From b77fb04678a4e76d025048e9846adc2ac709414a Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 13 Apr 2020 15:09:20 +0000
Subject: Add latest changes from gitlab-org/gitlab@master
---
app/policies/concerns/crud_policy_helpers.rb | 23 +++++++++++++++++++
app/policies/group_policy.rb | 34 +++++++++++++++++++++++++++-
app/policies/issue_policy.rb | 2 +-
app/policies/project_policy.rb | 2 +-
app/policies/project_policy/class_methods.rb | 21 -----------------
5 files changed, 58 insertions(+), 24 deletions(-)
create mode 100644 app/policies/concerns/crud_policy_helpers.rb
delete mode 100644 app/policies/project_policy/class_methods.rb
(limited to 'app/policies')
diff --git a/app/policies/concerns/crud_policy_helpers.rb b/app/policies/concerns/crud_policy_helpers.rb
new file mode 100644
index 00000000000..d8521ca22cc
--- /dev/null
+++ b/app/policies/concerns/crud_policy_helpers.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module CrudPolicyHelpers
+ extend ActiveSupport::Concern
+
+ class_methods do
+ def create_read_update_admin_destroy(name)
+ [
+ :"read_#{name}",
+ *create_update_admin_destroy(name)
+ ]
+ end
+
+ def create_update_admin_destroy(name)
+ [
+ :"create_#{name}",
+ :"update_#{name}",
+ :"admin_#{name}",
+ :"destroy_#{name}"
+ ]
+ end
+ end
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 5e252c8e564..a34217d90dd 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -1,6 +1,7 @@ # frozen_string_literal: true class GroupPolicy < BasePolicy + include CrudPolicyHelpers include FindGroupProjects desc "Group is public"
@@ -42,15 +43,23 @@ class GroupPolicy < BasePolicy @subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS end + desc "Group has wiki disabled" + condition(:wiki_disabled, score: 32) { !feature_available?(:wiki) } + rule { public_group }.policy do enable :read_group enable :read_package + enable :read_wiki end - rule { logged_in_viewable }.enable :read_group + rule { logged_in_viewable }.policy do + enable :read_group + enable :read_wiki + end rule { guest }.policy do enable :read_group + enable :read_wiki enable :upload_file end
@@ -78,10 +87,12 @@ class GroupPolicy < BasePolicy enable :create_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation + enable :create_wiki end rule { reporter }.policy do enable :read_container_image + enable :download_wiki_code enable :admin_label enable :admin_list enable :admin_issue
@@ -100,6 +111,7 @@ class GroupPolicy < BasePolicy enable :destroy_deploy_token enable :read_deploy_token enable :create_deploy_token + enable :admin_wiki end rule { owner }.policy do
@@ -145,6 +157,11 @@ class GroupPolicy < BasePolicy rule { maintainer & can?(:create_projects) }.enable :transfer_projects + rule { wiki_disabled }.policy do + prevent(*create_read_update_admin_destroy(:wiki)) + prevent(:download_wiki_code) + end + def access_level return GroupMember::NO_ACCESS if @user.nil?
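Review bot: The `desc "Group has wiki disabled"` on the new `wiki_disabled` condition at the top of the `@@ -42,15 +43,23 @@` hunk describes less than the condition checks: it negates `feature_available?(:wiki)`, which in the `@@ -154,6 +171,21 @@` hunk is also false for a `ProjectFeature::PRIVATE` wiki when the user is neither admin nor at the required access level. Because this per-user condition is what keeps the `read_wiki` grants added here for `public_group`, `logged_in_viewable` and `guest` from applying, I would word it as `desc "Group wiki is disabled or not accessible to the current user"`. `score: 32` has no explanation either; a one-line comment on why that cost was chosen would help the next reader. The enclosing `GroupPolicy` class starts and ends outside the hunk.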
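Review bot: The `rule { wiki_disabled }` block in the `@@ -145,6 +157,11 @@` hunk is a hand-maintained deny list, and nothing ties it to the wiki abilities enabled elsewhere in this class. A wiki ability added later here or in the prepended `EE::GroupPolicy` without a matching `prevent` would stay granted on a group whose wiki is disabled or private, which matters most now that `read_wiki` is enabled for `public_group`. I would add a comment above the rule, `# Every wiki ability enabled in this policy (including EE) must be listed here, otherwise it stays enabled when the wiki is unavailable.`, and, if the specs outside this view do not already do so, assert that each wiki ability is disallowed when the wiki is disabled. The class body continues outside the hunk.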
@@ -154,6 +171,21 @@ class GroupPolicy < BasePolicy def lookup_access_level! @subject.max_member_access_for_user(@user) end + + # TODO: Extract this into a helper shared with ProjectPolicy, once we implement group-level features. + # https://gitlab.com/gitlab-org/gitlab/-/issues/208412 + def feature_available?(feature) + return false unless feature == :wiki + + case @subject.wiki_access_level + when ProjectFeature::DISABLED + false + when ProjectFeature::PRIVATE + admin? || access_level >= ProjectFeature.required_minimum_access_level(feature) + else + true + end + end end GroupPolicy.prepend_if_ee('EE::GroupPolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index f86892227df..20df823c737 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -5,7 +5,7 @@ class IssuePolicy < IssuablePolicy # Make sure to sync this class checks with issue.rb to avoid security problems. # Check commit 002ad215818450d2cbbc5fa065850a953dc7ada8 for more information. - extend ProjectPolicy::ClassMethods + include CrudPolicyHelpers desc "User can read confidential issues" condition(:can_read_confidential) do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 0f5e4ac378e..7454343a357 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -1,7 +1,7 @@ # frozen_string_literal: true class ProjectPolicy < BasePolicy - extend ClassMethods + include CrudPolicyHelpers READONLY_FEATURES_WHEN_ARCHIVED = %i[ issue
diff --git a/app/policies/project_policy/class_methods.rb b/app/policies/project_policy/class_methods.rb
deleted file mode 100644
index 42d993406a9..00000000000
--- a/app/policies/project_policy/class_methods.rb
+++ /dev/null
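Review bot: `feature_available?` in the `@@ -154,6 +171,21 @@` hunk fails open: its `else` branch returns `true` for every `wiki_access_level` that is not `DISABLED` or `PRIVATE`, which would include `nil` or an unexpected value if the attribute can hold one (not visible here). For an authorization check it is safer to name the enabled level and deny the rest, for example `when ProjectFeature::ENABLED then true` followed by `else false`, adding any other level that is valid for wikis. The early `return false unless feature == :wiki` already fails closed for other features, so this would make both paths consistent. The method is complete within the hunk; the enclosing class begins outside it.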
@@ -1,21 +0,0 @@
-# frozen_string_literal: true
-
-class ProjectPolicy
- module ClassMethods
- def create_read_update_admin_destroy(name)
- [
- :"read_#{name}",
- *create_update_admin_destroy(name)
- ]
- end
-
- def create_update_admin_destroy(name)
- [
- :"create_#{name}",
- :"update_#{name}",
- :"admin_#{name}",
- :"destroy_#{name}"
- ]
- end
- end
-end
-- cgit v1.2.3