authorGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 15:44:42 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2021-05-19 15:44:42 +0000
commit4555e1b21c365ed8303ffb7a3325d773c9b8bf31 (patch)
tree5423a1c7516cffe36384133ade12572cf709398d /app/policies
parente570267f2f6b326480d284e0164a6464ba4081bc (diff)
downloadgitlab-ce-4555e1b21c365ed8303ffb7a3325d773c9b8bf31.tar.gz
Add latest changes from gitlab-org/gitlab@13-12-stable-eev13.12.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb4
-rw-r--r--app/policies/ci/build_policy.rb9
-rw-r--r--app/policies/ci/stage_policy.rb7
-rw-r--r--app/policies/clusters/instance_policy.rb2
-rw-r--r--app/policies/concerns/policy_actor.rb2
-rw-r--r--app/policies/concerns/readonly_abilities.rb3
-rw-r--r--app/policies/environment_policy.rb2
-rw-r--r--app/policies/global_policy.rb2
-rw-r--r--app/policies/group_member_policy.rb2
-rw-r--r--app/policies/group_policy.rb2
-rw-r--r--app/policies/identity_provider_policy.rb2
-rw-r--r--app/policies/integration_policy.rb (renamed from app/policies/service_policy.rb)2
-rw-r--r--app/policies/issuable_policy.rb2
-rw-r--r--app/policies/issue_policy.rb2
-rw-r--r--app/policies/merge_request_policy.rb2
-rw-r--r--app/policies/namespace_policy.rb2
-rw-r--r--app/policies/nil_policy.rb5
-rw-r--r--app/policies/packages/maven/metadatum_policy.rb8
-rw-r--r--app/policies/packages/nuget/metadatum_policy.rb8
-rw-r--r--app/policies/project_member_policy.rb6
-rw-r--r--app/policies/project_policy.rb5
-rw-r--r--app/policies/project_snippet_policy.rb2
-rw-r--r--app/policies/protected_branch_policy.rb2
-rw-r--r--app/policies/user_policy.rb2
24 files changed, 56 insertions, 29 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 1c19751cf0d..0f7a6b852ab 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -1,7 +1,5 @@
# frozen_string_literal: true
-require_dependency 'declarative_policy'
-
class BasePolicy < DeclarativePolicy::Base
desc "User is an instance admin"
with_options scope: :user, score: 0
@@ -68,4 +66,4 @@ class BasePolicy < DeclarativePolicy::Base
condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
end
-BasePolicy.prepend_if_ee('EE::BasePolicy')
+BasePolicy.prepend_mod_with('BasePolicy')
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 65f2a70672b..6162a31c118 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -21,7 +21,7 @@ module Ci
end
# overridden in EE
- condition(:protected_environment_access) do
+ condition(:protected_environment) do
false
end
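Review bot: The renamed condition `protected_environment` keeps the default `false`, but its meaning is inverted relative to `protected_environment_access`. An override that still uses the old name would be silently ignored, and protected environments would then be treated as unprotected (fail-open). The `# overridden in EE` comment is the only hint of that dependency and the override is not part of this diff, so it should be confirmed that it was renamed in the same change. I would make the polarity explicit in the comment, e.g. `# True when the build targets a protected environment; always false here, overridden in EE`. The enclosing `module Ci` body starts and ends outside the hunk.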
@@ -68,7 +68,10 @@ module Ci
rule { project_read_build }.enable :read_build_trace
rule { debug_mode & ~project_update_build }.prevent :read_build_trace
- rule { ~protected_environment_access & (protected_ref | archived) }.policy do
+ # Authorizing the user to access to protected entities.
+ # There is a "jailbreak" mode to exceptionally bypass the authorization,
+ # however, you should NEVER allow it, rather suspect it's a wrong feature/product design.
+ rule { ~can?(:jailbreak) & (archived | protected_ref | protected_environment) }.policy do
prevent :update_build
prevent :update_commit_status
prevent :erase_build
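Review bot: `~can?(:jailbreak)` in the new rule lets a single ability lift every `prevent` in this block at once, for archived projects, protected refs and protected environments, and nothing in the visible hunk defines or restricts who can be granted `:jailbreak`. A `prevent` normally cannot be overridden by an `enable`, so this ability is the one switch that turns these hard denials off. It deserves a spec asserting that `:jailbreak` is disallowed for every role under the default policies, and the comment should name where the ability is expected to be enabled, if anywhere. The comment wording could also be tightened, e.g. `# Prevent changes to builds on protected entities unless the user holds the exceptional :jailbreak ability.` The policy block continues past the end of the hunk.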
@@ -108,4 +111,4 @@ module Ci
end
end
-Ci::BuildPolicy.prepend_if_ee('EE::Ci::BuildPolicy')
+Ci::BuildPolicy.prepend_mod_with('Ci::BuildPolicy')
diff --git a/app/policies/ci/stage_policy.rb b/app/policies/ci/stage_policy.rb
new file mode 100644
index 00000000000..1e774df9f58
--- /dev/null
+++ b/app/policies/ci/stage_policy.rb
@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module Ci
+ class StagePolicy < BasePolicy
+ delegate :pipeline
+ end
+end
diff --git a/app/policies/clusters/instance_policy.rb b/app/policies/clusters/instance_policy.rb
index d8e8f9ff2c1..3c5ca4bf4e1 100644
--- a/app/policies/clusters/instance_policy.rb
+++ b/app/policies/clusters/instance_policy.rb
@@ -13,4 +13,4 @@ module Clusters
end
end
-Clusters::InstancePolicy.prepend_if_ee('EE::Clusters::InstancePolicy')
+Clusters::InstancePolicy.prepend_mod_with('Clusters::InstancePolicy')
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index 75849fb10c8..cd19b46ad6c 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -82,4 +82,4 @@ module PolicyActor
end
end
-PolicyActor.prepend_if_ee('EE::PolicyActor')
+PolicyActor.prepend_mod_with('PolicyActor')
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
index 0303d4cff14..300f17088b7 100644
--- a/app/policies/concerns/readonly_abilities.rb
+++ b/app/policies/concerns/readonly_abilities.rb
@@ -13,6 +13,7 @@ module ReadonlyAbilities
create_merge_request_from
create_merge_request_in
award_emoji
+ create_incident
].freeze
READONLY_FEATURES = %i[
@@ -49,4 +50,4 @@ module ReadonlyAbilities
end
end
-ReadonlyAbilities::ClassMethods.prepend_if_ee('EE::ReadonlyAbilities::ClassMethods')
+ReadonlyAbilities::ClassMethods.prepend_mod_with('ReadonlyAbilities::ClassMethods')
diff --git a/app/policies/environment_policy.rb b/app/policies/environment_policy.rb
index f0187a39687..e9e3517b3da 100644
--- a/app/policies/environment_policy.rb
+++ b/app/policies/environment_policy.rb
@@ -21,4 +21,4 @@ class EnvironmentPolicy < BasePolicy
rule { ~stopped }.prevent(:destroy_environment)
end
-EnvironmentPolicy.prepend_if_ee('EE::EnvironmentPolicy')
+EnvironmentPolicy.prepend_mod_with('EnvironmentPolicy')
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index d16c4734b2c..85263ec7c87 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -113,4 +113,4 @@ class GlobalPolicy < BasePolicy
rule { external_user }.prevent :create_snippet
end
-GlobalPolicy.prepend_if_ee('EE::GlobalPolicy')
+GlobalPolicy.prepend_mod_with('GlobalPolicy')
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 8a4cae232a0..f7a7286aba7 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -30,4 +30,4 @@ class GroupMemberPolicy < BasePolicy
end
end
-GroupMemberPolicy.prepend_if_ee('EE::GroupMemberPolicy')
+GroupMemberPolicy.prepend_mod_with('GroupMemberPolicy')
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index fc24525ade7..821fabec266 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -258,4 +258,4 @@ class GroupPolicy < BasePolicy
end
end
-GroupPolicy.prepend_if_ee('EE::GroupPolicy')
+GroupPolicy.prepend_mod_with('GroupPolicy')
diff --git a/app/policies/identity_provider_policy.rb b/app/policies/identity_provider_policy.rb
index 6d6dcaebff8..c539fc64d3f 100644
--- a/app/policies/identity_provider_policy.rb
+++ b/app/policies/identity_provider_policy.rb
@@ -14,4 +14,4 @@ class IdentityProviderPolicy < BasePolicy
rule { protected_provider }.prevent(:unlink)
end
-IdentityProviderPolicy.prepend_if_ee('EE::IdentityProviderPolicy')
+IdentityProviderPolicy.prepend_mod_with('IdentityProviderPolicy')
diff --git a/app/policies/service_policy.rb b/app/policies/integration_policy.rb
index 61aff444620..c1199d915ea 100644
--- a/app/policies/service_policy.rb
+++ b/app/policies/integration_policy.rb
@@ -1,5 +1,5 @@
# frozen_string_literal: true
-class ServicePolicy < BasePolicy
+class IntegrationPolicy < BasePolicy
delegate(:project)
end
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index f49a6ee8498..61263e47d7c 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -28,4 +28,4 @@ class IssuablePolicy < BasePolicy
end
end
-IssuablePolicy.prepend_if_ee('EE::IssuablePolicy')
+IssuablePolicy.prepend_mod_with('IssuablePolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 183f4d8f919..6eec03d6d75 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -41,4 +41,4 @@ class IssuePolicy < IssuablePolicy
end
end
-IssuePolicy.prepend_if_ee('EE::IssuePolicy')
+IssuePolicy.prepend_mod_with('IssuePolicy')
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e3fb54172f8..e53a916f3ca 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -29,4 +29,4 @@ class MergeRequestPolicy < IssuablePolicy
end
end
-MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
+MergeRequestPolicy.prepend_mod_with('MergeRequestPolicy')
diff --git a/app/policies/namespace_policy.rb b/app/policies/namespace_policy.rb
index 13eb4a13cac..dcbeda9f5d3 100644
--- a/app/policies/namespace_policy.rb
+++ b/app/policies/namespace_policy.rb
@@ -23,4 +23,4 @@ class NamespacePolicy < BasePolicy
rule { (owner | admin) & can?(:create_projects) }.enable :transfer_projects
end
-NamespacePolicy.prepend_if_ee('EE::NamespacePolicy')
+NamespacePolicy.prepend_mod_with('NamespacePolicy')
diff --git a/app/policies/nil_policy.rb b/app/policies/nil_policy.rb
deleted file mode 100644
index fc969f8cd05..00000000000
--- a/app/policies/nil_policy.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-# frozen_string_literal: true
-
-class NilPolicy < BasePolicy
- rule { default }.prevent_all
-end
diff --git a/app/policies/packages/maven/metadatum_policy.rb b/app/policies/packages/maven/metadatum_policy.rb
new file mode 100644
index 00000000000..5dc90209321
--- /dev/null
+++ b/app/policies/packages/maven/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Maven
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
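Review bot: `delegate { @subject.package }` makes every permission on a metadatum record come from its package, yet the class has no rules of its own and no comment saying so; the same applies to `Packages::Nuget::MetadatumPolicy` in the next file. What happens when `package` is nil is not visible here, and `NilPolicy` is deleted from this directory by the same commit. It is worth confirming that a metadatum without a package ends up with no abilities rather than raising. A one-line class comment such as `# Access to Maven metadata is governed entirely by the owning package's policy` would document the intent.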
diff --git a/app/policies/packages/nuget/metadatum_policy.rb b/app/policies/packages/nuget/metadatum_policy.rb
new file mode 100644
index 00000000000..cdf1283c11a
--- /dev/null
+++ b/app/policies/packages/nuget/metadatum_policy.rb
@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+module Packages
+ module Nuget
+ class MetadatumPolicy < BasePolicy
+ delegate { @subject.package }
+ end
+ end
+end
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index ca33b95e523..91f1eb35506 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -8,7 +8,11 @@ class ProjectMemberPolicy < BasePolicy
condition(:project_bot) { @subject.user&.project_bot? }
rule { anonymous }.prevent_all
- rule { target_is_owner }.prevent_all
+
+ rule { target_is_owner }.policy do
+ prevent :update_project_member
+ prevent :destroy_project_member
+ end
rule { ~project_bot & can?(:admin_project_member) }.policy do
enable :update_project_member
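Review bot: Replacing `rule { target_is_owner }.prevent_all` with two explicit prevents changes the owner's membership record from deny-by-default to a deny-list. Any other ability this policy enables or delegates, now or later, will apply to the project owner's membership unless someone remembers to add another `prevent` here. The rest of the policy is outside the hunk, so which abilities this opens today cannot be judged from these lines. I would add a comment such as `# Only update/destroy of the owner's membership is blocked; other abilities intentionally remain available`, plus a spec that enumerates the abilities allowed when `target_is_owner` is true, so a future addition is a visible decision.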
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index c577c8c8471..1ce19511bef 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -171,6 +171,7 @@ class ProjectPolicy < BasePolicy
rule { guest | admin }.enable :read_project_for_iids
rule { admin }.enable :update_max_artifacts_size
+ rule { admin }.enable :read_storage_disk_path
rule { can?(:read_all_resources) }.enable :read_confidential_issues
rule { guest }.enable :guest_access
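Review bot: The added `rule { admin }.enable :read_storage_disk_path` carries no comment explaining why the ability is admin-only, although judging by its name it exposes where project data sits on the server's filesystem. Restricting it to `admin` looks right, but a short comment would stop it being widened casually later, e.g. `# Disk paths reveal server layout; keep this restricted to instance admins`. It would also help to confirm that every caller rendering the path checks this ability rather than a broader one; those callers are outside this diff.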
@@ -226,6 +227,8 @@ class ProjectPolicy < BasePolicy
enable :read_insights
end
+ rule { can?(:guest_access) & can?(:create_issue) }.enable :create_incident
+
# These abilities are not allowed to admins that are not members of the project,
# that's why they are defined separately.
rule { guest & can?(:download_code) }.enable :build_download_code
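Review bot: The new `rule { can?(:guest_access) & can?(:create_issue) }.enable :create_incident` does not say why `guest_access` is required on top of `create_issue`. It also sits directly above a comment block that describes the following rules, which makes it easy to misread as part of that group. If the intent is to exclude users who can create issues without holding guest access through the project's own rules, state that in a comment, e.g. `# Incidents require project-level guest access in addition to the right to create issues`. A spec covering a user with `create_issue` but without `guest_access` would pin the boundary.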
@@ -745,4 +748,4 @@ class ProjectPolicy < BasePolicy
end
end
-ProjectPolicy.prepend_if_ee('EE::ProjectPolicy')
+ProjectPolicy.prepend_mod_with('ProjectPolicy')
diff --git a/app/policies/project_snippet_policy.rb b/app/policies/project_snippet_policy.rb
index 869f4716298..b8f0be9b4c5 100644
--- a/app/policies/project_snippet_policy.rb
+++ b/app/policies/project_snippet_policy.rb
@@ -51,4 +51,4 @@ class ProjectSnippetPolicy < BasePolicy
rule { ~can?(:read_snippet) }.prevent :create_note
end
-ProjectSnippetPolicy.prepend_if_ee('EE::ProjectSnippetPolicy')
+ProjectSnippetPolicy.prepend_mod_with('ProjectSnippetPolicy')
diff --git a/app/policies/protected_branch_policy.rb b/app/policies/protected_branch_policy.rb
index 1a5c6528b82..8ad06653e5c 100644
--- a/app/policies/protected_branch_policy.rb
+++ b/app/policies/protected_branch_policy.rb
@@ -10,4 +10,4 @@ class ProtectedBranchPolicy < BasePolicy
end
end
-ProtectedBranchPolicy.prepend_if_ee('EE::ProtectedBranchPolicy')
+ProtectedBranchPolicy.prepend_mod_with('ProtectedBranchPolicy')
diff --git a/app/policies/user_policy.rb b/app/policies/user_policy.rb
index 48c2bd3f0bd..067f0f6a9d2 100644
--- a/app/policies/user_policy.rb
+++ b/app/policies/user_policy.rb
@@ -33,4 +33,4 @@ class UserPolicy < BasePolicy
rule { (user_is_self | admin) & ~blocked }.enable :create_user_personal_access_token
end
-UserPolicy.prepend_if_ee('EE::UserPolicy')
+UserPolicy.prepend_mod_with('UserPolicy')