author | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-20 13:49:51 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2023-02-20 13:49:51 +0000 |
commit | 71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e (patch) | |
tree | 6a2d93ef3fb2d353bb7739e4b57e6541f51cdd71 /app/policies | |
parent | a7253423e3403b8c08f8a161e5937e1488f5f407 (diff) | |
download | gitlab-ce-71786ddc8e28fbd3cb3fcc4b3ff15e5962a1c82e.tar.gz |
Add latest changes from gitlab-org/gitlab@15-9-stable-eev15.9.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/ci/runner_policy.rb | 6 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 18 | ||||
-rw-r--r-- | app/policies/issuable_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/note_policy.rb | 10 | ||||
-rw-r--r-- | app/policies/packages/policies/project_policy.rb | 17 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 20 |
7 files changed, 53 insertions, 32 deletions
diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 1c23b367489..7b01dccff87 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -9,6 +9,10 @@ module Ci @user.owns_runner?(@subject) end + condition(:creator) do @user == @subject.creator end + with_options scope: :subject, score: 0 condition(:is_instance_runner) do @subject.instance_type?
@@ -72,6 +76,8 @@ module Ci rule { ~admin & belongs_to_multiple_projects }.prevent :delete_runner rule { ~admin & locked }.prevent :assign_runner + + rule { creator }.enable :read_ephemeral_token end end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index fa7b117f3cd..d028738ccc9 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -22,6 +22,10 @@ class GlobalPolicy < BasePolicy condition(:project_bot, scope: :user) { @user&.project_bot? } condition(:migration_bot, scope: :user) { @user&.migration_bot? } + condition(:create_runner_workflow_enabled) do Feature.enabled?(:create_runner_workflow) end + rule { anonymous }.policy do prevent :log_in prevent :receive_notifications
@@ -115,6 +119,11 @@ class GlobalPolicy < BasePolicy enable :approve_user enable :reject_user enable :read_usage_trends_measurement + enable :create_instance_runners + end + + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_instance_runners end # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index b2325b7acac..6cc65248914 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
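Review bot: `@user == @subject.creator` in the new `creator` condition is also true when both sides are nil, so an evaluation with no user against a runner whose `creator` is unset satisfies the condition and, through `rule { creator }.enable :read_ephemeral_token` in the `@@ -72` hunk of this file, grants the ephemeral token unless a rule outside these hunks already prevents anonymous access in this policy. Runners registered before a creator was recorded are presumably the nil case, so this is worth closing explicitly: `@user && @user == @subject.creator`. Declaring no scope on the condition is right, since it reads both `@user` and `@subject`.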
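Review bot: `condition(:create_runner_workflow_enabled)` calls `Feature.enabled?(:create_runner_workflow)` with no actor, so its value depends on neither `@user` nor `@subject`, yet unlike the neighbouring `project_bot` and `migration_bot` conditions it declares no scope; `condition(:create_runner_workflow_enabled, scope: :global) do` lets DeclarativePolicy cache the answer once instead of per policy instance. The identical unscoped condition is added again in group_policy.rb (`@@ -83`) and project_policy.rb (`@@ -234`) in this commit, so a single definition in BasePolicy would keep the three from drifting apart. The same applies to the three `~create_runner_workflow_enabled` prevent rules that pair with it.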
@@ -76,6 +76,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:resource_access_token_feature_available) { resource_access_token_feature_available? } condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? } + condition(:resource_access_token_create_feature_available) { resource_access_token_create_feature_available? } with_scope :subject condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
@@ -83,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? } + condition(:create_runner_workflow_enabled) do Feature.enabled?(:create_runner_workflow) end + condition(:group_runner_registration_allowed, scope: :subject) do Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled? end
@@ -199,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_runners enable :admin_group_runners enable :register_group_runners + enable :create_group_runners enable :set_note_created_at enable :set_emails_disabled
@@ -277,8 +283,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :destroy_resource_access_tokens end - rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do - enable :admin_setting_to_allow_project_access_token_creation + rule { can?(:admin_group) & resource_access_token_create_feature_available }.policy do + enable :admin_setting_to_allow_resource_access_token_creation end rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do
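Review bot: The rule at `@@ -277` now gates on `resource_access_token_create_feature_available` instead of `resource_access_token_creation_allowed` and enables `admin_setting_to_allow_resource_access_token_creation` in place of `admin_setting_to_allow_project_access_token_creation`, which is a behaviour change as well as a rename, and with the diffstat limited to `app/policies` none of the `can?` call sites for the old ability are visible. A caller still asking for the old name evaluates to false rather than raising, so a stale controller or view check would fail closed silently; the rename should be grepped across the app before merge. The helper `resource_access_token_create_feature_available?` behind the new condition at `@@ -76` is likewise not defined anywhere in this diff, so a short comment naming where it lives (CE method or EE override) would help the next reader.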
@@ -307,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~admin & ~group_runner_registration_allowed }.policy do prevent :register_group_runners + prevent :create_group_runners end rule { migration_bot }.policy do
@@ -318,6 +325,13 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_observability end + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_group_runners + end + + # Should be matched with ProjectPolicy#read_internal_note + rule { admin | reporter }.enable :read_internal_note + def access_level(for_any_session: false) return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user?
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 52796ed1a1d..496708a9737 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -57,11 +57,6 @@ class IssuablePolicy < BasePolicy enable :read_issuable enable :read_issuable_participables end - - # This rule replicates permissions in NotePolicy#can_read_internal_note - rule { can?(:reporter_access) | admin }.policy do - enable :read_internal_note - end end IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index ccc095f37da..189609c2600 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -26,12 +26,6 @@ class NotePolicy < BasePolicy @subject.noteable.work_item_type.widgets.include?(::WorkItems::Widgets::Notes) end - # Should be matched with IssuablePolicy#read_internal_note - # and EpicPolicy#read_internal_note - condition(:can_read_internal_note) do - access_level >= Gitlab::Access::REPORTER || admin? - end - rule { ~notes_widget_enabled }.prevent_all rule { ~editable }.prevent :admin_note
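Review bot: `rule { admin | reporter }.enable :read_internal_note` at `@@ -318` uses the bare `reporter` condition, while the ProjectPolicy counterpart added in this same commit (`@@ -847`) uses `admin | can?(:reporter_access)`; the comment says the two should match, but nothing enforces it, and the two forms can diverge if either policy later gains another route to reporter access. Writing the group rule as `rule { admin | can?(:reporter_access) }.enable :read_internal_note`, if GroupPolicy enables that ability, keeps the pair textually identical and easier to audit. The enclosing class continues outside the hunk.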
@@ -67,11 +61,11 @@ class NotePolicy < BasePolicy enable :resolve_note end - rule { can_read_internal_note }.policy do + rule { can?(:read_internal_note) }.policy do enable :mark_note_as_internal end - rule { internal & ~can_read_internal_note }.policy do + rule { internal & ~can?(:read_internal_note) }.policy do prevent :read_note prevent :admin_note prevent :resolve_note
diff --git a/app/policies/packages/policies/project_policy.rb b/app/policies/packages/policies/project_policy.rb
index 0fb5953f2aa..35161fd95f1 100644
--- a/app/policies/packages/policies/project_policy.rb
+++ b/app/policies/packages/policies/project_policy.rb
@@ -7,25 +7,10 @@ module Packages overrides(:read_package) - condition(:package_registry_access_level_feature_flag_enabled, scope: :subject) do - ::Feature.enabled?(:package_registry_access_level, @subject) - end - condition(:packages_enabled_for_everyone, scope: :subject) do @subject.package_registry_access_level == ProjectFeature::PUBLIC end - # This rule can be removed if the `package_registry_access_level` feature flag is removed. - # Reason: If the feature flag is globally enabled, this rule will never be executed. - rule { anonymous & ~project.public_project & ~package_registry_access_level_feature_flag_enabled }.prevent_all - - # This rule can be removed if the `package_registry_access_level` feature flag is removed. - # Reason: If the feature flag is globally enabled, this rule will never be executed. - rule do - ~project.public_project & ~project.internal_access & - ~project.project_allowed_for_job_token & ~package_registry_access_level_feature_flag_enabled - end.prevent_all - rule { project.packages_disabled }.policy do prevent(:read_package) end
@@ -46,7 +31,7 @@ module Packages enable :read_package end - rule { package_registry_access_level_feature_flag_enabled & packages_enabled_for_everyone }.policy do + rule { packages_enabled_for_everyone }.policy do enable :read_package end end
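Review bot: `can?(:read_internal_note)` inside NotePolicy is answered through this policy's delegation, which is outside the hunk; for a noteable whose delegated policy never enables `read_internal_note` the ability is simply false, so `internal & ~can?(:read_internal_note)` prevents every reader and `mark_note_as_internal` is never enabled. That fails closed, which is the safe direction, but it is silent: the removed condition used to name EpicPolicy as a counterpart and EE policies are not in this diffstat, so a spec per internal-capable noteable type is what would catch a missing delegate. A one-line comment above the first rule, `# read_internal_note resolves through this policy's delegate; a noteable whose policy lacks it fails closed`, would record the dependency.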
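Review bot: With the feature-flag conjunct gone, `rule { packages_enabled_for_everyone }.policy do enable :read_package end` at `@@ -46` is now the one rule that grants package reads on a non-public project to any user, anonymous included, purely from the project's `package_registry_access_level`, and nothing in the hunk says so. A comment such as `# PUBLIC access level grants read_package regardless of project visibility; prevent rules (e.g. packages_disabled) still take precedence` makes the intent explicit, since prevent beats enable in DeclarativePolicy. The deletions at `@@ -7` remove the anonymous and non-public `prevent_all` guards that covered the flag-off path, so this rule plus the remaining prevents are now the whole story for unauthenticated reads.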
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index b85a57f81cd..875520d24be 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -121,7 +121,7 @@ class ProjectPolicy < BasePolicy desc "If user is authenticated via CI job token then the target project should be in scope" condition(:project_allowed_for_job_token) do - !@user&.from_ci_job_token? || @user.ci_job_token_scope.allows?(project) + !@user&.from_ci_job_token? || @user.ci_job_token_scope.accessible?(project) end with_scope :subject
@@ -234,6 +234,10 @@ class ProjectPolicy < BasePolicy Gitlab.config.packages.enabled end + condition(:create_runner_workflow_enabled) do Feature.enabled?(:create_runner_workflow) end + # `:read_project` may be prevented in EE, but `:read_project_for_iids` should # not. rule { guest | admin }.enable :read_project_for_iids
@@ -272,6 +276,7 @@ class ProjectPolicy < BasePolicy enable :set_warn_about_potentially_unwanted_characters enable :register_project_runners + enable :create_project_runners enable :manage_owners end
@@ -301,6 +306,8 @@ class ProjectPolicy < BasePolicy rule { can?(:reporter_access) & can?(:create_issue) }.enable :create_incident + rule { can?(:reporter_access) & can?(:read_environment) }.enable :read_freeze_period + rule { can?(:create_issue) }.enable :create_work_item rule { can?(:create_issue) }.enable :create_task
@@ -344,6 +351,7 @@ class ProjectPolicy < BasePolicy enable :read_package enable :read_product_analytics enable :read_ci_cd_analytics + enable :read_external_emails enable :read_grafana end
@@ -469,6 +477,7 @@ class ProjectPolicy < BasePolicy enable :update_escalation_status enable :read_secure_files enable :update_sentry_issue + enable :read_airflow_dags end rule { can?(:developer_access) & user_confirmed? }.policy do
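Review bot: `enable :read_external_emails` at `@@ -344` is added to a rule block whose head is outside the hunk, so the access level it grants is not visible here; if this is the ability that exposes external participants' e-mail addresses, that is personal data and the enclosing rule should be confirmed to be reporter-level or higher before merge. The siblings in the block (`read_package`, `read_ci_cd_analytics`, `read_grafana`) suggest a reporter block, but that is an inference. A trailing comment, `enable :read_external_emails # exposes external participant e-mail addresses`, would record why the ability sits at that level.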
@@ -519,6 +528,7 @@ class ProjectPolicy < BasePolicy enable :destroy_freeze_period enable :admin_feature_flags_client enable :register_project_runners + enable :create_project_runners enable :update_runners_registration_token enable :admin_project_google_cloud enable :admin_secure_files
@@ -823,6 +833,7 @@ class ProjectPolicy < BasePolicy rule { ~admin & ~project_runner_registration_allowed }.policy do prevent :register_project_runners + prevent :create_project_runners end rule { can?(:admin_project_member) }.policy do
@@ -847,6 +858,13 @@ class ProjectPolicy < BasePolicy enable :read_code end + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_project_runners + end + + # Should be matched with GroupPolicy#read_internal_note + rule { admin | can?(:reporter_access) }.enable :read_internal_note + private def user_is_user? |