authorGitLab Bot <gitlab-bot@gitlab.com>2021-04-20 23:50:22 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-04-20 23:50:22 +0000
commit9dc93a4519d9d5d7be48ff274127136236a3adb3 (patch)
tree70467ae3692a0e35e5ea56bcb803eb512a10bedb /app/policies/project_policy.rb
parent4b0f34b6d759d6299322b3a54453e930c6121ff0 (diff)
downloadgitlab-ce-9dc93a4519d9d5d7be48ff274127136236a3adb3.tar.gz
Add latest changes from gitlab-org/gitlab@13-11-stable-eev13.11.0-rc43
Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r--app/policies/project_policy.rb27
1 files changed, 22 insertions, 5 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index de80f2f72b8..c577c8c8471 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -108,7 +108,8 @@ class ProjectPolicy < BasePolicy
condition(:service_desk_enabled) { @subject.service_desk_enabled? }
with_scope :subject
- condition(:resource_access_token_available) { resource_access_token_available? }
+ condition(:resource_access_token_feature_available) { resource_access_token_feature_available? }
+ condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? }
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
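Review bot: The `with_scope :subject` line above now covers only `condition(:resource_access_token_feature_available)`, because, as far as I know, DeclarativePolicy applies a scope to the next condition only, leaving the new `condition(:resource_access_token_creation_allowed)` with the default scope. Its helper reads only the project's group settings, so it looks subject-scoped as well; consider adding a second `with_scope :subject` directly above it. This affects caching of the condition, not the authorization result.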
@@ -259,6 +260,7 @@ class ProjectPolicy < BasePolicy
enable :read_confidential_issues
enable :read_package
enable :read_product_analytics
+ enable :read_group_timelogs
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -631,11 +633,18 @@ class ProjectPolicy < BasePolicy
rule { project_bot }.enable :project_bot_access
- rule { resource_access_token_available & can?(:admin_project) }.policy do
- enable :admin_resource_access_tokens
+ rule { can?(:admin_project) & resource_access_token_feature_available }.policy do
+ enable :read_resource_access_tokens
+ enable :destroy_resource_access_tokens
end
- rule { can?(:project_bot_access) }.prevent :admin_resource_access_tokens
+ rule { can?(:read_resource_access_tokens) & resource_access_token_creation_allowed }.policy do
+ enable :create_resource_access_tokens
+ end
+
+ rule { can?(:project_bot_access) }.policy do
+ prevent :create_resource_access_tokens
+ end
rule { user_defined_variables_allowed | can?(:maintainer_access) }.policy do
enable :set_pipeline_variables
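Review bot: The project-bot rule now prevents only `:create_resource_access_tokens`, whereas the removed line prevented the whole `:admin_resource_access_tokens` ability, so a project bot that satisfies `can?(:admin_project)` would now receive `:read_resource_access_tokens` and `:destroy_resource_access_tokens`. If letting a bot token list and revoke other tokens is intended, say so in a comment above the rule, e.g. `# Project bots may list and revoke tokens but must never mint new ones`; if not, add `prevent :read_resource_access_tokens` and `prevent :destroy_resource_access_tokens` to the same block. Callers that still check `:admin_resource_access_tokens` are outside this hunk and would now be denied, so they need updating in the same change. A policy spec covering the bot case for each of the three abilities would pin the intent.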
@@ -719,10 +728,18 @@ class ProjectPolicy < BasePolicy
end
end
- def resource_access_token_available?
+ def resource_access_token_feature_available?
true
end
+ def resource_access_token_creation_allowed?
+ group = project.group
+
+ return true unless group # always enable for projects in personal namespaces
+
+ resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?
+ end
+
def project
@subject
end
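Review bot: In `resource_access_token_creation_allowed?` the early `return true unless group` runs before the feature check, so for a project in a personal namespace the helper answers true even where an override of `resource_access_token_feature_available?` returns false. The rule that consumes it is still gated through `can?(:read_resource_access_tokens)`, so access is not widened as written, but the helper would be safer standing alone as `return resource_access_token_feature_available? unless group`. The chain `group.root_ancestor.namespace_settings.resource_access_token_creation_allowed?` also assumes a settings record always exists; if it can be nil for some root group (not visible here), the policy check raises instead of denying. The class body continues outside the hunk.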