1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
|
# frozen_string_literal: true
class GlobalPolicy < BasePolicy
desc "User is an internal user"
with_options scope: :user, score: 0
condition(:internal) { @user&.internal? }
desc "User's access has been locked"
with_options scope: :user, score: 0
condition(:access_locked) { @user&.access_locked? }
condition(:can_create_fork, scope: :user) { @user && @user.forkable_namespaces.any? { |namespace| @user.can?(:create_projects, namespace) } }
condition(:required_terms_not_accepted, scope: :user, score: 0) do
@user&.required_terms_not_accepted?
end
condition(:password_expired, scope: :user) do
@user&.password_expired_if_applicable?
end
condition(:project_bot, scope: :user) { @user&.project_bot? }
condition(:migration_bot, scope: :user) { @user&.migration_bot? }
condition(:create_runner_workflow_enabled, scope: :user) do
Feature.enabled?(:create_runner_workflow_for_admin, @user)
end
condition(:service_account, scope: :user) { @user&.service_account? }
rule { anonymous }.policy do
prevent :log_in
prevent :receive_notifications
prevent :use_quick_actions
prevent :create_group
prevent :execute_graphql_mutation
end
rule { default }.policy do
enable :log_in
enable :access_api
enable :access_git
enable :receive_notifications
enable :use_quick_actions
enable :use_slash_commands
enable :execute_graphql_mutation
end
rule { inactive }.policy do
prevent :log_in
prevent :access_api
prevent :access_git
prevent :use_slash_commands
end
rule { blocked | internal }.policy do
prevent :log_in
prevent :access_api
prevent :receive_notifications
prevent :use_slash_commands
end
rule { ~can?(:access_api) }.prevent :execute_graphql_mutation
rule { blocked | (internal & ~migration_bot & ~security_bot & ~security_policy_bot) }.policy do
prevent :access_git
end
rule { security_policy_bot }.policy do
enable :access_git
end
rule { project_bot | service_account }.policy do
prevent :log_in
prevent :receive_notifications
end
rule { deactivated }.policy do
prevent :access_git
prevent :access_api
prevent :receive_notifications
prevent :use_slash_commands
end
rule { required_terms_not_accepted }.policy do
prevent :access_api
prevent :access_git
end
rule { password_expired }.policy do
prevent :access_api
prevent :access_git
prevent :use_slash_commands
end
rule { can_create_group }.policy do
enable :create_group
end
rule { can?(:create_group) }.policy do
enable :create_group_with_default_branch_protection
end
rule { can_create_fork }.policy do
enable :create_fork
end
rule { access_locked }.policy do
prevent :log_in
prevent :use_slash_commands
end
rule { ~(anonymous & restricted_public_level) }.policy do
enable :read_users_list
end
rule { ~anonymous }.policy do
enable :read_instance_metadata
enable :create_snippet
end
rule { admin }.policy do
enable :read_custom_attribute
enable :update_custom_attribute
enable :approve_user
enable :reject_user
enable :read_usage_trends_measurement
enable :create_instance_runner
end
rule { ~create_runner_workflow_enabled }.policy do
prevent :create_instance_runner
end
# We can't use `read_statistics` because the user may have different permissions for different projects
rule { admin }.enable :use_project_statistics_filters
rule { external_user }.prevent :create_snippet
end
GlobalPolicy.prepend_mod_with('GlobalPolicy')
|
