From 8c7f4e9d5f36cff46365a7f8c4b9c21578c1e781 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Thu, 18 Jun 2020 11:18:50 +0000
Subject: Add latest changes from gitlab-org/gitlab@13-1-stable-ee

---
 app/policies/ci/build_policy.rb | 22 ++++++++++++++
 app/policies/container_expiration_policy_policy.rb | 5 ++++
 app/policies/draft_note_policy.rb | 13 ++++++++
 app/policies/project_policy.rb | 35 +++++++++++-----------
 app/policies/releases/link_policy.rb | 7 +++++
 app/policies/releases/source_policy.rb | 13 ++++++++
 6 files changed, 77 insertions(+), 18 deletions(-)
 create mode 100644 app/policies/container_expiration_policy_policy.rb
 create mode 100644 app/policies/draft_note_policy.rb
 create mode 100644 app/policies/releases/link_policy.rb
 create mode 100644 app/policies/releases/source_policy.rb

(limited to 'app/policies')

diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 12892a69257..0879a740f8a 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -36,6 +36,10 @@ module Ci
       @subject.has_terminal?
     end
 
+    condition(:is_web_ide_terminal, scope: :subject) do
+      @subject.pipeline.webide?
+    end
+
     rule { protected_ref | archived }.policy do
       prevent :update_build
       prevent :update_commit_status
@@ -50,6 +54,24 @@ module Ci
     end
 
     rule { can?(:update_build) & terminal }.enable :create_build_terminal
+
+    rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
+      enable :read_web_ide_terminal
+      enable :update_web_ide_terminal
+    end
+
+    rule { is_web_ide_terminal & ~can?(:update_web_ide_terminal) }.policy do
+      prevent :create_build_terminal
+    end
+
+    rule { can?(:update_web_ide_terminal) & terminal }.policy do
+      enable :create_build_terminal
+      enable :create_build_service_proxy
+    end
+
+    rule { ~can?(:build_service_proxy_enabled) }.policy do
+      prevent :create_build_service_proxy
+    end
   end
 end
 
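Review bot: The first added rule in the `@@ -50` hunk grants `read_web_ide_terminal`/`update_web_ide_terminal` only with `admin | owner_of_job` on top of `can?(:create_web_ide_terminal)`, but nothing in the hunk records why project-level permission alone is deliberately insufficient, and that is exactly the kind of restriction a later refactor loosens by accident. Suggested comment above that rule: `# A Web IDE terminal presumably belongs to the user whose job started it; only that user (or an admin) may attach to it, even though other users with create_web_ide_terminal can start their own.` `owner_of_job` and `admin` are not declared in this hunk, so I assume they are conditions defined earlier in the file. The last two rules enable `create_build_service_proxy` and then withdraw it via `~can?(:build_service_proxy_enabled)`; as I understand this DSL a `prevent` overrides an `enable` regardless of order, so this is fine, but a one-line comment noting that the flag is read through the project policy (`# build_service_proxy_enabled is an ability of the delegated ProjectPolicy, backed by a feature flag`) would make the indirection obvious.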
diff --git a/app/policies/container_expiration_policy_policy.rb b/app/policies/container_expiration_policy_policy.rb
new file mode 100644
index 00000000000..709435f47d3
--- /dev/null
+++ b/app/policies/container_expiration_policy_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ContainerExpirationPolicyPolicy < BasePolicy
+  delegate { @subject.project }
+end
diff --git a/app/policies/draft_note_policy.rb b/app/policies/draft_note_policy.rb
new file mode 100644
index 00000000000..be99d12c5f8
--- /dev/null
+++ b/app/policies/draft_note_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+class DraftNotePolicy < BasePolicy
+  delegate { @subject.merge_request }
+
+  condition(:is_author) { @user && @subject.author == @user }
+
+  rule { is_author }.policy do
+    enable :read_note
+    enable :admin_note
+    enable :resolve_note
+  end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 8df4fc5e88c..f87c72007ec 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -147,6 +147,10 @@ class ProjectPolicy < BasePolicy
     @user && @user.confirmed?
   end
 
+  condition(:build_service_proxy_enabled) do
+    ::Feature.enabled?(:build_service_proxy, @subject)
+  end
+
   features = %w[
     merge_requests
     issues
@@ -278,7 +282,6 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:metrics_dashboard) }.policy do
     enable :read_prometheus
-    enable :read_environment
     enable :read_deployment
   end
 
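Review bot: In `draft_note_policy.rb` the `is_author` rule enables `read_note`, `admin_note` and `resolve_note` on its own, independent of whether the author can still read the delegated merge request; a user removed from a private project after starting a review would presumably still pass these checks for their own drafts. If the callers do not separately authorize the merge request, consider tightening the rule to `rule { is_author & can?(:read_merge_request) }.policy do`, or adding `rule { ~can?(:read_merge_request) }.prevent :read_note, :admin_note, :resolve_note` (the splatted `prevent(*...)` calls elsewhere in this commit show `prevent` takes several abilities), assuming `read_merge_request` is what the delegated policy exposes. A comment on `delegate { @subject.merge_request }` stating that project-level access comes from the merge request policy while authorship grants only the per-draft abilities would record the intended split.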
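Review bot: The new `build_service_proxy_enabled` condition in `project_policy.rb` (`@@ -147`) reads only `@subject`, so it can be declared `condition(:build_service_proxy_enabled, scope: :subject) do`, the same way `is_web_ide_terminal` is scoped in `ci/build_policy.rb` in this commit, which lets the result be cached per project rather than per user/project pair. The `::Feature.enabled?` call passes no default, so the flag presumably reads as disabled until enabled explicitly; a short comment such as `# Off by default; gates the build service proxy abilities in Ci::BuildPolicy` would spare the next reader the lookup.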
@@ -429,27 +432,11 @@ class ProjectPolicy < BasePolicy rule { builds_disabled | repository_disabled }.policy do prevent(*create_read_update_admin_destroy(:build)) prevent(*create_read_update_admin_destroy(:pipeline_schedule)) + prevent(*create_read_update_admin_destroy(:environment)) prevent(*create_read_update_admin_destroy(:cluster)) prevent(*create_read_update_admin_destroy(:deployment)) end - # Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is - # necessary due to the route for metrics dashboard requiring an environment id. - # This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when - # environments and metrics are decoupled and these rules will be removed. - - rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do - prevent(*create_read_update_admin_destroy(:environment)) - end - - rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do - prevent :create_environment - prevent :update_environment - prevent :admin_environment - prevent :destroy_environment - enable :read_environment - end - # There's two separate cases when builds_disabled is true: # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled # - We do not prevent the user from accessing Pipelines to allow them to access external CI @@ -577,6 +564,18 @@ class ProjectPolicy < BasePolicy enable :read_project end + rule { can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal + + rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled + + rule { can?(:download_code) }.policy do + enable :read_repository_graphs + end + + rule { can?(:read_build) & can?(:read_pipeline) }.policy do + enable :read_build_report_results + end + private def team_member? diff --git a/app/policies/releases/link_policy.rb b/app/policies/releases/link_policy.rb new file mode 100644 index 00000000000..4a662fafb2f --- /dev/null 
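Review bot: With this hunk `read_environment` is withdrawn unconditionally whenever builds or the repository are disabled, and the companion hunk at `@@ -278` drops `enable :read_environment` from the `metrics_dashboard` rule, while the removed comment said the former exception existed because the metrics dashboard route needs an environment id. If that route still resolves an environment, users who hold `metrics_dashboard` on a project with builds disabled lose the dashboard, so it is worth confirming the decoupling referenced in the removed comment has actually landed. If it has, a comment on the `builds_disabled | repository_disabled` rule, e.g. `# Environments are CI/CD objects: with builds or the repository disabled, no environment access remains (the metrics-dashboard exception was removed once dashboards stopped depending on an environment).`, would record why the special case is gone. The rule list this hunk edits continues above and below the hunk.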
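Review bot: In the `@@ -577` hunk the new ability `:build_service_proxy_enabled` carries the same name as the condition that enables it, and nothing says why a feature-flag state is exposed as an ability; the reason is that `Ci::BuildPolicy` in this same commit checks `~can?(:build_service_proxy_enabled)` through delegation. Suggested comment above that rule: `# Exposed as an ability so policies that delegate to the project (Ci::BuildPolicy) can query the build_service_proxy flag through can?`. `create_web_ide_terminal` is gated on `can?(:maintainer_access)` in addition to `can?(:create_pipeline)`, which presumably is a lower-level ability; if requiring maintainer access is deliberate, a comment saying so would keep a later change from relaxing it.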
+++ b/app/policies/releases/link_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Releases
+  class LinkPolicy < BasePolicy
+    delegate { @subject.release.project }
+  end
+end
diff --git a/app/policies/releases/source_policy.rb b/app/policies/releases/source_policy.rb
new file mode 100644
index 00000000000..8b86b925589
--- /dev/null
+++ b/app/policies/releases/source_policy.rb
@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Releases
+  class SourcePolicy < BasePolicy
+    delegate { @subject.project }
+
+    rule { can?(:public_access) | can?(:reporter_access) }.policy do
+      enable :read_release_sources
+    end
+
+    rule { ~can?(:read_release) }.prevent :read_release_sources
+  end
+end
-- 
cgit v1.2.3
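Review bot: In `source_policy.rb`, `read_release_sources` is granted by `can?(:public_access) | can?(:reporter_access)` and withdrawn only by `~can?(:read_release)`; release sources are presumably repository archives, so the more precise gate is `can?(:download_code)`, which the project policy already derives from repository visibility and from the repository feature being disabled. As written, a public project whose repository feature is restricted to members may still satisfy `public_access`, and the prevent rule ties sources to release visibility rather than repository visibility; this needs checking against how `download_code` is computed in `ProjectPolicy`, which is outside this diff. If `public_access | reporter_access` is intentional (for example because sources are published alongside the release rather than generated from the live repository), a comment above the rule saying so would pre-empt the question.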