From e8d2c2579383897a1dd7f9debd359abe8ae8373d Mon Sep 17 00:00:00 2001 From: GitLab Bot Date: Tue, 20 Jul 2021 09:55:51 +0000 Subject: Add latest changes from gitlab-org/gitlab@14-1-stable-ee --- app/policies/group_policy.rb | 1 + app/policies/project_policy.rb | 24 ++++++++++++++++++------ app/policies/release_policy.rb | 16 ++++++++++++++++ app/policies/releases/link_policy.rb | 2 +- 4 files changed, 36 insertions(+), 7 deletions(-) (limited to 'app/policies') diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index ba06b98e906..0b0edc7c452 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -156,6 +156,7 @@ class GroupPolicy < BasePolicy enable :set_note_created_at enable :set_emails_disabled enable :change_prevent_sharing_groups_outside_hierarchy + enable :change_new_user_signups_cap enable :update_default_branch_protection enable :create_deploy_token enable :destroy_deploy_token diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 3cb4644a60d..85547834a2e 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -51,11 +51,12 @@ class ProjectPolicy < BasePolicy desc "Container registry is disabled" condition(:container_registry_disabled, scope: :subject) do - if ::Feature.enabled?(:read_container_registry_access_level, @subject&.namespace, default_enabled: :yaml) - !access_allowed_to?(:container_registry) - else - !project.container_registry_enabled - end + !access_allowed_to?(:container_registry) + end + + desc "Container registry is enabled for everyone with access to the project" + condition(:container_registry_enabled_for_everyone_with_access, scope: :subject) do + project.container_registry_access_level == ProjectFeature::ENABLED end desc "Project has an external wiki" 
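Review bot: In app/policies/project_policy.rb (hunk at -51), `container_registry_disabled` keeps `scope: :subject` while its body is now only `!access_allowed_to?(:container_registry)`. That helper is defined outside the hunk; if it consults the current user, for example to resolve a members-only access level, a result computed for one user would be cached per project and could be reused for another user evaluated in the same request. Confirm the helper is user-independent, or declare the condition without the subject scope: `condition(:container_registry_disabled) do`. The new `container_registry_enabled_for_everyone_with_access` reads only `project.container_registry_access_level`, so `scope: :subject` fits there.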
@@ -158,6 +159,10 @@ class ProjectPolicy < BasePolicy ::Feature.enabled?(:build_service_proxy, @subject) end + condition(:respect_protected_tag_for_release_permissions) do + ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject, default_enabled: :yaml) + end + condition(:user_defined_variables_allowed) do !@subject.restrict_user_defined_variables? end @@ -297,10 +302,13 @@ class ProjectPolicy < BasePolicy enable :guest_access enable :build_download_code - enable :build_read_container_image enable :request_access end + rule { container_registry_enabled_for_everyone_with_access & can?(:public_user_access) }.policy do + enable :build_read_container_image + end + rule { (can?(:public_user_access) | can?(:reporter_access)) & forking_allowed }.policy do enable :fork_project end @@ -649,6 +657,10 @@ class ProjectPolicy < BasePolicy rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled + rule { respect_protected_tag_for_release_permissions & can?(:developer_access) }.policy do + enable :destroy_release + end + rule { can?(:download_code) }.policy do enable :read_repository_graphs end diff --git a/app/policies/release_policy.rb b/app/policies/release_policy.rb index d7f9e5d7445..bff80d83bef 100644 --- a/app/policies/release_policy.rb +++ b/app/policies/release_policy.rb @@ -2,4 +2,20 @@ class ReleasePolicy < BasePolicy delegate { @subject.project } + + condition(:protected_tag) do + access = ::Gitlab::UserAccess.new(@user, container: @subject.project) + + !access.can_create_tag?(@subject.tag) + end + + condition(:respect_protected_tag) do + ::Feature.enabled?(:evalute_protected_tag_for_release_permissions, @subject.project, default_enabled: :yaml) + end + + rule { respect_protected_tag & protected_tag }.policy do + prevent :create_release + prevent :update_release + prevent :destroy_release + end end diff --git a/app/policies/releases/link_policy.rb b/app/policies/releases/link_policy.rb index 4a662fafb2f..67a94733c7d 100644 
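Review bot: The feature flag name in `respect_protected_tag_for_release_permissions` (project_policy.rb, hunk at -158) is spelled `:evalute_protected_tag_for_release_permissions`, and the same spelling is repeated in `respect_protected_tag` in release_policy.rb. The two uses agree, so the check works, but this flag decides whether protected-tag rules are enforced on releases, and toggling the correctly spelled name would silently change nothing. If the flag definition (not on this page) can still be renamed, use `:evaluate_protected_tag_for_release_permissions` in both files; otherwise add a comment such as `# NOTE: flag name is spelled "evalute" in its definition`. The condition also has no `desc`, unlike the registry conditions earlier in the file.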
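Review bot: With `enable :build_read_container_image` moved into the rule `container_registry_enabled_for_everyone_with_access & can?(:public_user_access)` (project_policy.rb, hunk at -297), this rule grants the ability only when the registry access level equals `ProjectFeature::ENABLED`. Whether project members still receive it from another rule when the registry is restricted to members is not visible here, so the effect on image reads by members' builds should be confirmed with a spec for each access level. A comment above the rule would record the intent: `# Builds may read images via public access only when the registry is open to everyone who can access the project.`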
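Review bot: The rule `respect_protected_tag_for_release_permissions & can?(:developer_access)` (project_policy.rb, hunk at -649) grants `destroy_release` to every developer once the flag is on, while the matching restriction exists only in ReleasePolicy. An authorization check made against the project instead of a release object, such as `can?(user, :destroy_release, project)`, would therefore pass for a developer even when the release's tag is protected. Callers that authorize deletion need to evaluate the ability on the release itself, and the call sites are not on this page to confirm that. A comment on the rule would make the dependency explicit: `# Protected-tag restrictions are applied in ReleasePolicy; authorize against the release, not the project.`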
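Review bot: `condition(:protected_tag)` in release_policy.rb is named like a property of the tag, but it evaluates `!access.can_create_tag?(@subject.tag)`, that is, whether this particular user is unable to create the tag. Because `prevent` overrides every `enable`, the outcome for an anonymous (`nil`) user and for administrators depends entirely on how `Gitlab::UserAccess` answers, which is outside this hunk. A `desc` and a more precise name would make the rule easier to audit, for example `desc "User is not allowed to create the tag this release points to"`. Specs that pin the anonymous and administrator cases would be worth adding alongside.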
--- a/app/policies/releases/link_policy.rb +++ b/app/policies/releases/link_policy.rb @@ -2,6 +2,6 @@ module Releases class LinkPolicy < BasePolicy - delegate { @subject.release.project } + delegate { @subject.release } end end -- cgit v1.2.3
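Review bot: The reason for delegating to `@subject.release` instead of `@subject.release.project` is not stated, and the new line reads like a simplification that a later cleanup could revert. Presumably the point is to route link permissions through ReleasePolicy, so that the protected-tag `prevent` rules added in release_policy.rb also cover release links. A comment above the delegate would pin that: `# Delegate to the release so ReleasePolicy's protected-tag prevents also apply to links.`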