +80,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 
   condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
 
-  with_scope :subject
-  condition(:group_runner_registration_allowed, score: 0, scope: :subject) do
-    Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+  condition(:group_runner_registration_allowed) do
+    Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
   end
 
   rule { can?(:read_group) & design_management_enabled }.policy do
@@ -280,7 +279,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
     prevent :admin_crm_organization
   end
 
-  rule { ~group_runner_registration_allowed }.policy do
+  rule { ~admin & ~group_runner_registration_allowed }.policy do
     prevent :register_group_runners
   end
 
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index c9c13b29643..a667c843bc6 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -13,7 +13,7 @@ class IssuePolicy < IssuablePolicy
   end
 
   desc "User can read contacts belonging to the issue group"
-  condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.group) }
+  condition(:can_read_crm_contacts, scope: :subject) { @user.can?(:read_crm_contact, @subject.project.root_ancestor) }
 
   desc "Issue is confidential"
   condition(:confidential, scope: :subject) { @subject.confidential? }
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 4cc5ed06d61..09085bef9f0 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
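Review bot: `group_runner_registration_allowed` now reads only instance-wide state (`Feature.disabled?` with no actor, plus `Gitlab::CurrentSettings`), so dropping `score: 0, scope: :subject` without a replacement leaves it default-scoped and re-evaluated per user/group pair; `scope: :global` matches what it actually depends on, as `is_gitlab_com` in base_policy.rb does: `condition(:group_runner_registration_allowed, scope: :global) do`. The second hunk's `~admin &` carve-out means the `valid_runner_registrars` instance setting no longer constrains administrators at all; that is presumably intended, but a comment such as `# Instance admins may register group runners even when the registrars setting excludes groups` would record the decision. Whether `admin` here also requires admin mode is decided by the `admin` condition in BasePolicy, which is outside this hunk.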
@@ -194,6 +194,10 @@ class ProjectPolicy < BasePolicy
     condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
   end
 
+  condition(:project_runner_registration_allowed) do
+    Feature.disabled?(:runner_registration_control, default_enabled: :yaml) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
+  end
+
   # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
   # not.
   rule { guest | admin }.enable :read_project_for_iids
@@ -230,6 +234,8 @@ class ProjectPolicy < BasePolicy
     enable :set_emails_disabled
     enable :set_show_default_award_emojis
     enable :set_warn_about_potentially_unwanted_characters
+
+    enable :register_project_runners
   end
 
   rule { can?(:guest_access) }.policy do
@@ -264,8 +270,6 @@ class ProjectPolicy < BasePolicy
     enable :create_work_item
   end
 
-  rule { can?(:update_issue) }.enable :update_work_item
-
   # These abilities are not allowed to admins that are not members of the project,
   # that's why they are defined separately.
   rule { guest & can?(:download_code) }.enable :build_download_code
@@ -409,6 +413,7 @@ class ProjectPolicy < BasePolicy
     enable :admin_feature_flag
     enable :admin_feature_flags_user_lists
     enable :update_escalation_status
+    enable :read_secure_files
   end
 
   rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -455,8 +460,10 @@ class ProjectPolicy < BasePolicy
     enable :update_freeze_period
     enable :destroy_freeze_period
     enable :admin_feature_flags_client
+    enable :register_project_runners
     enable :update_runners_registration_token
     enable :admin_project_google_cloud
+    enable :admin_secure_files
   end
 
   rule { public_project & metrics_dashboard_allowed }.policy do
@@ -729,6 +736,10 @@ class ProjectPolicy < BasePolicy
     enable :access_security_and_compliance
   end
 
+  rule { ~admin & ~project_runner_registration_allowed }.policy do
+    prevent :register_project_runners
+  end
+
   private
 
   def user_is_user?
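Review bot: `read_secure_files` is enabled in a block whose rule header lies outside the hunk at line 409; the context line that follows it (`rule { can?(:developer_access) & user_confirmed? }`) suggests this is the developer-level block, so every developer would be able to read project secure files while only the block at line 455 (presumably maintainer) gets `admin_secure_files`. If secure files are used to hold signing keys or similar secrets — their contents are not shown here — that read grant is the security-relevant line of this patch and deserves an explicit comment, e.g. `# Developers may read secure files so the CI jobs they trigger can consume them; only maintainers manage them`, plus a check that every download endpoint gates on `read_secure_files` rather than a weaker ability. Separately, `project_runner_registration_allowed` reads only instance-wide settings, so `condition(:project_runner_registration_allowed, scope: :global) do` would avoid re-evaluating it per user/project pair.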
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 018c061af9f..de99cbffb6f 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -23,9 +23,12 @@ class UserPolicy < BasePolicy
     enable :destroy_user
     enable :update_user
     enable :update_user_status
+    enable :create_saved_replies
+    enable :update_saved_replies
     enable :read_user_personal_access_tokens
     enable :read_group_count
     enable :read_user_groups
+    enable :read_saved_replies
   end
 
   rule { default }.enable :read_user_profile
diff --git a/app/policies/users/saved_reply_policy.rb b/app/policies/users/saved_reply_policy.rb
new file mode 100644
index 00000000000..be76c526012
--- /dev/null
+++ b/app/policies/users/saved_reply_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Users
+  class SavedReplyPolicy < BasePolicy
+    delegate { @subject.user }
+  end
+end
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index 7ba5102a406..b4723bc7ed8 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -1,12 +1,9 @@
 # frozen_string_literal: true
 
-class WorkItemPolicy < BasePolicy
-  delegate { @subject.project }
+class WorkItemPolicy < IssuePolicy
+  rule { can?(:owner_access) | is_author }.enable :delete_work_item
 
-  desc 'User is author of the work item'
-  condition(:author) do
-    @user && @user == @subject.author
-  end
+  rule { can?(:update_issue) }.enable :update_work_item
 
-  rule { can?(:owner_access) | author }.enable :delete_work_item
+  rule { can?(:read_issue) }.enable :read_work_item
 end
-- 
cgit v1.2.3
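Review bot: In the work_item_policy.rb hunk, `delete_work_item` is granted by `can?(:owner_access) | is_author` with no `read_issue` requirement, unlike the two rules beneath it, so an author who has since lost access to the project keeps the delete ability unless a prevent rule in `IssuePolicy`/`IssuablePolicy` (outside this patch) covers it; `rule { can?(:read_issue) & (can?(:owner_access) | is_author) }.enable :delete_work_item` would close that gap. `is_author` is not defined in this file and is presumably inherited now that the class extends `IssuePolicy`; it is worth confirming it performs the same `@user == @subject.author` check as the removed `author` condition, since an `is_author` that matches on a different field would silently widen deletion. The same author grant existed before this change, so this is a pre-existing gap rather than a regression.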