Add policy for clusters on group level

- maintainer for group can read, create, update, and admin cluster
- project user, at any level, cannot do anything with group cluster

3 files changed, 7 insertions, 5 deletions

diff --git a/app/policies/clusters/cluster_policy.rb b/app/policies/clusters/cluster_policy.rb
index 147943a3d6c..d6d590687e2 100644
--- a/app/policies/clusters/cluster_policy.rb
+++ b/app/policies/clusters/cluster_policy.rb
@@ -4,11 +4,7 @@ module Clusters
   class ClusterPolicy < BasePolicy
     alias_method :cluster, :subject
 
+    delegate { cluster.group }
     delegate { cluster.project }
-
-    rule { can?(:maintainer_access) }.policy do
-      enable :update_cluster
-      enable :admin_cluster
-    end
   end
 end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 73c93b22c95..6b4e56ef5e4 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -65,6 +65,10 @@ class GroupPolicy < BasePolicy
     enable :create_projects
     enable :admin_pipeline
     enable :admin_build
+    enable :read_cluster
+    enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
   end
 
   rule { owner }.policy do
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index a76a083bceb..1c082945299 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -258,6 +258,8 @@ class ProjectPolicy < BasePolicy
     enable :update_pages
     enable :read_cluster
     enable :create_cluster
+    enable :update_cluster
+    enable :admin_cluster
     enable :create_environment_terminal
   end