diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-20 09:16:11 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-01-20 09:16:11 +0000 |
commit | edaa33dee2ff2f7ea3fac488d41558eb5f86d68c (patch) | |
tree | 11f143effbfeba52329fb7afbd05e6e2a3790241 /app/policies/group_policy.rb | |
parent | d8a5691316400a0f7ec4f83832698f1988eb27c1 (diff) | |
download | gitlab-ce-edaa33dee2ff2f7ea3fac488d41558eb5f86d68c.tar.gz |
Add latest changes from gitlab-org/gitlab@14-7-stable-eev14.7.0-rc42
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 24 |
1 files changed, 16 insertions, 8 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index 5c4990ffd9b..fee47fe0ae9 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -23,6 +23,9 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? } condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } + desc "User is a project bot" + condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST } + condition(:has_projects) do group_projects_for(user: @user, group: @subject).any? end @@ -75,7 +78,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? } - condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) } + condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? } with_scope :subject condition(:group_runner_registration_allowed, score: 0, scope: :subject) do @@ -120,8 +123,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_member enable :read_custom_emoji enable :read_counts - enable :read_crm_organization - enable :read_crm_contact end rule { ~public_group & ~has_access }.prevent :read_counts @@ -156,13 +157,14 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_prometheus enable :read_package enable :read_package_settings + enable :read_crm_organization + enable :read_crm_contact end rule { maintainer }.policy do enable :destroy_package enable :create_projects enable :admin_pipeline - enable :admin_group_runners enable :admin_build enable :read_cluster enable :add_cluster @@ -180,6 +182,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :admin_group_member enable :change_visibility_level + enable :read_group_runners + enable :admin_group_runners + enable :register_group_runners + enable :set_note_created_at enable :set_emails_disabled enable :change_prevent_sharing_groups_outside_hierarchy @@ -205,10 +211,6 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_nested_project_resources end - rule { can?(:admin_group_runners) }.policy do - enable :register_group_runners - end - rule { owner }.enable :create_subgroup rule { maintainer & maintainer_can_create_group }.enable :create_subgroup @@ -250,6 +252,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :admin_dependency_proxy end + rule { project_bot }.enable :project_bot_access + rule { can?(:admin_group) & resource_access_token_feature_available }.policy do enable :read_resource_access_tokens enable :destroy_resource_access_tokens @@ -260,6 +264,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :create_resource_access_tokens end + rule { can?(:project_bot_access) }.policy do + prevent :create_resource_access_tokens + end + rule { support_bot & has_project_with_service_desk_enabled }.policy do enable :read_label end |