author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-16 18:25:58 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-06-16 18:25:58 +0000 |
commit | a5f4bba440d7f9ea47046a0a561d49adf0a1e6d4 (patch) | |
tree | fb69158581673816a8cd895f9d352dcb3c678b1e /app/policies/project_policy.rb | |
parent | d16b2e8639e99961de6ddc93909f3bb5c1445ba1 (diff) | |
Add latest changes from gitlab-org/gitlab@14-0-stable-eev14.0.0-rc42
Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1ce19511bef..e93c60c3710 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -51,7 +51,11 @@ class ProjectPolicy < BasePolicy
 desc "Container registry is disabled"
 condition(:container_registry_disabled, scope: :subject) do
- !project.container_registry_enabled
+ if ::Feature.enabled?(:read_container_registry_access_level, @subject&.namespace, default_enabled: :yaml)
+ !access_allowed_to?(:container_registry)
+ else
+ !project.container_registry_enabled
+ end
 end
 desc "Project has an external wiki"
@@ -75,6 +79,11 @@ class ProjectPolicy < BasePolicy
 user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_package_registry
 end
+ desc "If user is authenticated via CI job token then the target project should be in scope"
+ condition(:project_allowed_for_job_token) do
+ !@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
+ end
+
 with_scope :subject
 condition(:forking_allowed) do
 @subject.feature_available?(:forking, @user)
@@ -238,6 +247,7 @@ class ProjectPolicy < BasePolicy
 enable :admin_issue_board
 enable :download_code
 enable :read_statistics
+ enable :daily_statistics
 enable :download_wiki_code
 enable :create_snippet
 enable :update_issue
@@ -263,7 +273,6 @@ class ProjectPolicy < BasePolicy
 enable :read_confidential_issues
 enable :read_package
 enable :read_product_analytics
- enable :read_group_timelogs
 end
 # We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -347,7 +356,6 @@ class ProjectPolicy < BasePolicy
 enable :update_deployment
 enable :create_release
 enable :update_release
- enable :daily_statistics
 enable :create_metrics_dashboard_annotation
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
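Review bot: In the `container_registry_disabled` condition (hunk `@@ -51,7 +51,11 @@`), the new flag-on branch calls `access_allowed_to?(:container_registry)` while the condition is still declared with `scope: :subject`, which, as I understand the policy DSL, caches the result per project rather than per user and project. `access_allowed_to?` is defined outside this hunk; if it consults the current user (for example a membership check when the feature is private), one user's result could be reused for another. If so, I would drop the scope, `condition(:container_registry_disabled) do`, or add a comment stating why the result does not depend on the user. The branch also mixes a nil-guarded `@subject&.namespace` with an unguarded `project`; assuming `project` is the subject, `project.namespace` would match the rest of the block.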
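Review bot: In `project_allowed_for_job_token` (hunk `@@ -75,6 +79,11 @@`), the right-hand side calls `@user.ci_job_token_scope.includes?(project)` with no nil guard, so a job-token user whose scope was never set would raise instead of being denied. `@user&.from_ci_job_token?` also assumes every non-nil actor responds to that method; the context line just above shows `user` can be a `DeployToken`, whose interface is not visible here. A fail-closed form would be `!@user&.from_ci_job_token? || !!@user.ci_job_token_scope&.includes?(project)`. A short comment noting that a nil (anonymous) user passes this condition by design would also help.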
@@ -411,6 +419,7 @@ class ProjectPolicy < BasePolicy
 enable :update_freeze_period
 enable :destroy_freeze_period
 enable :admin_feature_flags_client
+ enable :update_runners_registration_token
 end
 rule { public_project & metrics_dashboard_allowed }.policy do
@@ -509,6 +518,8 @@ class ProjectPolicy < BasePolicy
 enable :read_project_for_iids
 end
+ rule { ~project_allowed_for_job_token }.prevent_all
+
 rule { can?(:public_access) }.policy do
 enable :read_package
 enable :read_project |
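Review bot: The new `rule { ~project_allowed_for_job_token }.prevent_all` (hunk `@@ -509,6 +518,8 @@`) has no comment, although it is a blanket deny that takes precedence over every `enable` in this policy, including the `public_access` rule that follows it. If that is the intent, I would add a comment such as `# CI job tokens are denied every ability on projects outside their token scope, including public read access.` so later editors do not weaken it by accident. The condition itself is defined in an earlier hunk, outside this one.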