authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 15:44:42 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 15:44:42 +0000
commit4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree5423a1c7516cffe36384133ade12572cf709398d /app/policies/ci
parente570267f2f6b326480d284e0164a6464ba4081bc (diff)
downloadgitlab-ce-4555e1b21c365ed8303ffb7a3325d773c9b8bf31.tar.gz
Add latest changes from gitlab-org/gitlab@13-12-stable-ee v13.12.0-rc42
Diffstat (limited to 'app/policies/ci')
-rw-r--r--app/policies/ci/build_policy.rb9
-rw-r--r--app/policies/ci/stage_policy.rb7
2 files changed, 13 insertions, 3 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 65f2a70672b..6162a31c118 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -21,7 +21,7 @@ module Ci
end
# overridden in EE
- condition(:protected_environment_access) do
+ condition(:protected_environment) do
false
end
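Review bot: The `# overridden in EE` comment above `condition(:protected_environment)` no longer says enough, because the rename flips the condition's polarity: the old name read as "the user has access" and the new one reads as "the environment is protected", while the default stays `false`. An override still written against the old `protected_environment_access` name would presumably stop taking effect without any error, and the override is not visible in this diff, so that is worth confirming. If the intended meaning is "protected from the current user", I would extend the comment to `# Overridden in EE. True when the build's environment is protected from the current user; the default (false) adds no restriction.` The enclosing class body starts and ends outside the hunk.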
@@ -68,7 +68,10 @@ module Ci
rule { project_read_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
- rule { ~protected_environment_access & (protected_ref | archived) }.policy do
+ # Authorizing the user to access to protected entities.
+ # There is a "jailbreak" mode to exceptionally bypass the authorization,
+ # however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
+ rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
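Review bot: The new guard `~can?(:jailbreak)` on the prevent rule relies on an ability that no visible line enables or scopes, so a reader of this file cannot tell who is able to lift the restrictions on archived builds, protected refs and protected environments all at once. The added comment says it should never be allowed but not where it is granted; naming the granting policy would make the bypass auditable, e.g. `# :jailbreak is enabled only in <policy that grants it>; without it this rule always applies.` A spec asserting that `:update_build`, `:update_commit_status` and `:erase_build` stay prevented for a user who lacks the ability would pin the fail-closed default. The comment's first line also reads better as `# Authorize the user to access protected entities.` The `policy do` block continues past the end of the hunk.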
@@ -108,4 +111,4 @@ module Ci
end
end
-Ci::BuildPolicy.prepend_if_ee('EE::Ci::BuildPolicy')
+Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy')
diff --git a/app/policies/ci/stage_policy.rb b/app/policies/ci/stage_policy.rb
new file mode 100644
index 00000000000..1e774df9f58
--- /dev/null
+++ b/app/policies/ci/stage_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class StagePolicy < BasePolicy
+ delegate :pipeline
+ end
+end
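Review bot: `Ci::StagePolicy` has no comment saying that it defines no rules of its own and that every ability on a stage is answered by the pipeline's policy through `delegate :pipeline`. Any later change to the pipeline policy then changes what is allowed on stages as well, so I would add above the class `# Stages carry no permissions of their own; all abilities are delegated to the stage's pipeline.` It is also worth confirming that the subject always has a pipeline, since the hunk shows no handling for a missing one.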