From b595cb0c1dec83de5bdee18284abe86614bed33b Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 20 Jul 2022 15:40:28 +0000
Subject: Add latest changes from gitlab-org/gitlab@15-2-stable-ee

---
app/policies/global_policy.rb | 2 ++
app/policies/group_policy.rb | 2 ++
.../incident_management/timeline_event_policy.rb | 10 ++++++++++
app/policies/issue_policy.rb | 12 +----------
app/policies/merge_request_policy.rb | 2 +-
app/policies/namespaces/user_namespace_policy.rb | 1 +
app/policies/project_policy.rb | 19 +++++++++++++++----
app/policies/work_item_policy.rb | 4 ++++
8 files changed, 36 insertions(+), 16 deletions(-)
(limited to 'app/policies')

diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index fa7b117f3cd..406144b7a5c 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -120,6 +120,8 @@ class GlobalPolicy < BasePolicy
 # We can't use `read_statistics` because the user may have different permissions for different projects
 rule { admin }.enable :use_project_statistics_filters
+ rule { admin }.enable :delete_runners
+
 rule { external_user }.prevent :create_snippet
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 6ca30ba5dab..50b6f4bbe15 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -154,6 +154,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 rule { reporter }.policy do
 enable :reporter_access
 enable :read_container_image
+ enable :read_harbor_registry
 enable :admin_issue_board
 enable :admin_label
 enable :admin_milestone
@@ -179,6 +180,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
 enable :read_deploy_token
 enable :create_jira_connect_subscription
 enable :maintainer_access
+ enable :maintain_namespace
 end
 rule { owner }.policy do
diff --git a/app/policies/incident_management/timeline_event_policy.rb b/app/policies/incident_management/timeline_event_policy.rb
index 514a2bf0a56..d8c3b283cd0 100644
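Review bot: `enable :read_harbor_registry` is granted to every reporter with no condition on whether a Harbor integration is actually configured for the group, and I don't see a matching `prevent :read_harbor_registry` anywhere in this diff; the same applies to the reporter block in project_policy.rb (hunk @@ -317). If the integration's availability is enforced elsewhere (a controller check or a rule outside this diff), a one-line comment next to the new line saying so would save the next reader the search: `# Harbor availability is checked by the integration itself, not by this policy`. If it is not enforced elsewhere, the ability should be paired with a subject-scoped condition on the integration being active, in the style of the `condition(..., scope: :subject)` declarations elsewhere in this diff. The enclosing `rule { reporter }.policy` block continues past the hunk.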
--- a/app/policies/incident_management/timeline_event_policy.rb
+++ b/app/policies/incident_management/timeline_event_policy.rb
@@ -3,5 +3,15 @@ module IncidentManagement
 class TimelineEventPolicy < ::BasePolicy
 delegate { @subject.incident }
+
+ condition(:is_editable, scope: :subject, score: 0) { @subject.editable? }
+
+ rule { ~can?(:admin_incident_management_timeline_event) }.policy do
+ prevent :edit_incident_management_timeline_event
+ end
+
+ rule { is_editable }.policy do
+ enable :edit_incident_management_timeline_event
+ end
 end
 end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 2b6dcc56fa0..0a0a35d41cc 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -57,13 +57,7 @@ class IssuePolicy < IssuablePolicy
 enable :update_subscription
 end
- # admin can set metadata on new issues
- rule { ~persisted & admin }.policy do
- enable :set_issue_metadata
- end
-
- # support bot needs to be able to set metadata on new issues when service desk is enabled
- rule { ~persisted & support_bot & can?(:guest_access) }.policy do
+ rule { can?(:admin_issue) }.policy do
 enable :set_issue_metadata
 end
@@ -72,10 +66,6 @@ class IssuePolicy < IssuablePolicy
 enable :set_issue_metadata
 end
- rule { persisted & can?(:admin_issue) }.policy do
- enable :set_issue_metadata
- end
-
 rule { can?(:set_issue_metadata) }.policy do
 enable :set_confidentiality
 end
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index 96002d98afe..bda327cb661 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -14,7 +14,7 @@ class MergeRequestPolicy < IssuablePolicy
 prevent :accept_merge_request
 end
- rule { can?(:update_merge_request) }.policy do
+ rule { can?(:update_merge_request) & is_project_member }.policy do
 enable :approve_merge_request
 end
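Review bot: The prevent/enable pair on `edit_incident_management_timeline_event` carries no comment, and the reason it is split into two rules is not obvious: as far as I understand DeclarativePolicy, a `prevent` beats any `enable`, including one that arrives through `delegate { @subject.incident }`, so the `~can?(:admin_incident_management_timeline_event)` rule is what stops an edit ability leaking in via the incident, while the `is_editable` rule only adds it for editable events. A comment above the first rule stating that, e.g. `# prevent wins over enables delegated from the incident: editing requires admin on the incident AND an editable event`, would stop someone later collapsing this into a single rule. Minor: Ruby style drops the `is_` prefix on predicates, so `editable` would read better as the condition name, though this diff's `is_project_member` shows the codebase already uses both forms.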
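Review bot: The new `rule { can?(:admin_issue) }` silently changes who may set metadata on unsaved issues and drops the two comments that explained the old rules; the paired removal in hunk @@ -72 has the same documentation gap. Previously an unpersisted issue required `admin` or the support bot with guest access, whereas now anyone with `admin_issue` qualifies, and the support-bot path only survives if the bot also satisfies `can?(:admin_issue)` — that is decided outside this file, so a spec covering service-desk issue creation with metadata is worth confirming before this ships. Please restore a comment on the new rule, e.g. `# Setting metadata follows :admin_issue, for both new and persisted issues`.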
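Review bot: The added `& is_project_member` guard is a deliberate tightening (update rights alone no longer suffice to approve), but nothing on the line says why, and `is_project_member` is defined outside this hunk — presumably in IssuablePolicy — so a reader of this file sees an unexplained condition. I'd add a comment above the rule: `# Update rights alone (e.g. an MR author who is not a member) are not enough to approve; approvers must be project members`. Since this removes an ability some users currently hold, it also deserves a changelog entry and a spec asserting that a non-member with `update_merge_request` cannot `approve_merge_request`.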
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 028247497e5..26112332003 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -11,6 +11,7 @@ module Namespaces
 enable :owner_access
 enable :create_projects
 enable :admin_namespace
+ enable :maintain_namespace
 enable :read_namespace
 enable :read_statistics
 enable :create_jira_connect_subscription
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 2594310c498..54270dc186e 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -195,6 +195,8 @@ class ProjectPolicy < BasePolicy
 with_scope :subject
 condition(:packages_disabled) { !@subject.packages_enabled }
+ condition(:work_items_enabled, scope: :subject) { project&.work_items_feature_flag_enabled? }
+
 features = %w[
 merge_requests
 issues
@@ -223,6 +225,10 @@ class ProjectPolicy < BasePolicy
 Gitlab.config.registry.enabled
 end
+ condition :packages_enabled do
+ Gitlab.config.packages.enabled
+ end
+
 # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
 # not.
 rule { guest | admin }.enable :read_project_for_iids
@@ -290,10 +296,9 @@ class ProjectPolicy < BasePolicy
 rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident
- rule { can?(:create_issue) }.policy do
- enable :create_task
- enable :create_work_item
- end
+ rule { can?(:create_issue) }.enable :create_work_item
+
+ rule { can?(:create_issue) & work_items_enabled }.enable :create_task
 # These abilities are not allowed to admins that are not members of the project,
 # that's why they are defined separately.
@@ -317,6 +322,7 @@ class ProjectPolicy < BasePolicy
 enable :read_commit_status
 enable :read_build
 enable :read_container_image
+ enable :read_harbor_registry
 enable :read_deploy_board
 enable :read_pipeline
 enable :read_pipeline_schedule
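Review bot: The new `work_items_enabled` condition reads `project&.work_items_feature_flag_enabled?` while the sibling condition on the line above uses `@subject` directly, and the safe-navigation operator implies the project can be nil — in a ProjectPolicy the subject is the project, so either the `&.` is dead or it quietly turns a missing subject into a false condition instead of an error. If `project` is just an alias for `@subject` here (its definition is outside this hunk), `condition(:work_items_enabled, scope: :subject) { @subject.work_items_feature_flag_enabled? }` matches the neighbouring condition and makes a nil subject fail loudly. If it genuinely can be nil, a short comment saying when would help.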
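Review bot: `condition :packages_enabled` reads as the negation of the existing `packages_disabled` condition (visible in hunk @@ -195 as `!@subject.packages_enabled`), but the two test different things — one is the project's own setting, the other the instance-wide `Gitlab.config.packages.enabled` — so `packages_enabled & ~packages_disabled` is a meaningful combination, which is a trap for the next rule author (the new rule in hunk @@ -792 already uses it). A name that says what it checks, e.g. `condition(:packages_config_enabled, scope: :global) { Gitlab.config.packages.enabled }`, avoids that. The condition also reads only global config, so it should carry `scope: :global` (or sit under a `with_scope :global`) so it is evaluated once rather than per subject; the preceding registry condition's declaration is outside the hunk, so match whatever scope it uses.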
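Review bot: After the split, `create_work_item` is granted on `can?(:create_issue)` alone while `create_task` additionally requires `work_items_enabled`, and nothing says why tasks sit behind the feature flag but generic work items do not. If the asymmetry is intentional, a comment on the `create_task` line such as `# tasks are a work item type still gated by the work_items feature flag` keeps someone from "fixing" it later; if not, the flag belongs on both rules. `work_items_enabled` is declared in hunk @@ -195 of this file.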
@@ -490,6 +496,7 @@ class ProjectPolicy < BasePolicy
 enable :update_runners_registration_token
 enable :admin_project_google_cloud
 enable :admin_secure_files
+ enable :read_web_hooks
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
@@ -792,6 +799,10 @@ class ProjectPolicy < BasePolicy
 enable :view_package_registry_project_settings
 end
+ rule { packages_enabled & can?(:admin_package) }.policy do
+ enable :view_package_registry_project_settings
+ end
+
 private
 def user_is_user?
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index ea7559592e1..2f3561f1135 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -13,4 +13,8 @@ class WorkItemPolicy < IssuePolicy
 # need to make sure we also prevent this rule if read_issue
 # is prevented
 rule { ~can?(:read_issue) }.prevent :read_work_item
+
+ rule { can?(:reporter_access) }.policy do
+ enable :admin_parent_link
+ end
 end
--
cgit v1.2.3
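Review bot: The new rule enables `view_package_registry_project_settings`, an ability the rule directly above already enables under a condition that lies outside this hunk; since enables from separate rules accumulate, adding `packages_enabled & can?(:admin_package)` can only widen who sees the settings — it cannot restrict them to instances where packages are enabled. If the intent was to gate the settings page on `Gitlab.config.packages.enabled`, the existing rule needs the condition as well, or a prevent such as `rule { ~packages_enabled }.prevent :view_package_registry_project_settings` should be added. If the intent really is to widen it for `admin_package` holders, a one-line comment saying so would make that explicit.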
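Review bot: `admin_parent_link` is granted on `can?(:reporter_access)` alone, with no prevent tied to the work item being readable, whereas the rule just above takes care to `prevent :read_work_item` whenever `read_issue` is prevented. A reporter could therefore hold `admin_parent_link` on a work item they cannot read (for instance when reading is prevented at the project level), unless something outside this file already blocks that. Mirroring the existing pattern with `rule { ~can?(:read_work_item) }.prevent :admin_parent_link` closes the gap cheaply and keeps the ability consistent with the comment above it.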