From b76ae638462ab0f673e5915986070518dd3f9ad3 Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Thu, 19 Aug 2021 09:08:42 +0000 Subject: Add latest changes from gitlab-org/gitlab@14-2-stable-ee --- app/policies/group_policy.rb | 22 ++++++++++++++++++---- app/policies/issue_policy.rb | 7 +++++++ app/policies/packages/dependency_link_policy.rb | 6 ++++++ .../nuget/dependency_link_metadatum_policy.rb | 8 ++++++++ app/policies/project_policy.rb | 13 +++---------- app/policies/release_policy.rb | 6 +----- 6 files changed, 43 insertions(+), 19 deletions(-) create mode 100644 app/policies/packages/dependency_link_policy.rb create mode 100644 app/policies/packages/nuget/dependency_link_metadatum_policy.rb (limited to 'app/policies')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 0b0edc7c452..1d0aa54c1c0 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -50,6 +50,14 @@ class GroupPolicy < BasePolicy
 @subject.dependency_proxy_feature_available?
 end
+ condition(:dependency_proxy_access_allowed) do
+ if Feature.enabled?(:dependency_proxy_for_private_groups, default_enabled: true)
+ access_level(for_any_session: true) >= GroupMember::GUEST || valid_dependency_proxy_deploy_token
+ else
+ can?(:read_group)
+ end
+ end
+
 desc "Deploy token with read_package_registry scope"
 condition(:read_package_registry_deploy_token) do
 @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
@@ -117,6 +125,7 @@ class GroupPolicy < BasePolicy
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
 enable :create_custom_emoji
+ enable :create_package
 enable :create_package_settings
 end
@@ -134,6 +143,7 @@ class GroupPolicy < BasePolicy
 end
 rule { maintainer }.policy do
+ enable :destroy_package
 enable :create_projects
 enable :admin_pipeline
 enable :admin_build
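Review bot: The new `dependency_proxy_access_allowed` condition has no `desc`, unlike the deploy-token condition directly below it, and its name does not convey the access change it introduces: with the flag on, the proxy requires an actual membership (`access_level(for_any_session: true) >= GroupMember::GUEST`) or a dependency-proxy deploy token, so a non-member who previously satisfied `can?(:read_group)` on a public group no longer qualifies. Add `desc "Group member (guest or above), or a deploy token valid for the dependency proxy"` above the condition, and a why-comment on the `else` branch noting that `can?(:read_group)` is the pre-flag behaviour, presumably kept so the flag can be rolled back. `valid_dependency_proxy_deploy_token` and the `for_any_session:` keyword are introduced in later hunks, so the condition cannot be fully judged from this one.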
@@ -210,7 +220,7 @@ class GroupPolicy < BasePolicy
 enable :read_group
 end
- rule { can?(:read_group) & dependency_proxy_available }
+ rule { dependency_proxy_access_allowed & dependency_proxy_available }
 .enable :read_dependency_proxy
 rule { developer & dependency_proxy_available }
@@ -230,14 +240,14 @@ class GroupPolicy < BasePolicy
 enable :read_label
 end
- def access_level
+ def access_level(for_any_session: false)
 return GroupMember::NO_ACCESS if @user.nil?
 return GroupMember::NO_ACCESS unless user_is_user?
- @access_level ||= lookup_access_level!
+ @access_level ||= lookup_access_level!(for_any_session: for_any_session)
 end
- def lookup_access_level!
+ def lookup_access_level!(for_any_session: false)
 @subject.max_member_access_for_user(@user)
 end
@@ -258,6 +268,10 @@ class GroupPolicy < BasePolicy
 def resource_access_token_creation_allowed?
 resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
 end
+
+ def valid_dependency_proxy_deploy_token
+ @user.is_a?(DeployToken) && @user&.valid_for_dependency_proxy? && @user&.has_access_to_group?(@subject)
+ end
 end
 GroupPolicy.prepend_mod_with('GroupPolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 053243e2296..74bed6b6c4e 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
 desc "Issue is confidential"
 condition(:confidential, scope: :subject) { @subject.confidential? }
+ desc "Issue is hidden"
+ condition(:hidden, scope: :subject) { @subject.hidden? }
+
 desc "Issue is persisted"
 condition(:persisted, scope: :subject) { @subject.persisted? }
@@ -23,6 +26,10 @@ class IssuePolicy < IssuablePolicy
 prevent :read_issue_iid
 end
+ rule { hidden & ~admin }.policy do
+ prevent :read_issue
+ end
+
 rule { ~can?(:read_issue) }.prevent :create_note
 rule { locked }.policy do
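Review bot: `access_level(for_any_session: true)` and plain `access_level` share a single memoised value in `@access_level ||= lookup_access_level!(for_any_session: for_any_session)`, so whichever call runs first in a policy instance decides the answer for the other; the flag never reaches the cache key. With the CE `lookup_access_level!` shown here the keyword is ignored, so nothing changes yet, but the file ends with `prepend_mod_with('GroupPolicy')` and an override that honours `for_any_session` would then leak the session-less level into ordinary permission checks, or the ordinary level into the dependency-proxy check, depending on evaluation order. Memoise per flag, e.g. `(@access_levels ||= {})[for_any_session] ||= lookup_access_level!(for_any_session: for_any_session)`, and document the keyword on the method: `# for_any_session: passed through to lookup_access_level! for overrides; unused in CE`.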
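Review bot: In `valid_dependency_proxy_deploy_token` the two `&.` operators are dead once `@user.is_a?(DeployToken)` has passed (`is_a?` on nil returns false and short-circuits the `&&`), and the method is a predicate yet lacks the `?` its neighbour `resource_access_token_creation_allowed?` carries. Write it as `@user.is_a?(DeployToken) && @user.valid_for_dependency_proxy? && @user.has_access_to_group?(@subject)`; if the name gains a `?`, the caller in the `dependency_proxy_access_allowed` condition from the earlier hunk must change with it. A one-line comment would also help: `# Deploy token accepted by valid_for_dependency_proxy? and granted access to this group`.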
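Review bot: The new `hidden & ~admin` rule prevents only `:read_issue`, while the rule block that ends just above it (its start lies outside the hunk) prevents `:read_issue_iid` as well; unless a rule elsewhere derives iid visibility from `read_issue`, a hidden issue's iid stays resolvable and a non-admin can still confirm that the issue exists. Add `prevent :read_issue_iid` next to `prevent :read_issue`, and give the rule a why-comment such as `# Hidden issues are readable by admins only`. Whether `admin` here respects admin mode cannot be told from the hunk; that should be checked against BasePolicy before relying on `~admin` as the sole exemption.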
diff --git a/app/policies/packages/dependency_link_policy.rb b/app/policies/packages/dependency_link_policy.rb
new file mode 100644
index 00000000000..c4425108062
--- /dev/null
+++ b/app/policies/packages/dependency_link_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class DependencyLinkPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+end
diff --git a/app/policies/packages/nuget/dependency_link_metadatum_policy.rb b/app/policies/packages/nuget/dependency_link_metadatum_policy.rb
new file mode 100644
index 00000000000..18bcc1f6585
--- /dev/null
+++ b/app/policies/packages/nuget/dependency_link_metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Nuget
+ class DependencyLinkMetadatumPolicy < BasePolicy
+ delegate { @subject.dependency_link.package }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6f5bbf8c021..54b11ea6041 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -159,10 +159,6 @@ class ProjectPolicy < BasePolicy
 ::Feature.enabled?(:build_service_proxy, @subject)
 end
- condition(:respect_protected_tag_for_release_permissions) do
- ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject, default_enabled: :yaml)
- end
-
 condition(:user_defined_variables_allowed) do
 !@subject.restrict_user_defined_variables?
 end
@@ -341,7 +337,7 @@ class ProjectPolicy < BasePolicy
 enable :read_metrics_user_starred_dashboard
 end
- rule { packages_disabled | repository_disabled }.policy do
+ rule { packages_disabled }.policy do
 prevent(*create_read_update_admin_destroy(:package))
 end
@@ -375,6 +371,7 @@ class ProjectPolicy < BasePolicy
 enable :update_deployment
 enable :create_release
 enable :update_release
+ enable :destroy_release
 enable :create_metrics_dashboard_annotation
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
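Review bot: Dropping `repository_disabled` from the prevent rule means package read/create/update/destroy on a project whose repository feature is off is now governed only by `packages_disabled` plus the general visibility rules (`read_package` is enabled under `can?(:public_access)` further down the file), so projects that disabled the repository but kept packages enabled gain a reachable package registry. If that decoupling is intended, record it beside the rule, e.g. `# Package permissions follow the packages feature only; the repository feature no longer gates them`, and cover a repository-disabled, packages-enabled project in the policy spec; if it is not, the old disjunction should stay. The rule block that receives `enable :destroy_release` in the last hunk begins outside the hunk.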
@@ -538,7 +535,7 @@ class ProjectPolicy < BasePolicy
 enable :read_project_for_iids
 end
- rule { ~project_allowed_for_job_token }.prevent_all
+ rule { ~public_project & ~internal_access & ~project_allowed_for_job_token }.prevent_all
 rule { can?(:public_access) }.policy do
 enable :read_package
@@ -660,10 +657,6 @@ class ProjectPolicy < BasePolicy
 rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled
- rule { respect_protected_tag_for_release_permissions & can?(:developer_access) }.policy do
- enable :destroy_release
- end
-
 rule { can?(:download_code) }.policy do
 enable :read_repository_graphs
 end
diff --git a/app/policies/release_policy.rb b/app/policies/release_policy.rb
index bff80d83bef..077e4764b34 100644
--- a/app/policies/release_policy.rb
+++ b/app/policies/release_policy.rb
@@ -9,11 +9,7 @@ class ReleasePolicy < BasePolicy
 !access.can_create_tag?(@subject.tag)
 end
- condition(:respect_protected_tag) do
- ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject.project, default_enabled: :yaml)
- end
-
- rule { respect_protected_tag & protected_tag }.policy do
+ rule { protected_tag }.policy do
 prevent :create_release
 prevent :update_release
 prevent :destroy_release
-- cgit v1.2.3
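Review bot: The reworked `prevent_all` rule exempts public and internal projects wholesale, so a job token whose project is outside the target's token scope (`~project_allowed_for_job_token`) is no longer stopped at all on those targets; every other rule in the policy then applies, i.e. whatever the token's user is otherwise granted there, including write permissions, not just the public read set. `public_project` and `internal_access` describe only the target's visibility (both are defined outside the hunk; verify that `internal_access` already excludes external users, as its name suggests). If read-only cross-project access was the intent, narrow the exemption to the read-level abilities rather than lifting `prevent_all`; either way the rule needs a comment: `# Out-of-scope job tokens are blocked only on private projects; public/internal ones fall through to the normal rules`.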