authorGitLab Bot <gitlab-bot@gitlab.com>2022-12-20 14:22:11 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-12-20 14:22:11 +0000
commit0c872e02b2c822e3397515ec324051ff540f0cd5 (patch)
treece2fb6ce7030e4dad0f4118d21ab6453e5938cdd /app/policies
parentf7e05a6853b12f02911494c4b3fe53d9540d74fc (diff)
downloadgitlab-ce-0c872e02b2c822e3397515ec324051ff540f0cd5.tar.gz
Add latest changes from gitlab-org/gitlab@15-7-stable-eev15.7.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb11
-rw-r--r--app/policies/ci/freeze_period_policy.rb2
-rw-r--r--app/policies/ci/pipeline_schedule_variable_policy.rb7
-rw-r--r--app/policies/commit_signatures/ssh_signature_policy.rb7
-rw-r--r--app/policies/concerns/archived_abilities.rb (renamed from app/policies/concerns/readonly_abilities.rb)16
-rw-r--r--app/policies/group_member_policy.rb2
-rw-r--r--app/policies/group_policy.rb5
-rw-r--r--app/policies/issue_policy.rb19
-rw-r--r--app/policies/merge_request_policy.rb14
-rw-r--r--app/policies/namespaces/user_namespace_policy.rb3
-rw-r--r--app/policies/note_policy.rb8
-rw-r--r--app/policies/project_member_policy.rb2
-rw-r--r--app/policies/project_policy.rb35
13 files changed, 87 insertions, 44 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index f8e7a912896..1ce866bd910 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -19,6 +19,14 @@ class BasePolicy < DeclarativePolicy::Base
with_options scope: :user, score: 0
condition(:deactivated) { @user&.deactivated? }
+ desc "User is bot"
+ with_options scope: :user, score: 0
+ condition(:bot) { @user&.bot? }
+
+ desc "User is alert bot"
+ with_options scope: :user, score: 0
+ condition(:alert_bot) { @user&.alert_bot? }
+
desc "User is support bot"
with_options scope: :user, score: 0
condition(:support_bot) { @user&.support_bot? }
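Review bot: The new `bot` condition is much broader than the `alert_bot`/`support_bot` conditions next to it, but nothing here says which kinds of user `User#bot?` covers, and this commit keys a new ability on it (`reset_merge_request_approvals` in MergeRequestPolicy). If `bot?` is also true for project/group access-token bot users, every rule written against `bot` silently extends to any such token holder. Please spell that out in the description so future rules are written deliberately, e.g. `desc "User is a bot user of any kind (see User#bot? for which accounts qualify)"`.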
@@ -50,9 +58,6 @@ class BasePolicy < DeclarativePolicy::Base
::Gitlab::ExternalAuthorization.perform_check?
end
- with_options scope: :user, score: 0
- condition(:alert_bot) { @user&.alert_bot? }
-
rule { external_authorization_enabled & ~can?(:read_all_resources) }.policy do
prevent :read_cross_project
end
diff --git a/app/policies/ci/freeze_period_policy.rb b/app/policies/ci/freeze_period_policy.rb
index 60e53a7b2f9..9e2cca5e5a2 100644
--- a/app/policies/ci/freeze_period_policy.rb
+++ b/app/policies/ci/freeze_period_policy.rb
@@ -2,6 +2,6 @@
module Ci
class FreezePeriodPolicy < BasePolicy
- delegate { @subject.resource_parent }
+ delegate { @subject.project }
end
end
diff --git a/app/policies/ci/pipeline_schedule_variable_policy.rb b/app/policies/ci/pipeline_schedule_variable_policy.rb
new file mode 100644
index 00000000000..dbbf9221e77
--- /dev/null
+++ b/app/policies/ci/pipeline_schedule_variable_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class PipelineScheduleVariablePolicy < BasePolicy
+ delegate :pipeline_schedule
+ end
+end
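Review bot: Bare `delegate :pipeline_schedule` means a schedule variable has no abilities of its own, so whoever holds any ability on the parent schedule holds the identical ability on the variable, including reading it wherever a caller exposes its value. If variable values are meant to be restricted more tightly than the schedule (as CI variables usually are), this policy needs a rule of its own rather than pure inheritance. If inheritance is intended, say so in the file: `# Inherits every ability from the parent Ci::PipelineSchedule; no variable-specific restrictions.`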
diff --git a/app/policies/commit_signatures/ssh_signature_policy.rb b/app/policies/commit_signatures/ssh_signature_policy.rb
new file mode 100644
index 00000000000..34c8f123029
--- /dev/null
+++ b/app/policies/commit_signatures/ssh_signature_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module CommitSignatures
+ class SshSignaturePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/archived_abilities.rb
index 300f17088b7..b4dfad599c7 100644
--- a/app/policies/concerns/readonly_abilities.rb
+++ b/app/policies/concerns/archived_abilities.rb
@@ -1,9 +1,9 @@
# frozen_string_literal: true
-module ReadonlyAbilities
+module ArchivedAbilities
extend ActiveSupport::Concern
- READONLY_ABILITIES = %i[
+ ARCHIVED_ABILITIES = %i[
admin_tag
push_code
push_to_delete_protected_branch
@@ -16,7 +16,7 @@ module ReadonlyAbilities
create_incident
].freeze
- READONLY_FEATURES = %i[
+ ARCHIVED_FEATURES = %i[
issue
issue_board_list
merge_request
@@ -40,14 +40,14 @@ module ReadonlyAbilities
].freeze
class_methods do
- def readonly_abilities
- READONLY_ABILITIES
+ def archived_abilities
+ ARCHIVED_ABILITIES
end
- def readonly_features
- READONLY_FEATURES
+ def archived_features
+ ARCHIVED_FEATURES
end
end
end
-ReadonlyAbilities::ClassMethods.prepend_mod_with('ReadonlyAbilities::ClassMethods')
+ArchivedAbilities::ClassMethods.prepend_mod_with('ArchivedAbilities::ClassMethods')
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index f61f758a8e8..78ab9fc750b 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -6,7 +6,7 @@ class GroupMemberPolicy < BasePolicy
delegate :group
with_scope :subject
- condition(:last_owner) { @subject.group.member_last_owner?(@subject) || @subject.group.member_last_blocked_owner?(@subject) }
+ condition(:last_owner) { @subject.last_owner_of_the_group? }
condition(:project_bot) { @subject.user&.project_bot? && @subject.group.member?(@subject.user) }
desc "Membership is users' own"
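Review bot: The replaced expression made it explicit that a blocked last owner still counted (`member_last_blocked_owner?`); the new `@subject.last_owner_of_the_group?` hides that in a model method that is not part of this diff. Please confirm it still ORs in the blocked-owner case, since dropping it would let the last owner be removed or downgraded while blocked. A one-line comment keeps the intent visible: `# true for both active and blocked last owners (GroupMember#last_owner_of_the_group?)`.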
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 806c57bab74..858c145de3f 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -83,8 +83,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
- condition(:group_runner_registration_allowed, scope: :global) do
- Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
+ condition(:group_runner_registration_allowed, scope: :subject) do
+ Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled?
end
rule { can?(:read_group) & design_management_enabled }.policy do
@@ -193,6 +193,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
enable :admin_group_member
enable :change_visibility_level
+ enable :read_usage_quotas
enable :read_group_runners
enable :admin_group_runners
enable :register_group_runners
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 87db228a698..491eebe9daf 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -9,7 +9,7 @@ class IssuePolicy < IssuablePolicy
desc "User can read confidential issues"
condition(:can_read_confidential) do
- @user && IssueCollection.new([@subject]).visible_to(@user).any?
+ @user && (@user.admin? || can?(:reporter_access) || assignee_or_author?) # rubocop:disable Cop/UserAdmin
end
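Review bot: `@user.admin?` in the new `can_read_confidential` bypasses whatever the policy-level `admin` condition enforces, and the `rubocop:disable Cop/UserAdmin` is the only acknowledgement; the matching `can_read_confidential` in NotePolicy further down this diff uses the `admin?` condition helper instead. If the goal is parity with NotePolicy and respect for admin mode, prefer `@user && (admin? || can?(:reporter_access) || assignee_or_author?)` and drop the cop disable. If the raw check is deliberate (e.g. to match the previous IssueCollection behaviour), add a comment above the condition saying so, because as written the next reader will assume it is an oversight.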
desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
@@ -27,6 +27,23 @@ class IssuePolicy < IssuablePolicy
desc "Issue is persisted"
condition(:persisted, scope: :subject) { @subject.persisted? }
+ # accessing notes requires the notes widget to be available for work items(or issue)
+ condition(:notes_widget_enabled, scope: :subject) do
+ @subject.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
+ rule { ~notes_widget_enabled }.policy do
+ prevent :create_note
+ prevent :read_note
+ prevent :read_internal_note
+ prevent :set_note_created_at
+ prevent :mark_note_as_confidential
+ # these actions on notes are not available on issues/work items yet,
+ # but preventing any action on work item notes as long as there is no notes widget seems reasonable
+ prevent :resolve_note
+ prevent :reposition_note
+ end
+
rule { confidential & ~can_read_confidential }.policy do
prevent(*create_read_update_admin_destroy(:issue))
prevent :read_issue_iid
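Review bot: `@subject.work_item_type.widgets` raises if `work_item_type` is nil, and an exception inside a condition is an error, not a deny; whether every issue row is guaranteed a work item type is not visible here. If it is not, `@subject.work_item_type&.widgets&.include?(::WorkItems::Widgets::Notes)` fails closed (nil is falsy, so the `~notes_widget_enabled` prevents apply). The condition also lacks the `desc` its siblings have; `desc "Notes widget is available for the issue's work item type"` would document it. The prose comment could be tightened to `# Note access requires the Notes widget on the work item type (issues included).`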
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index bda327cb661..1759cf057e4 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -1,6 +1,8 @@
# frozen_string_literal: true
class MergeRequestPolicy < IssuablePolicy
+ condition(:can_approve) { can_approve? }
+
rule { locked }.policy do
prevent :reopen_merge_request
end
@@ -14,10 +16,14 @@ class MergeRequestPolicy < IssuablePolicy
prevent :accept_merge_request
end
- rule { can?(:update_merge_request) & is_project_member }.policy do
+ rule { can_approve }.policy do
enable :approve_merge_request
end
+ rule { can?(:approve_merge_request) & bot }.policy do
+ enable :reset_merge_request_approvals
+ end
+
rule { ~anonymous & can?(:read_merge_request) }.policy do
enable :create_todo
enable :update_subscription
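Review bot: The `bot` in `rule { can?(:approve_merge_request) & bot }` is the broad BasePolicy condition, not a specific automation account. If `User#bot?` is true for project access-token bots, any such token whose holder passes `can_approve?` (i.e. `update_merge_request` plus project membership, per the private method below) gains `reset_merge_request_approvals`, an ability ordinary members do not get here. If a particular bot is intended, narrow it to a dedicated condition the way `support_bot`/`alert_bot` are defined, and add a `desc` above the rule stating which bots may reset approvals and why.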
@@ -32,6 +38,12 @@ class MergeRequestPolicy < IssuablePolicy
rule { can?(:admin_merge_request) }.policy do
enable :set_merge_request_metadata
end
+
+ private
+
+ def can_approve?
+ can?(:update_merge_request) && is_project_member?
+ end
end
MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
diff --git a/app/policies/namespaces/user_namespace_policy.rb b/app/policies/namespaces/user_namespace_policy.rb
index 89158578ac1..1deeae8241f 100644
--- a/app/policies/namespaces/user_namespace_policy.rb
+++ b/app/policies/namespaces/user_namespace_policy.rb
@@ -5,6 +5,7 @@ module Namespaces
rule { anonymous }.prevent_all
condition(:can_create_personal_project, scope: :user) { @user.can_create_project? }
+ condition(:bot_user_namespace) { @subject.bot_user_namespace? }
condition(:owner) { @subject.owner == @user }
rule { owner | admin }.policy do
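Review bot: `condition(:bot_user_namespace)` depends only on the subject but declares no scope, unlike `can_create_personal_project` (`scope: :user`) directly above it, so DeclarativePolicy caches it per (user, subject) pair rather than per namespace. Declare it and document it: `desc "Namespace belongs to a bot user"` followed by `condition(:bot_user_namespace, scope: :subject) { @subject.bot_user_namespace? }`.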
@@ -21,6 +22,8 @@ module Namespaces
rule { ~can_create_personal_project }.prevent :create_projects
+ rule { bot_user_namespace }.prevent :create_projects
+
rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
end
end
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 67b57595beb..9fd95bbe42d 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -20,12 +20,20 @@ class NotePolicy < BasePolicy
condition(:confidential, scope: :subject) { @subject.confidential? }
+ # if noteable is a work item it needs to check the notes widget availability
+ condition(:notes_widget_enabled, scope: :subject) do
+ !@subject.noteable.respond_to?(:work_item_type) ||
+ @subject.noteable.work_item_type.widgets.include?(::WorkItems::Widgets::Notes)
+ end
+
# Should be matched with IssuablePolicy#read_internal_note
# and EpicPolicy#read_internal_note
condition(:can_read_confidential) do
access_level >= Gitlab::Access::REPORTER || admin?
end
+ rule { ~notes_widget_enabled }.prevent_all
+
rule { ~editable }.prevent :admin_note
# If user can't read the issue/MR/etc then they should not be allowed to do anything to their own notes
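Review bot: This widget check duplicates the one added to IssuePolicy with a slightly different guard, and `@subject.noteable.work_item_type.widgets` still raises if `work_item_type` is nil, which matters because the rule is `prevent_all`. Consider moving the predicate onto the noteable (one definition both policies call) and using a nil-safe form such as `@subject.noteable.work_item_type&.widgets&.include?(::WorkItems::Widgets::Notes)`. Also worth a comment that a nil noteable passes (`nil.respond_to?` is false, so the first branch is true) if that is intended, plus a `desc` line like the other conditions in this file.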
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index bcfc7c87d41..ace74dca448 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -5,7 +5,7 @@ class ProjectMemberPolicy < BasePolicy
delegate { @subject.project }
condition(:target_is_holder_of_the_personal_namespace, scope: :subject) do
- @subject.project.personal_namespace_holder?(@subject.user)
+ @subject.holder_of_the_personal_namespace?
end
desc "Membership is users' own access request"
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index bfeb1a602ab..7f67e80e432 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -2,7 +2,7 @@
class ProjectPolicy < BasePolicy
include CrudPolicyHelpers
- include ReadonlyAbilities
+ include ArchivedAbilities
desc "Project has public builds enabled"
condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
@@ -121,7 +121,7 @@ class ProjectPolicy < BasePolicy
desc "If user is authenticated via CI job token then the target project should be in scope"
condition(:project_allowed_for_job_token) do
- !@user&.from_ci_job_token? || @user.ci_job_token_scope.includes?(project)
+ !@user&.from_ci_job_token? || @user.ci_job_token_scope.allows?(project)
end
with_scope :subject
@@ -369,29 +369,12 @@ class ProjectPolicy < BasePolicy
prevent(:metrics_dashboard)
end
- condition(:split_operations_visibility_permissions) do
- ::Feature.enabled?(:split_operations_visibility_permissions, @subject)
- end
-
- rule { ~split_operations_visibility_permissions & operations_disabled }.policy do
- prevent(*create_read_update_admin_destroy(:feature_flag))
- prevent(*create_read_update_admin_destroy(:environment))
- prevent(*create_read_update_admin_destroy(:sentry_issue))
- prevent(*create_read_update_admin_destroy(:alert_management_alert))
- prevent(*create_read_update_admin_destroy(:cluster))
- prevent(*create_read_update_admin_destroy(:terraform_state))
- prevent(*create_read_update_admin_destroy(:deployment))
- prevent(:metrics_dashboard)
- prevent(:read_pod_logs)
- prevent(:read_prometheus)
- end
-
- rule { split_operations_visibility_permissions & environments_disabled }.policy do
+ rule { environments_disabled }.policy do
prevent(*create_read_update_admin_destroy(:environment))
prevent(*create_read_update_admin_destroy(:deployment))
end
- rule { split_operations_visibility_permissions & feature_flags_disabled }.policy do
+ rule { feature_flags_disabled }.policy do
prevent(*create_read_update_admin_destroy(:feature_flag))
prevent(:admin_feature_flags_user_lists)
prevent(:admin_feature_flags_client)
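Review bot: The removed combined `operations_disabled` rule prevented `read_prometheus`, but none of the replacement rules visible here (`environments_disabled`, `feature_flags_disabled`, and `monitor_disabled` in the next hunk) prevents it; the `infrastructure_disabled` rule runs past the end of the next hunk, so it may be covered there. Please confirm `read_prometheus` is still prevented under one of the split toggles, otherwise turning off every operations feature no longer denies Prometheus reads. The `feature_flags_disabled` rule body also continues beyond this hunk.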
@@ -401,13 +384,13 @@ class ProjectPolicy < BasePolicy
prevent(*create_read_update_admin_destroy(:release))
end
- rule { split_operations_visibility_permissions & monitor_disabled }.policy do
+ rule { monitor_disabled }.policy do
prevent(:metrics_dashboard)
prevent(*create_read_update_admin_destroy(:sentry_issue))
prevent(*create_read_update_admin_destroy(:alert_management_alert))
end
- rule { split_operations_visibility_permissions & infrastructure_disabled }.policy do
+ rule { infrastructure_disabled }.policy do
prevent(*create_read_update_admin_destroy(:terraform_state))
prevent(*create_read_update_admin_destroy(:cluster))
prevent(:read_pod_logs)
@@ -552,15 +535,15 @@ class ProjectPolicy < BasePolicy
rule { can?(:push_code) }.enable :admin_tag
rule { archived }.policy do
- prevent(*readonly_abilities)
+ prevent(*archived_abilities)
- readonly_features.each do |feature|
+ archived_features.each do |feature|
prevent(*create_update_admin(feature))
end
end
rule { archived & ~pending_delete }.policy do
- readonly_features.each do |feature|
+ archived_features.each do |feature|
prevent(:"destroy_#{feature}")
end
end