author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 07:08:36 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-10-21 07:08:36 +0000 |
commit | 48aff82709769b098321c738f3444b9bdaa694c6 (patch) | |
tree | e00c7c43e2d9b603a5a6af576b1685e400410dee /app/policies | |
parent | 879f5329ee916a948223f8f43d77fba4da6cd028 (diff) | |
Add latest changes from gitlab-org/gitlab@13-5-stable-eev13.5.0-rc42
Diffstat (limited to 'app/policies')
-rw-r--r-- | app/policies/base_policy.rb | 5 | ||||
-rw-r--r-- | app/policies/ci/bridge_policy.rb | 12 | ||||
-rw-r--r-- | app/policies/ci/build_policy.rb | 2 | ||||
-rw-r--r-- | app/policies/global_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/group_policy.rb | 37 | ||||
-rw-r--r-- | app/policies/issue_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/project_policy.rb | 12 | ||||
-rw-r--r-- | app/policies/releases/evidence_policy.rb | 1 | ||||
-rw-r--r-- | app/policies/terraform/state_policy.rb | 9 | ||||
-rw-r--r-- | app/policies/wiki_policy.rb | 6 |
10 files changed, 79 insertions, 15 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 13d732e4edd..1c93073025d 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -27,10 +27,7 @@ class BasePolicy < DeclarativePolicy::Base
 desc "User email is unconfirmed or user account is locked"
 with_options scope: :user, score: 0
- condition(:inactive) do
- Feature.enabled?(:inactive_policy_condition, default_enabled: true) &&
- @user&.confirmation_required_on_sign_in? || @user&.access_locked?
- end
+ condition(:inactive) { @user&.confirmation_required_on_sign_in? || @user&.access_locked? }
 with_options scope: :user, score: 0
 condition(:external_user) { @user.nil? || @user.external? }
diff --git a/app/policies/ci/bridge_policy.rb b/app/policies/ci/bridge_policy.rb
new file mode 100644
index 00000000000..37a07ea8aaf
--- /dev/null
+++ b/app/policies/ci/bridge_policy.rb
@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module Ci
+ class BridgePolicy < CommitStatusPolicy
+ condition(:can_update_downstream_branch) do
+ ::Gitlab::UserAccess.new(@user, container: @subject.downstream_project)
+ .can_update_branch?(@subject.target_revision_ref)
+ end
+
+ rule { can_update_downstream_branch }.enable :play_job
+ end
+end
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index b3950c6a0e3..3efc07421e4 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -60,6 +60,8 @@ module Ci
 rule { can?(:update_build) & terminal }.enable :create_build_terminal
+ rule { can?(:update_build) }.enable :play_job
+
 rule { is_web_ide_terminal & can?(:create_web_ide_terminal) & (admin | owner_of_job) }.policy do
 enable :read_web_ide_terminal
 enable :update_web_ide_terminal
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index de69636b078..c1ea4dddb51 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
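Review bot: The new `rule { can_update_downstream_branch }.enable :play_job` in bridge_policy.rb grants :play_job from the downstream project's branch permission alone, with no check on the upstream pipeline, whereas build_policy.rb in the same commit gates the same ability on `can?(:update_build)`. Unless CommitStatusPolicy (outside this diff) already prevents :play_job for users without upstream rights, someone who can push to the downstream branch but has no developer role in the upstream project could trigger the bridge; consider `rule { can?(:update_build) & can_update_downstream_branch }.enable :play_job` so both sides are required. The condition also calls `@subject.downstream_project` without a nil guard; if a bridge can reference a missing or inaccessible project, `Gitlab::UserAccess.new(@user, container: nil)` presumably errors rather than denying, so a `@subject.downstream_project.present? &&` guard in the condition is worth confirming.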
@@ -98,6 +98,7 @@ class GlobalPolicy < BasePolicy
 rule { admin }.policy do
 enable :read_custom_attribute
 enable :update_custom_attribute
+ enable :approve_user
 end
 # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index c98e82efef7..f9ec026a6d2 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -46,6 +46,19 @@ class GroupPolicy < BasePolicy
 group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
 end
+ desc "Deploy token with read_package_registry scope"
+ condition(:read_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry
+ end
+
+ desc "Deploy token with write_package_registry scope"
+ condition(:write_package_registry_deploy_token) do
+ @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry
+ end
+
+ with_scope :subject
+ condition(:resource_access_token_available) { resource_access_token_available? }
+
 rule { design_management_enabled }.policy do
 enable :read_design_activity
 end
@@ -91,7 +104,6 @@ class GroupPolicy < BasePolicy
 rule { developer }.policy do
 enable :admin_milestone
- enable :read_package
 enable :create_metrics_dashboard_annotation
 enable :delete_metrics_dashboard_annotation
 enable :update_metrics_dashboard_annotation
@@ -105,6 +117,7 @@ class GroupPolicy < BasePolicy
 enable :admin_issue
 enable :read_metrics_dashboard_annotation
 enable :read_prometheus
+ enable :read_package
 end
 rule { maintainer }.policy do
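Review bot: The two deploy-token conditions added in group_policy.rb (`read_package_registry_deploy_token` and `write_package_registry_deploy_token`) accept any `DeployToken` whose `groups` include the subject, but nothing in the condition checks that the token is still valid (not expired or revoked); if that is enforced only when the token authenticates, a policy evaluated against a persisted token record would be safer with an explicit `active?`-style check, so confirm against DeployToken. Both conditions also call `@user.groups.include?(@subject)` with no `with_scope`/`score`, so the whole groups association is loaded on every evaluation; `@user.groups.exists?(id: @subject.id)` would keep it a single query. The `read_package` move in the `-91` and `-105` hunks of this file lowers that ability from `developer` to a `rule` block whose header is outside the hunk; since the widening is deliberate, a one-line comment such as `# read_package is intentionally granted below developer level` next to the new `enable :read_package` would record it.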
@@ -167,6 +180,20 @@ class GroupPolicy < BasePolicy
 rule { maintainer & can?(:create_projects) }.enable :transfer_projects
+ rule { read_package_registry_deploy_token }.policy do
+ enable :read_package
+ enable :read_group
+ end
+
+ rule { write_package_registry_deploy_token }.policy do
+ enable :create_package
+ enable :read_group
+ end
+
+ rule { resource_access_token_available & can?(:admin_group) }.policy do
+ enable :admin_resource_access_tokens
+ end
+
 def access_level
 return GroupMember::NO_ACCESS if @user.nil?
 return GroupMember::NO_ACCESS unless user_is_user?
@@ -183,6 +210,14 @@ class GroupPolicy < BasePolicy
 def user_is_user?
 user.is_a?(User)
 end
+
+ def group
+ @subject
+ end
+
+ def resource_access_token_available?
+ true
+ end
 end
 GroupPolicy.prepend_if_ee('EE::GroupPolicy')
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index b02bb8621ed..44c448eb601 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -15,9 +15,6 @@ class IssuePolicy < IssuablePolicy
 desc "Issue is confidential"
 condition(:confidential, scope: :subject) { @subject.confidential? }
- desc "Issue has moved"
- condition(:moved) { @subject.moved? }
-
 rule { confidential & ~can_read_confidential }.policy do
 prevent(*create_read_update_admin_destroy(:issue))
 prevent :read_issue_iid
@@ -38,12 +35,6 @@ class IssuePolicy < IssuablePolicy
 rule { ~can?(:read_design) }.policy do
 prevent :move_design
 end
-
- rule { locked | moved }.policy do
- prevent :create_design
- prevent :move_design
- prevent :destroy_design
- end
 end
 IssuePolicy.prepend_if_ee('EE::IssuePolicy')
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 87ee7d201e4..59e2d617bf7 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
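Review bot: `resource_access_token_available?` in group_policy.rb is a bare `true` with no explanation, and the matching stub added to project_policy.rb (hunk `-663`) has the same gap, so a reader cannot tell whether it is a placeholder or an extension point. Given the `GroupPolicy.prepend_if_ee('EE::GroupPolicy')` line in this hunk's context it is presumably overridden in EE, and a comment such as `# Always available in CE; EE::GroupPolicy overrides this with licensing checks` above the method (mirrored in ProjectPolicy) would make that explicit. The `resource_access_token_available` condition it backs is declared `with_scope :subject` in the earlier hunk of this file, which as I understand DeclarativePolicy caches the result per subject, so any override should depend only on the group and never on `@user`; a second comment line noting that constraint would prevent a future user-dependent override from being served from the subject cache.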
@@ -104,6 +104,9 @@ class ProjectPolicy < BasePolicy
 with_scope :subject
 condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+ with_scope :subject
+ condition(:resource_access_token_available) { resource_access_token_available? }
+
 # We aren't checking `:read_issue` or `:read_merge_request` in this case
 # because it could be possible for a user to see an issuable-iid
 # (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -237,7 +240,6 @@ class ProjectPolicy < BasePolicy
 enable :read_merge_request
 enable :read_sentry_issue
 enable :update_sentry_issue
- enable :read_incidents
 enable :read_prometheus
 enable :read_metrics_dashboard_annotation
 enable :metrics_dashboard
@@ -589,6 +591,10 @@ class ProjectPolicy < BasePolicy
 prevent :read_project
 end
+ rule { resource_access_token_available & can?(:admin_project) }.policy do
+ enable :admin_resource_access_tokens
+ end
+
 private
 def user_is_user?
@@ -663,6 +669,10 @@ class ProjectPolicy < BasePolicy
 end
 end
+ def resource_access_token_available?
+ true
+ end
+
 def project
 @subject
 end
diff --git a/app/policies/releases/evidence_policy.rb b/app/policies/releases/evidence_policy.rb
index 701913e6fe4..3e35f2f5e87 100644
--- a/app/policies/releases/evidence_policy.rb
+++ b/app/policies/releases/evidence_policy.rb
@@ -15,6 +15,7 @@ module Releases
 # - Project
 # - Milestones
 # - Issues
+ # TODO: remove issues from this check: https://gitlab.com/gitlab-org/gitlab/-/issues/259674
 condition(:allowed_to_read_evidence) do
 can?(:read_release) &&
 can?(:download_code) &&
diff --git a/app/policies/terraform/state_policy.rb b/app/policies/terraform/state_policy.rb
new file mode 100644
index 00000000000..ba6109e5975
--- /dev/null
+++ b/app/policies/terraform/state_policy.rb
@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Terraform
+ class StatePolicy < BasePolicy
+ alias_method :terraform_state, :subject
+
+ delegate { terraform_state.project }
+ end
+end
diff --git a/app/policies/wiki_policy.rb b/app/policies/wiki_policy.rb
new file mode 100644
index 00000000000..a551439d0d4
--- /dev/null
+++ b/app/policies/wiki_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+
+class WikiPolicy < ::BasePolicy
+ # Wiki policies are delegated to their container objects (Project or Group)
+ delegate { subject.container }
+end
|