author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 10:34:06 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-02-18 10:34:06 +0000 |
commit | 859a6fb938bb9ee2a317c46dfa4fcc1af49608f0 (patch) | |
tree | d7f2700abe6b4ffcb2dcfc80631b2d87d0609239 /app/policies/project_policy.rb | |
parent | 446d496a6d000c73a304be52587cd9bbc7493136 (diff) | |
download | gitlab-ce-859a6fb938bb9ee2a317c46dfa4fcc1af49608f0.tar.gz |
Add latest changes from gitlab-org/gitlab@13-9-stable-eev13.9.0-rc42
Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 6135523a2f8..aaf985d6c63 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -30,6 +30,9 @@ class ProjectPolicy < BasePolicy
 desc "User has maintainer access"
 condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
 
+ desc "User is a project bot"
+ condition(:project_bot) { user.project_bot? && team_member? }
+
 desc "Project is public"
 condition(:public_project, scope: :subject, score: 0) { project.public? }
 
@@ -79,7 +82,7 @@ class ProjectPolicy < BasePolicy
 
 with_scope :subject
 condition(:metrics_dashboard_allowed) do
- feature_available?(:metrics_dashboard)
+ access_allowed_to?(:metrics_dashboard)
 end
 
 with_scope :global
@@ -158,7 +161,7 @@ class ProjectPolicy < BasePolicy
 features.each do |f|
 # these are scored high because they are unlikely
 desc "Project has #{f} disabled"
- condition(:"#{f}_disabled", score: 32) { !feature_available?(f.to_sym) }
+ condition(:"#{f}_disabled", score: 32) { !access_allowed_to?(f.to_sym) }
 end
 
 # `:read_project` may be prevented in EE, but `:read_project_for_iids` should
@@ -583,6 +586,10 @@ class ProjectPolicy < BasePolicy
 enable :read_issue_link
 end
 
+ rule { can?(:developer_access) }.policy do
+ enable :read_security_configuration
+ end
+
 # Design abilities could also be prevented in the issue policy.
 rule { design_management_disabled }.policy do
 prevent :read_design
@@ -621,10 +628,14 @@ class ProjectPolicy < BasePolicy
 prevent :read_project
 end
 
+ rule { project_bot }.enable :project_bot_access
+
 rule { resource_access_token_available & can?(:admin_project) }.policy do
 enable :admin_resource_access_tokens
 end
 
+ rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+
 rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
 enable :set_pipeline_variables
 end
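Review bot: In the first hunk, `condition(:project_bot)` calls `user.project_bot?` before `team_member?`, with no nil guard on `user`. If this policy can be evaluated with no signed-in user (how the framework handles that is not visible in this hunk), the block would raise instead of returning false, and the condition now feeds a `prevent` rule in the `-621,10` hunk. A safe-navigation form keeps it a plain false: `condition(:project_bot) { user&.project_bot? && team_member? }`.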
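Review bot: In the `-583,6` hunk the new `:read_security_configuration` rule wraps a single `enable` in a `.policy do … end` block, while the one-ability rules added in the `-621,10` hunk use the inline form. For consistency it could read `rule { can?(:developer_access) }.enable :read_security_configuration`. A one-line comment saying why developer access is the floor for reading the security configuration would also help, since the rule sits between issue-link and design rules that are unrelated to it.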
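Review bot: In the `-621,10` hunk the new `prevent :admin_resource_access_tokens` rule has no comment stating its intent, and its coverage depends on `project_bot_access`, which is only enabled when both `user.project_bot?` and `team_member?` hold. If a bot account could reach `admin_project` without satisfying `team_member?` (whether that path exists is not visible here), the prevent would not apply to it; it is worth confirming that case cannot occur, or keying the prevent on the bot check alone. I would add `# A project bot must not manage resource access tokens, including its own.` above the rule, and a policy spec asserting that a maintainer-level project bot is denied `:admin_resource_access_tokens`.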
@@ -690,7 +701,7 @@ class ProjectPolicy < BasePolicy
 project.team.max_member_access(@user.id)
 end
 
- def feature_available?(feature)
+ def access_allowed_to?(feature)
 return false unless project.project_feature
 
 case project.project_feature.access_level(feature) |