From d9ab72d6080f594d0b3cae15f14b3ef2c6c638cb Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Wed, 20 Oct 2021 08:43:02 +0000
Subject: Add latest changes from gitlab-org/gitlab@14-4-stable-ee
---
 app/policies/ci/resource_group_policy.rb | 7 ++++++
 app/policies/clusters/agent_policy.rb | 9 +++++++
 app/policies/clusters/agent_token_policy.rb | 9 +++++++
 app/policies/group_policy.rb | 5 ++--
 app/policies/list_policy.rb | 5 ++++
 app/policies/namespace_policy.rb | 29 +++++-----------------
 .../namespaces/project_namespace_policy.rb | 9 +++++++
 app/policies/namespaces/user_namespace_policy.rb | 28 +++++++++++++++++++++
 app/policies/project_policy.rb | 3 +++
 9 files changed, 79 insertions(+), 25 deletions(-)
 create mode 100644 app/policies/ci/resource_group_policy.rb
 create mode 100644 app/policies/clusters/agent_policy.rb
 create mode 100644 app/policies/clusters/agent_token_policy.rb
 create mode 100644 app/policies/list_policy.rb
 create mode 100644 app/policies/namespaces/project_namespace_policy.rb
 create mode 100644 app/policies/namespaces/user_namespace_policy.rb
(limited to 'app/policies')
diff --git a/app/policies/ci/resource_group_policy.rb b/app/policies/ci/resource_group_policy.rb
new file mode 100644
index 00000000000..ef384265b11
--- /dev/null
+++ b/app/policies/ci/resource_group_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class ResourceGroupPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/clusters/agent_policy.rb b/app/policies/clusters/agent_policy.rb
new file mode 100644
index 00000000000..25e78c84802
--- /dev/null
+++ b/app/policies/clusters/agent_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Clusters
+ class AgentPolicy < BasePolicy
+ alias_method :cluster_agent, :subject
+
+ delegate { cluster_agent.project }
+ end
+end
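Review bot: `Ci::ResourceGroupPolicy` consists solely of `delegate { @subject.project }`, so every ability the caller holds on the project — not only the `read_resource_group`/`update_resource_group` pair this patch adds to ProjectPolicy — becomes an ability on the resource group, and the class says nothing about that. A one-line comment such as `# No abilities of its own: everything is inherited from the owning project (see ProjectPolicy).` would make the inheritance explicit for whoever later adds a resource-group-specific rule. The same applies to `Clusters::AgentPolicy` in the next hunk, which delegates to `cluster_agent.project`. Neither block guards against the delegation target being nil; whether `project` can be absent for either subject is not visible here and is worth confirming against the models.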
diff --git a/app/policies/clusters/agent_token_policy.rb b/app/policies/clusters/agent_token_policy.rb
new file mode 100644
index 00000000000..e876ecfac26
--- /dev/null
+++ b/app/policies/clusters/agent_token_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Clusters
+ class AgentTokenPolicy < BasePolicy
+ alias_method :token, :subject
+
+ delegate { token.agent }
+ end
+end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7abffd2c352..64395f69c42 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -134,6 +134,8 @@ class GroupPolicy < BasePolicy
 enable :create_package
 enable :create_package_settings
 enable :developer_access
+ enable :admin_organization
+ enable :admin_contact
 end
 
 rule { reporter }.policy do
@@ -147,7 +149,6 @@ class GroupPolicy < BasePolicy
 enable :read_prometheus
 enable :read_package
 enable :read_package_settings
- enable :admin_organization
 end
 
 rule { maintainer }.policy do
@@ -162,7 +163,6 @@ class GroupPolicy < BasePolicy
 enable :admin_cluster
 enable :read_deploy_token
 enable :create_jira_connect_subscription
- enable :update_runners_registration_token
 enable :maintainer_access
 end
 
@@ -179,6 +179,7 @@ class GroupPolicy < BasePolicy
 enable :update_default_branch_protection
 enable :create_deploy_token
 enable :destroy_deploy_token
+ enable :update_runners_registration_token
 enable :owner_access
 end
 
diff --git a/app/policies/list_policy.rb b/app/policies/list_policy.rb
new file mode 100644
index 00000000000..97845746546
--- /dev/null
+++ b/app/policies/list_policy.rb
@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+class ListPolicy < BasePolicy # rubocop:disable Gitlab/NamespacedClass
+ delegate { @subject.board.resource_parent }
+end
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index dcbeda9f5d3..0cf1bcb9737 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
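Review bot: `Clusters::AgentTokenPolicy` delegates to `token.agent`, whose own policy (previous hunk) delegates to the project, so an agent token ends up with exactly the project's ability set and nothing token-specific, and no comment records this two-hop chain. Because access to a token is here decided entirely by project-level abilities rather than a dedicated rule, that should be written down next to the delegate: `# Two-hop delegation: token -> agent -> project. Any ability granted on the project is granted on the token.`. Whether `token.agent` can be nil is not visible in this patch and is worth confirming before relying on the delegation.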
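Review bot: `update_runners_registration_token` moves out of the block that ends with `enable :maintainer_access` (hunk @@ -162) into the block that ends with `enable :owner_access` (hunk @@ -179), but the `rule { … }` line of each block lies outside its hunk, and the ProjectPolicy hunk at @@ -436 in this same patch still lists `enable :update_runners_registration_token` as unchanged context beside `destroy_freeze_period` and `admin_feature_flags_client`. If that project block is the maintainer rule, group and project now require different roles to rotate a registration token; a comment on the new owner-level line, e.g. `# Rotating the group registration token is owner-only; the project-level token is governed by ProjectPolicy.`, would record that this divergence is intended. Likewise `admin_organization` moves from the block under `rule { reporter }` to the one that ends with `enable :developer_access`, and `admin_contact` is added beside it, without a note on which feature these two abilities gate.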
@@ -1,26 +1,9 @@
 # frozen_string_literal: true
 
-class NamespacePolicy < BasePolicy
- rule { anonymous }.prevent_all
-
- condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
- condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
- condition(:owner) { @subject.owner == @user }
-
- rule { owner | admin }.policy do
- enable :owner_access
- enable :create_projects
- enable :admin_namespace
- enable :read_namespace
- enable :read_statistics
- enable :create_jira_connect_subscription
- enable :create_package_settings
- enable :read_package_settings
- end
-
- rule { personal_project & ~can_create_personal_project }.prevent :create_projects
-
- rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
+class NamespacePolicy < ::Namespaces::UserNamespacePolicy
+ # NamespacePolicy has been traditionally for user namespaces.
+ # So these policies have been moved into Namespaces::UserNamespacePolicy.
+ # Once the user namespace conversion is complete, we can look at
+ # either removing this file or locating common namespace policy items
+ # here.
 end
-
-NamespacePolicy.prepend_mod_with('NamespacePolicy')
diff --git a/app/policies/namespaces/project_namespace_policy.rb b/app/policies/namespaces/project_namespace_policy.rb
new file mode 100644
index 00000000000..bc08a7a45ed
--- /dev/null
+++ b/app/policies/namespaces/project_namespace_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Namespaces
+ class ProjectNamespacePolicy < BasePolicy
+ # For now users are not granted any permissions on project namespace
+ # as it's completely hidden to them. When we start using project
+ # namespaces in queries, we will have to extend this policy.
+ end
+end
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
new file mode 100644
index 00000000000..f8b285e5312
--- /dev/null
+++ b/app/policies/namespaces/user_namespace_policy.rb
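Review bot: Removing `NamespacePolicy.prepend_mod_with('NamespacePolicy')` means any EE module that extended `NamespacePolicy` is no longer prepended, and the replacement `prepend_mod_with('Namespaces::UserNamespacePolicy')` in the next file only picks up a module of that new name; since this patch is limited to `app/policies`, whether the EE counterpart was renamed to match is not visible here and should be confirmed, because a missed rename would silently drop EE-only rules (grants or prevents) for user namespaces. The new `NamespacePolicy` body explains the move but does not say that a subject of the base `Namespace` class now receives the user-namespace rules through inheritance; one sentence to that effect in the existing comment would help. `Namespaces::ProjectNamespacePolicy` in the following hunk enables nothing, which — provided BasePolicy itself enables nothing — denies every ability on project namespaces by default; that deny-by-default intent is worth stating in its comment, e.g. `# Deny-by-default: no rule here enables any ability.`.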
@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Namespaces
+ class UserNamespacePolicy < BasePolicy
+ rule { anonymous }.prevent_all
+
+ condition(:personal_project, scope: :subject) { @subject.kind == 'user' }
+ condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
+ condition(:owner) { @subject.owner == @user }
+
+ rule { owner | admin }.policy do
+ enable :owner_access
+ enable :create_projects
+ enable :admin_namespace
+ enable :read_namespace
+ enable :read_statistics
+ enable :create_jira_connect_subscription
+ enable :create_package_settings
+ enable :read_package_settings
+ end
+
+ rule { personal_project & ~can_create_personal_project }.prevent :create_projects
+
+ rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
+ end
+end
+
+Namespaces::UserNamespacePolicy.prepend_mod_with('Namespaces::UserNamespacePolicy')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 54b11ea6041..59aa47beff9 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -357,6 +357,8 @@ class ProjectPolicy < BasePolicy
 enable :update_commit_status
 enable :create_build
 enable :update_build
+ enable :read_resource_group
+ enable :update_resource_group
 enable :create_merge_request_from
 enable :create_wiki
 enable :push_code
@@ -436,6 +438,7 @@ class ProjectPolicy < BasePolicy
 enable :destroy_freeze_period
 enable :admin_feature_flags_client
 enable :update_runners_registration_token
+ enable :manage_project_google_cloud
 end
 
 rule { public_project & metrics_dashboard_allowed }.policy do
-- 
cgit v1.2.3
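Review bot: The condition at `condition(:personal_project, scope: :subject) { @subject.kind == 'user' }` tests whether the namespace itself is a personal (user) namespace, not anything about a project, so `rule { personal_project & ~can_create_personal_project }.prevent :create_projects` reads as if it concerned an existing project. Since the class is new, this is the moment to rename it: `condition(:personal_namespace, scope: :subject) { @subject.kind == 'user' }` and `rule { personal_namespace & ~can_create_personal_project }.prevent :create_projects`. A short class comment stating that this policy applies to `kind == 'user'` namespaces and that `NamespacePolicy` now subclasses it would also help a reader who lands here from the old file.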
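Review bot: `read_resource_group` and `update_resource_group` are added beside `update_build` in a block whose `rule { … }` line is outside the hunk, and nothing records that these abilities are also reached through `Ci::ResourceGroupPolicy`'s delegation to the project (added earlier in this patch). A comment on the pair, `# Also resolved for Ci::ResourceGroup subjects via Ci::ResourceGroupPolicy's delegate.`, would keep both entry points in view for anyone tightening them later. `manage_project_google_cloud` in hunk @@ -436 is likewise added with no indication of what it gates; a one-line comment naming the feature would help, and that block's rule line is also outside the hunk.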