authorGitLab Bot <gitlab-bot@gitlab.com>2020-07-20 12:26:25 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2020-07-20 12:26:25 +0000
commita09983ae35713f5a2bbb100981116d31ce99826e (patch)
tree2ee2af7bd104d57086db360a7e6d8c9d5d43667a /app/policies
parent18c5ab32b738c0b6ecb4d0df3994000482f34bd8 (diff)
downloadgitlab-ce-a09983ae35713f5a2bbb100981116d31ce99826e.tar.gz
Add latest changes from gitlab-org/gitlab@13-2-stable-ee
Diffstat (limited to 'app/policies')
-rw-r--r--app/policies/base_policy.rb6
-rw-r--r--app/policies/concerns/find_group_projects.rb4
-rw-r--r--app/policies/concerns/policy_actor.rb4
-rw-r--r--app/policies/global_policy.rb3
-rw-r--r--app/policies/group_policy.rb17
-rw-r--r--app/policies/merge_request_policy.rb4
-rw-r--r--app/policies/packages/package_policy.rb6
-rw-r--r--app/policies/project_member_policy.rb5
-rw-r--r--app/policies/project_policy.rb28
-rw-r--r--app/policies/releases/source_policy.rb6
10 files changed, 73 insertions, 10 deletions
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 2c26ba565ab..13d732e4edd 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -21,6 +21,10 @@ class BasePolicy < DeclarativePolicy::Base
with_options scope: :user, score: 0
condition(:deactivated) { @user&.deactivated? }
+ desc "User is support bot"
+ with_options scope: :user, score: 0
+ condition(:support_bot) { @user&.support_bot? }
+
desc "User email is unconfirmed or user account is locked"
with_options scope: :user, score: 0
condition(:inactive) do
@@ -54,6 +58,8 @@ class BasePolicy < DeclarativePolicy::Base
rule { admin }.enable :read_all_resources
rule { default }.enable :read_cross_project
+
+ condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
end
BasePolicy.prepend_if_ee('EE::BasePolicy')
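Review bot: The new `condition(:is_gitlab_com)` has no `desc` and no scope option, unlike the other conditions visible in this class, and its name is narrower than what it checks: `::Gitlab.dev_env_or_com?` reads as also being true in a development environment. Any rule gated on it would then behave differently in development than on a self-managed instance, which is easy to miss when reviewing a permission change. I would add `desc "Instance is GitLab.com or a development environment"` above it. Since the block reads neither `@user` nor `@subject`, it could also be declared with `scope: :global` so the result is not cached per user/subject pair. The class body starts outside this hunk.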
diff --git a/app/policies/concerns/find_group_projects.rb b/app/policies/concerns/find_group_projects.rb
index e2cb90079c7..aad9081bd7d 100644
--- a/app/policies/concerns/find_group_projects.rb
+++ b/app/policies/concerns/find_group_projects.rb
@@ -3,11 +3,11 @@
module FindGroupProjects
extend ActiveSupport::Concern
- def group_projects_for(user:, group:)
+ def group_projects_for(user:, group:, only_owned: true)
GroupProjectsFinder.new(
group: group,
current_user: user,
- options: { include_subgroups: true, only_owned: true }
+ options: { include_subgroups: true, only_owned: only_owned }
).execute
end
end
diff --git a/app/policies/concerns/policy_actor.rb b/app/policies/concerns/policy_actor.rb
index f910e04d015..3073a2e5d10 100644
--- a/app/policies/concerns/policy_actor.rb
+++ b/app/policies/concerns/policy_actor.rb
@@ -45,6 +45,10 @@ module PolicyActor
false
end
+ def support_bot?
+ false
+ end
+
def deactivated?
false
end
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 03f5a863421..c66f0d199b0 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -105,6 +105,9 @@ class GlobalPolicy < BasePolicy
enable :update_custom_attribute
end
+ # We can't use `read_statistics` because the user may have different permissions for different projects
+ rule { admin }.enable :use_project_statistics_filters
+
rule { external_user }.prevent :create_snippet
end
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index b1b52d62b85..62f66093875 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -42,6 +42,14 @@ class GroupPolicy < BasePolicy
@subject.subgroup_creation_level == ::Gitlab::Access::MAINTAINER_SUBGROUP_ACCESS
end
+ condition(:design_management_enabled) do
+ group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? }
+ end
+
+ rule { design_management_enabled }.policy do
+ enable :read_design_activity
+ end
+
rule { public_group }.policy do
enable :read_group
enable :read_package
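Review bot: `condition(:design_management_enabled)` calls `.any?` with a block on the finder result, so each evaluation appears to load every project the finder returns for the group and its subgroups and call `design_management_enabled?` on each one; `only_owned: false` presumably widens that set further. On large groups this runs on every check of the group policy that reaches the condition, so it is worth confirming the cost or bounding it. Separately, the rule enables `:read_design_activity` from this condition alone. The only thing withholding it from users who cannot read the group is the `prevent` under `~can?(:read_group)` added in a later hunk of this file. A comment tying the two together would protect that invariant, for example `# Prevented below for users without :read_group; keep both rules in sync`.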
@@ -59,6 +67,10 @@ class GroupPolicy < BasePolicy
enable :update_max_artifacts_size
end
+ rule { can?(:read_all_resources) }.policy do
+ enable :read_confidential_issues
+ end
+
rule { has_projects }.policy do
enable :read_group
end
@@ -70,6 +82,10 @@ class GroupPolicy < BasePolicy
enable :read_board
end
+ rule { ~can?(:read_group) }.policy do
+ prevent :read_design_activity
+ end
+
rule { has_access }.enable :read_namespace
rule { developer }.policy do
@@ -87,6 +103,7 @@ class GroupPolicy < BasePolicy
enable :admin_list
enable :admin_issue
enable :read_metrics_dashboard_annotation
+ enable :read_prometheus
end
rule { maintainer }.policy do
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index e2aca2a37d5..e5ac228b0ee 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -10,6 +10,10 @@ class MergeRequestPolicy < IssuablePolicy
# it would not be safe to prevent :create_note there, since
# note permissions are shared, and this would apply too broadly.
rule { ~can?(:read_merge_request) }.prevent :create_note
+
+ rule { can?(:update_merge_request) }.policy do
+ enable :approve_merge_request
+ end
end
MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
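Review bot: `:approve_merge_request` is now enabled for everyone who holds `:update_merge_request`, and nothing in this hunk narrows it. Who holds `:update_merge_request` is decided outside the visible lines; if that includes the merge request's author, this rule lets authors approve their own changes unless something else prevents it. The new rule should carry a comment saying where restrictions such as self-approval or approving a closed or merged request are expected to be enforced, for example `# Further approval restrictions live in EE::MergeRequestPolicy / the approval service (confirm)`. A spec asserting the ability for an author without other project access would pin the intended behaviour.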
diff --git a/app/policies/packages/package_policy.rb b/app/policies/packages/package_policy.rb
new file mode 100644
index 00000000000..8eef280c640
--- /dev/null
+++ b/app/policies/packages/package_policy.rb
@@ -0,0 +1,6 @@
+# frozen_string_literal: true
+module Packages
+ class PackagePolicy < BasePolicy
+ delegate { @subject.project }
+ end
+end
diff --git a/app/policies/project_member_policy.rb b/app/policies/project_member_policy.rb
index f2f18406bd3..ca33b95e523 100644
--- a/app/policies/project_member_policy.rb
+++ b/app/policies/project_member_policy.rb
@@ -5,14 +5,17 @@ class ProjectMemberPolicy < BasePolicy
condition(:target_is_owner, scope: :subject) { @subject.user == @subject.project.owner }
condition(:target_is_self) { @user && @subject.user == @user }
+ condition(:project_bot) { @subject.user&.project_bot? }
rule { anonymous }.prevent_all
rule { target_is_owner }.prevent_all
- rule { can?(:admin_project_member) }.policy do
+ rule { ~project_bot & can?(:admin_project_member) }.policy do
enable :update_project_member
enable :destroy_project_member
end
+ rule { project_bot & can?(:admin_project_member) }.enable :destroy_project_bot_member
+
rule { target_is_self }.enable :destroy_project_member
end
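Review bot: `condition(:project_bot)` reads only `@subject`, but unlike `target_is_owner` two lines above it is declared without `scope: :subject`, so its result is cached per user/subject pair instead of once per member. Declaring it as `condition(:project_bot, scope: :subject) { @subject.user&.project_bot? }` keeps the two subject-only conditions consistent. The unchanged `rule { target_is_self }.enable :destroy_project_member` has no `~project_bot` guard, so a bot acting as itself would still get `:destroy_project_member` rather than the new `:destroy_project_bot_member`. If that is intended, a one-line comment saying so would help.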
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index f87c72007ec..39b39bd2fce 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -123,6 +123,9 @@ class ProjectPolicy < BasePolicy
!@subject.design_management_enabled?
end
+ with_scope :subject
+ condition(:service_desk_enabled) { @subject.service_desk_enabled? }
+
# We aren't checking `:read_issue` or `:read_merge_request` in this case
# because it could be possible for a user to see an issuable-iid
# (`:read_issue_iid` or `:read_merge_request_iid`) but then wouldn't be
@@ -151,6 +154,9 @@ class ProjectPolicy < BasePolicy
::Feature.enabled?(:build_service_proxy, @subject)
end
+ with_scope :subject
+ condition(:packages_disabled) { !@subject.packages_enabled }
+
features = %w[
merge_requests
issues
@@ -173,6 +179,7 @@ class ProjectPolicy < BasePolicy
rule { guest | admin }.enable :read_project_for_iids
rule { admin }.enable :update_max_artifacts_size
+ rule { can?(:read_all_resources) }.enable :read_confidential_issues
rule { guest }.enable :guest_access
rule { reporter }.enable :reporter_access
@@ -254,6 +261,8 @@ class ProjectPolicy < BasePolicy
enable :read_prometheus
enable :read_metrics_dashboard_annotation
enable :metrics_dashboard
+ enable :read_confidential_issues
+ enable :read_package
end
# We define `:public_user_access` separately because there are cases in gitlab-ee
@@ -290,12 +299,17 @@ class ProjectPolicy < BasePolicy
enable :read_metrics_user_starred_dashboard
end
+ rule { packages_disabled | repository_disabled }.policy do
+ prevent(*create_read_update_admin_destroy(:package))
+ end
+
rule { owner | admin | guest | group_member }.prevent :request_access
rule { ~request_access_enabled }.prevent :request_access
rule { can?(:developer_access) & can?(:create_issue) }.enable :import_issues
rule { can?(:developer_access) }.policy do
+ enable :create_package
enable :admin_board
enable :admin_merge_request
enable :admin_milestone
@@ -327,6 +341,7 @@ class ProjectPolicy < BasePolicy
enable :update_alert_management_alert
enable :create_design
enable :destroy_design
+ enable :read_terraform_state
end
rule { can?(:developer_access) & user_confirmed? }.policy do
@@ -336,6 +351,7 @@ class ProjectPolicy < BasePolicy
end
rule { can?(:maintainer_access) }.policy do
+ enable :destroy_package
enable :admin_board
enable :push_to_delete_protected_branch
enable :update_snippet
@@ -470,6 +486,7 @@ class ProjectPolicy < BasePolicy
end
rule { can?(:public_access) }.policy do
+ enable :read_package
enable :read_project
enable :read_board
enable :read_list
@@ -545,11 +562,13 @@ class ProjectPolicy < BasePolicy
rule { can?(:read_issue) }.policy do
enable :read_design
+ enable :read_design_activity
end
# Design abilities could also be prevented in the issue policy.
rule { design_management_disabled }.policy do
prevent :read_design
+ prevent :read_design_activity
prevent :create_design
prevent :destroy_design
end
@@ -576,6 +595,12 @@ class ProjectPolicy < BasePolicy
enable :read_build_report_results
end
+ rule { support_bot }.enable :guest_access
+ rule { support_bot & ~service_desk_enabled }.policy do
+ prevent :create_note
+ prevent :read_project
+ end
+
private
def team_member?
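Review bot: `rule { support_bot }.enable :guest_access` grants guest access on every project, and the following rule then removes only `:create_note` and `:read_project` when Service Desk is off. That is a deny-list: any guest-level ability that is not itself gated on `:read_project` would stay enabled for the support bot on projects that never opted in to Service Desk. Gating the grant is safer, `rule { support_bot & service_desk_enabled }.enable :guest_access`, with the two `prevent` lines kept as defence in depth for public projects. Whichever form is kept, a spec listing the abilities the bot must not have on a project with Service Desk disabled would catch regressions when new guest abilities are added.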
@@ -624,6 +649,7 @@ class ProjectPolicy < BasePolicy
def lookup_access_level!
return ::Gitlab::Access::REPORTER if alert_bot?
+ return ::Gitlab::Access::REPORTER if support_bot? && service_desk_enabled?
# NOTE: max_member_access has its own cache
project.team.max_member_access(@user.id)
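Review bot: The new early return gives the support bot `REPORTER` on every project with Service Desk enabled, while the rule added earlier in this commit enables only `:guest_access` for it, and no comment explains the difference. Because this return bypasses `max_member_access`, the bot's level is not tied to any membership record, so the reason for choosing reporter over guest should be written down next to it. Something like `# Support bot needs reporter-level abilities to manage Service Desk issues (confirm which ones)` would do. The method body continues outside the hunk.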
@@ -636,7 +662,7 @@ class ProjectPolicy < BasePolicy
when ProjectFeature::DISABLED
false
when ProjectFeature::PRIVATE
- admin? || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
+ can?(:read_all_resources) || team_access_level >= ProjectFeature.required_minimum_access_level(feature)
else
true
end
diff --git a/app/policies/releases/source_policy.rb b/app/policies/releases/source_policy.rb
index 8b86b925589..3b11c661237 100644
--- a/app/policies/releases/source_policy.rb
+++ b/app/policies/releases/source_policy.rb
@@ -3,11 +3,5 @@
module Releases
class SourcePolicy < BasePolicy
delegate { @subject.project }
-
- rule { can?(:public_access) | can?(:reporter_access) }.policy do
- enable :read_release_sources
- end
-
- rule { ~can?(:read_release) }.prevent :read_release_sources
end
end