diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:22 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2022-06-01 07:28:28 +0000 |
commit | 37f194bbc19045abe013a58274494c1a6c8bbdd5 (patch) | |
tree | 99ae3d2a13d8d5592c8fabc7ed38d5117dbfe163 /app/policies | |
parent | de222caa576cab3d0894c65531f5822f205877d5 (diff) | |
download | gitlab-ce-37f194bbc19045abe013a58274494c1a6c8bbdd5.tar.gz |
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/group_policy.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index a4600c720a3..9aae295aea7 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -23,6 +23,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy condition(:parent_share_with_group_locked, scope: :subject) { @subject.parent&.share_with_group_lock? } condition(:can_change_parent_share_with_group_lock) { can?(:change_share_with_group_lock, @subject.parent) } condition(:migration_bot, scope: :user) { @user.migration_bot? } + condition(:can_read_group_member) { can_read_group_member? } desc "User is a project bot" condition(:project_bot) { user.project_bot? && access_level >= GroupMember::GUEST } @@ -128,6 +129,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~public_group & ~has_access }.prevent :read_counts + rule { ~can_read_group_member }.policy do + prevent :read_group_member + end + rule { ~can?(:read_group) }.policy do prevent :read_design_activity end @@ -316,6 +321,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy true end + def can_read_group_member? + !(@subject.private? && access_level == GroupMember::NO_ACCESS) + end + def resource_access_token_creation_allowed? resource_access_token_feature_available? && group.root_ancestor.namespace_settings.resource_access_token_creation_allowed? end |