authorGitLab Bot <gitlab-bot@gitlab.com>2021-06-16 18:25:58 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-06-16 18:25:58 +0000
commita5f4bba440d7f9ea47046a0a561d49adf0a1e6d4 (patch)
treefb69158581673816a8cd895f9d352dcb3c678b1e /app/policies
parentd16b2e8639e99961de6ddc93909f3bb5c1445ba1 (diff)
downloadgitlab-ce-a5f4bba440d7f9ea47046a0a561d49adf0a1e6d4.tar.gz
Add latest changes from gitlab-org/gitlab@14-0-stable-eev14.0.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/global_policy.rb1
-rw-r--r--app/policies/group_policy.rb3
-rw-r--r--app/policies/issue_policy.rb12
-rw-r--r--app/policies/merge_request_policy.rb5
-rw-r--r--app/policies/packages/pypi/metadatum_policy.rb8
-rw-r--r--app/policies/project_policy.rb17
-rw-r--r--app/policies/timelog_policy.rb2
8 files changed, 47 insertions, 5 deletions
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 08a26da6673..cbc34bdeed3 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -84,6 +84,10 @@ module PolicyActor
def password_expired?
false
end
+
+ def from_ci_job_token?
+ false
+ end
end
PolicyActor.prepend_mod_with('PolicyActor')
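Review bot: The new `from_ci_job_token?` default says nothing about who overrides it or what else an overriding actor must provide, yet `ProjectPolicy#project_allowed_for_job_token` in this same commit calls `@user.ci_job_token_scope` whenever it returns true, and PolicyActor adds no default for that method. A comment above the method would make the contract explicit: `# Default for actors that never authenticate with a CI job token. An actor that overrides this to return true must also respond to #ci_job_token_scope (see ProjectPolicy#project_allowed_for_job_token).` Which actor overrides it is not visible in this diff.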
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 73757891cd6..35d38bac7fa 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -115,6 +115,7 @@ class GlobalPolicy < BasePolicy
enable :approve_user
enable :reject_user
enable :read_usage_trends_measurement
+ enable :update_runners_registration_token
end
# We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 821fabec266..ba06b98e906 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -131,7 +131,6 @@ class GroupPolicy < BasePolicy
enable :read_prometheus
enable :read_package
enable :read_package_settings
- enable :read_group_timelogs
end
rule { maintainer }.policy do
@@ -145,6 +144,7 @@ class GroupPolicy < BasePolicy
enable :admin_cluster
enable :read_deploy_token
enable :create_jira_connect_subscription
+ enable :update_runners_registration_token
end
rule { owner }.policy do
@@ -155,6 +155,7 @@ class GroupPolicy < BasePolicy
enable :set_note_created_at
enable :set_emails_disabled
+ enable :change_prevent_sharing_groups_outside_hierarchy
enable :update_default_branch_protection
enable :create_deploy_token
enable :destroy_deploy_token
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 6eec03d6d75..e58179e320d 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,6 +15,9 @@ class IssuePolicy < IssuablePolicy
desc "Issue is confidential"
condition(:confidential, scope: :subject) { @subject.confidential? }
+ desc "Issue is persisted"
+ condition(:persisted, scope: :subject) { @subject.persisted? }
+
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
@@ -38,6 +41,15 @@ class IssuePolicy < IssuablePolicy
rule { ~anonymous & can?(:read_issue) }.policy do
enable :create_todo
+ enable :update_subscription
+ end
+
+ rule { ~persisted & can?(:guest_access) }.policy do
+ enable :set_issue_metadata
+ end
+
+ rule { persisted & can?(:admin_issue) }.policy do
+ enable :set_issue_metadata
end
end
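Review bot: The two new `set_issue_metadata` rules only grant the ability, while the confidential guard earlier in this file prevents just `create_read_update_admin_destroy(:issue)` and `read_issue_iid`; whether `:set_issue_metadata` belongs in that prevent list (and in any locked-issuable prevents outside these hunks) needs confirming, otherwise the new ability may survive on issues the actor is otherwise blocked from. The guest-level rule for unpersisted issues is also a lower bar than `admin_issue`, and the diff does not say why; a `desc` or comment on the pair would record it, e.g. `# An issue that is not yet created has no metadata to protect, so whoever may open it sets the initial metadata; once persisted, changing metadata is an admin action.` That reading is inferred from the two rules, not stated anywhere in the hunk.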
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e53a916f3ca..96002d98afe 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -20,6 +20,7 @@ class MergeRequestPolicy < IssuablePolicy
rule { ~anonymous & can?(:read_merge_request) }.policy do
enable :create_todo
+ enable :update_subscription
end
condition(:can_merge) { @subject.can_be_merged_by?(@user) }
@@ -27,6 +28,10 @@ class MergeRequestPolicy < IssuablePolicy
rule { can_merge }.policy do
enable :accept_merge_request
end
+
+ rule { can?(:admin_merge_request) }.policy do
+ enable :set_merge_request_metadata
+ end
end
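Review bot: `set_merge_request_metadata` is granted only under `can?(:admin_merge_request)`, whereas the IssuePolicy hunk in this commit also grants `set_issue_metadata` at guest level for unpersisted issues; if the asymmetry is intentional it deserves a comment on the rule, e.g. `# Unlike issues, merge request metadata is not settable at creation by non-admins.` If it is not intentional, an equivalent `~persisted` rule is missing here. As far as this diff shows, the `persisted` condition exists only in IssuePolicy.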
MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
diff --git a/app/policies/packages/pypi/metadatum_policy.rb b/app/policies/packages/pypi/metadatum_policy.rb
new file mode 100644
index 00000000000..5cdcb613f61
--- /dev/null
+++ b/app/policies/packages/pypi/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Pypi
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 1ce19511bef..e93c60c3710 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -51,7 +51,11 @@ class ProjectPolicy < BasePolicy
desc "Container registry is disabled"
condition(:container_registry_disabled, scope: :subject) do
- !project.container_registry_enabled
+ if ::Feature.enabled?(:read_container_registry_access_level, @subject&.namespace, default_enabled: :yaml)
+ !access_allowed_to?(:container_registry)
+ else
+ !project.container_registry_enabled
+ end
end
desc "Project has an external wiki"
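Review bot: `container_registry_disabled` keeps `scope: :subject` while its new feature-flag branch delegates to `access_allowed_to?(:container_registry)`; if that helper consults the current user (team access level, admin status), a subject-scoped cache would reuse one user's answer for every other user evaluating the same project. The old expression `!project.container_registry_enabled` was a pure subject attribute, which is what `scope: :subject` is for. Either confirm `access_allowed_to?` is user-independent, or drop the scope: `condition(:container_registry_disabled) do`. The helper's definition is outside this diff.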
@@ -75,6 +79,11 @@ class ProjectPolicy < BasePolicy
user.is_a?(DeployToken) && user.has_access_to?(project) && user.write_package_registry
end
+ desc "If user is authenticated via CI job token then the target project should be in scope"
+ condition(:project_allowed_for_job_token) do
+ !@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
+ end
+
with_scope :subject
condition(:forking_allowed) do
@subject.feature_available?(:forking, @user)
@@ -238,6 +247,7 @@ class ProjectPolicy < BasePolicy
enable :admin_issue_board
enable :download_code
enable :read_statistics
+ enable :daily_statistics
enable :download_wiki_code
enable :create_snippet
enable :update_issue
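Review bot: `enable :daily_statistics` moves from the rule block of the later hunk (`@@ -347,7 +356,6 @@`) into the block here that also grants `download_code` and `read_statistics`, which broadens who may read daily statistics to whatever role this earlier block represents; both `rule { … }` lines lie outside the hunks, so the roles cannot be confirmed from the diff. The commit message does not mention the broadening, so it should be stated and covered by a policy spec. A comment next to the moved line, e.g. `# daily_statistics requires only the access level that already grants read_statistics`, would record the intent.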
@@ -263,7 +273,6 @@ class ProjectPolicy < BasePolicy
enable :read_confidential_issues
enable :read_package
enable :read_product_analytics
- enable :read_group_timelogs
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -347,7 +356,6 @@ class ProjectPolicy < BasePolicy
enable :update_deployment
enable :create_release
enable :update_release
- enable :daily_statistics
enable :create_metrics_dashboard_annotation
enable :delete_metrics_dashboard_annotation
enable :update_metrics_dashboard_annotation
@@ -411,6 +419,7 @@ class ProjectPolicy < BasePolicy
enable :update_freeze_period
enable :destroy_freeze_period
enable :admin_feature_flags_client
+ enable :update_runners_registration_token
end
rule { public_project & metrics_dashboard_allowed }.policy do
@@ -509,6 +518,8 @@ class ProjectPolicy < BasePolicy
enable :read_project_for_iids
end
+ rule { ~project_allowed_for_job_token }.prevent_all
+
rule { can?(:public_access) }.policy do
enable :read_package
enable :read_project
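Review bot: `rule { ~project_allowed_for_job_token }.prevent_all` is a deny-by-default for the whole policy, which is the right shape, but placed between two `enable` blocks with no comment it reads as though its position matters. A comment such as `# A CI job token grants nothing on a project outside the token's scope; prevent_all overrides every enable in this policy regardless of rule order.` would stop the next reader from relocating it. This assumes DeclarativePolicy's prevent-wins semantics; nothing in the hunk itself states it.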
diff --git a/app/policies/timelog_policy.rb b/app/policies/timelog_policy.rb
index 0598817d4e0..f71c4204639 100644
--- a/app/policies/timelog_policy.rb
+++ b/app/policies/timelog_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
class TimelogPolicy < BasePolicy
- delegate { @subject.issuable.resource_parent }
+ delegate { @subject.issuable }
end
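Review bot: Delegating `TimelogPolicy` to `@subject.issuable` instead of `@subject.issuable.resource_parent` means a timelog's abilities now follow the issue or merge request's own rules (for example a confidentiality check) rather than the project's or group's, and the diff leaves that reasoning unstated. A comment on the delegate would document it: `# A timelog is only as visible as the issuable it belongs to; delegate to the issue/MR policy rather than to the resource parent.` Whether every timelog has a non-nil issuable is not established here.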