authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-20 11:10:13 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-20 11:10:13 +0000
commit0ea3fcec397b69815975647f5e2aa5fe944a8486 (patch)
tree7979381b89d26011bcf9bdc989a40fcc2f1ed4ff /app/policies
parent72123183a20411a36d607d70b12d57c484394c8e (diff)
Add latest changes from gitlab-org/gitlab@15-1-stable-ee (v15.1.0-rc42)
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/group_policy.rb2
-rw-r--r--app/policies/issuable_policy.rb4
-rw-r--r--app/policies/issue_policy.rb2
-rw-r--r--app/policies/packages/cleanup/policy_policy.rb9
-rw-r--r--app/policies/project_policy.rb28
-rw-r--r--app/policies/work_item_policy.rb5
6 files changed, 41 insertions, 9 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 9aae295aea7..6ca30ba5dab 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -76,7 +76,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy
with_scope :subject
condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? }
- condition(:crm_enabled, score: 0, scope: :subject) { Feature.enabled?(:customer_relations, @subject) && @subject.crm_enabled? }
+ condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? }
condition(:group_runner_registration_allowed) do
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('group')
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index 4e6df79773e..f1efcb25331 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -13,7 +13,9 @@ class IssuablePolicy < BasePolicy
condition(:is_author) { @subject&.author == @user }
- rule { can?(:guest_access) & assignee_or_author }.policy do
+ condition(:is_incident) { @subject.incident? }
+
+ rule { can?(:guest_access) & assignee_or_author & ~is_incident }.policy do
enable :read_issue
enable :update_issue
enable :reopen_issue
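Review bot: The new `is_incident` condition dereferences `@subject` directly, while the `is_author` condition two lines above guards it with `@subject&.author`; for the same nil-safety and consistency write `condition(:is_incident) { @subject&.incident? }`. IssuablePolicy is presumably the base for subjects other than issues as well; if any of those does not respond to `incident?`, evaluating this condition raises instead of returning false, which should be confirmed before the condition lives at this level. The `.policy do` block opened by the rewritten rule continues past the end of the hunk.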
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index a341d1ef661..2b6dcc56fa0 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,7 +15,7 @@ class IssuePolicy < IssuablePolicy
desc "Project belongs to a group, crm is enabled and user can read contacts in the root group"
condition(:can_read_crm_contacts, scope: :subject) do
subject.project.group&.crm_enabled? &&
- @user.can?(:read_crm_contact, @subject.project.root_ancestor)
+ (@user&.can?(:read_crm_contact, @subject.project.root_ancestor) || @user&.support_bot?)
end
desc "Issue is confidential"
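Review bot: The `desc` string above the condition is now stale: it says the user can read contacts in the root group, but the rewritten body also passes for `@user&.support_bot?`; update it to `desc "Project belongs to a group, crm is enabled and user can read contacts in the root group or is the support bot"`. The condition is declared `scope: :subject`, yet its result depends on `@user` through both the `can?` check and the new `support_bot?` branch; if DeclarativePolicy caches subject-scoped conditions keyed on the subject alone, a result computed for one user could be served to another, so the default scope looks like the safer choice here. That dependence pre-dates this change, but the new branch widens it.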
diff --git a/app/policies/packages/cleanup/policy_policy.rb b/app/policies/packages/cleanup/policy_policy.rb
new file mode 100644
index 00000000000..6c2aacef174
--- /dev/null
+++ b/app/policies/packages/cleanup/policy_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Packages
+ module Cleanup
+ class PolicyPolicy < BasePolicy
+ delegate { @subject.project }
+ end
+ end
+end
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 7c439fe8b29..3bce26be756 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -4,12 +4,6 @@ class ProjectPolicy < BasePolicy
include CrudPolicyHelpers
include ReadonlyAbilities
- desc "User is a project owner"
- condition :owner do
- (project.owner.present? && project.owner == @user) ||
- project.group&.has_owner?(@user)
- end
-
desc "Project has public builds enabled"
condition(:public_builds, scope: :subject, score: 0) { project.public_builds? }
@@ -30,6 +24,17 @@ class ProjectPolicy < BasePolicy
desc "User has maintainer access"
condition(:maintainer) { team_access_level >= Gitlab::Access::MAINTAINER }
+ desc "User has owner access"
+ condition :owner do
+ owner_of_personal_namespace = project.owner.present? && project.owner == @user
+
+ unless owner_of_personal_namespace
+ group_or_project_owner = team_access_level >= Gitlab::Access::OWNER
+ end
+
+ owner_of_personal_namespace || group_or_project_owner
+ end
+
desc "User is a project bot"
condition(:project_bot) { user.project_bot? && team_member? }
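Review bot: The `unless owner_of_personal_namespace` block in the new `:owner` condition exists only to skip the `team_access_level` lookup when the personal-namespace check already passed, and it leaves `group_or_project_owner` unassigned (nil) on that path; `||` short-circuits the same way, so the body can be the two-line expression `(project.owner.present? && project.owner == @user) ||` followed by `team_access_level >= Gitlab::Access::OWNER`. Unlike the removed version in the previous hunk, the condition no longer consults `project.group&.has_owner?(@user)` directly and relies on `team_access_level` reflecting group ownership, which I cannot verify from the hunk; a one-line comment stating that assumption next to the comparison would help the next reader.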
@@ -198,6 +203,10 @@ class ProjectPolicy < BasePolicy
Feature.disabled?(:runner_registration_control) || Gitlab::CurrentSettings.valid_runner_registrars.include?('project')
end
+ condition :registry_enabled do
+ Gitlab.config.registry.enabled
+ end
+
# `:read_project` may be prevented in EE, but `:read_project_for_iids` should
# not.
rule { guest | admin }.enable :read_project_for_iids
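Review bot: The new `registry_enabled` condition reads only `Gitlab.config.registry.enabled`, which depends on neither the subject nor the user, yet it is declared without a scope, so it is presumably evaluated and cached per user/subject pair like the surrounding conditions; this file already uses `scope: :subject, score: 0` for `:public_builds`, and the instance-wide analogue here would be `condition(:registry_enabled, scope: :global) { Gitlab.config.registry.enabled }`. It also lacks the `desc` line the neighbouring conditions carry; `desc "Container registry is enabled on this instance"` would document why a project-level rule consults instance configuration.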
@@ -236,6 +245,7 @@ class ProjectPolicy < BasePolicy
enable :set_warn_about_potentially_unwanted_characters
enable :register_project_runners
+ enable :manage_owners
end
rule { can?(:guest_access) }.policy do
@@ -423,6 +433,7 @@ class ProjectPolicy < BasePolicy
rule { can?(:maintainer_access) }.policy do
enable :destroy_package
+ enable :admin_package
enable :admin_issue_board
enable :push_to_delete_protected_branch
enable :update_snippet
@@ -658,6 +669,7 @@ class ProjectPolicy < BasePolicy
enable :read_design
enable :read_design_activity
enable :read_issue_link
+ enable :read_work_item
end
rule { can?(:developer_access) }.policy do
@@ -752,6 +764,10 @@ class ProjectPolicy < BasePolicy
enable :import_project_members_from_another_project
end
+ rule { registry_enabled & can?(:admin_container_image) }.policy do
+ enable :view_package_registry_project_settings
+ end
+
private
def user_is_user?
diff --git a/app/policies/work_item_policy.rb b/app/policies/work_item_policy.rb
index e191e8d26ca..ea7559592e1 100644
--- a/app/policies/work_item_policy.rb
+++ b/app/policies/work_item_policy.rb
@@ -8,4 +8,9 @@ class WorkItemPolicy < IssuePolicy
rule { can?(:update_issue) }.enable :update_work_item
rule { can?(:read_issue) }.enable :read_work_item
+ # because IssuePolicy delegates to ProjectPolicy and
+ # :read_work_item is enabled in ProjectPolicy too, we
+ # need to make sure we also prevent this rule if read_issue
+ # is prevented
+ rule { ~can?(:read_issue) }.prevent :read_work_item
end