Add latest changes from gitlab-org/gitlab@13-10-stable-eev13.10.0-rc40

9 files changed, 44 insertions, 23 deletions

diff --git a/app/policies/analytics/instance_statistics/measurement_policy.rb b/app/policies/analytics/usage_trends/measurement_policy.rb
index 3d6a5a08ff6..da3c0927ea5 100644
--- a/app/policies/analytics/instance_statistics/measurement_policy.rb
+++ b/app/policies/analytics/usage_trends/measurement_policy.rb
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 module Analytics
-  module InstanceStatistics
+  module UsageTrends
     class MeasurementPolicy < BasePolicy
       delegate { :global }
     end
diff --git a/app/policies/base_policy.rb b/app/policies/base_policy.rb
index 51694ec7c50..e32a889c906 100644
--- a/app/policies/base_policy.rb
+++ b/app/policies/base_policy.rb
@@ -55,14 +55,17 @@ class BasePolicy < DeclarativePolicy::Base
     prevent :read_cross_project
   end
 
-  # Policy extended in EE to also enable auditors
-  rule { admin }.enable :read_all_resources
+  rule { admin }.policy do
+    # Only for actual administrator accounts, behaviour affected by admin mode application setting
+    enable :admin_all_resources
+    # Policy extended in EE to also enable auditors
+    enable :read_all_resources
+    enable :change_repository_storage
+  end
 
   rule { default }.enable :read_cross_project
 
   condition(:is_gitlab_com) { ::Gitlab.dev_env_or_com? }
-
-  rule { admin }.enable :change_repository_storage
 end
 
 BasePolicy.prepend_if_ee('EE::BasePolicy')
diff --git a/app/policies/concerns/readonly_abilities.rb b/app/policies/concerns/readonly_abilities.rb
index a267e963541..0303d4cff14 100644
--- a/app/policies/concerns/readonly_abilities.rb
+++ b/app/policies/concerns/readonly_abilities.rb
@@ -17,7 +17,7 @@ module ReadonlyAbilities
 
   READONLY_FEATURES = %i[
     issue
-    list
+    issue_board_list
     merge_request
     label
     milestone
diff --git a/app/policies/global_policy.rb b/app/policies/global_policy.rb
index 9c79a797a6a..5ee34ebbb2f 100644
--- a/app/policies/global_policy.rb
+++ b/app/policies/global_policy.rb
@@ -100,7 +100,7 @@ class GlobalPolicy < BasePolicy
     enable :update_custom_attribute
     enable :approve_user
     enable :reject_user
-    enable :read_instance_statistics_measurements
+    enable :read_usage_trends_measurement
   end
 
   # We can't use `read_statistics` because the user may have different permissions for different projects
diff --git a/app/policies/group_member_policy.rb b/app/policies/group_member_policy.rb
index 09cac96e3a5..1dd650c8a90 100644
--- a/app/policies/group_member_policy.rb
+++ b/app/policies/group_member_policy.rb
@@ -4,7 +4,7 @@ class GroupMemberPolicy < BasePolicy
   delegate :group
 
   with_scope :subject
-  condition(:last_owner) { @subject.group.last_owner?(@subject.user) }
+  condition(:last_owner) { @subject.group.last_owner?(@subject.user) || @subject.group.last_blocked_owner?(@subject.user) }
 
   desc "Membership is users' own"
   with_score 0
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb
index 7dd88fcc1ff..53286cf1fdf 100644
--- a/app/policies/group_policy.rb
+++ b/app/policies/group_policy.rb
@@ -97,9 +97,9 @@ class GroupPolicy < BasePolicy
 
   rule { can?(:read_group) }.policy do
     enable :read_milestone
-    enable :read_list
+    enable :read_issue_board_list
     enable :read_label
-    enable :read_board
+    enable :read_issue_board
     enable :read_group_member
     enable :read_custom_emoji
   end
@@ -122,9 +122,9 @@ class GroupPolicy < BasePolicy
   rule { reporter }.policy do
     enable :reporter_access
     enable :read_container_image
-    enable :admin_board
+    enable :admin_issue_board
     enable :admin_label
-    enable :admin_list
+    enable :admin_issue_board_list
     enable :admin_issue
     enable :read_metrics_dashboard_annotation
     enable :read_prometheus
diff --git a/app/policies/merge_request_policy.rb b/app/policies/merge_request_policy.rb
index d5ba42d750c..e3fb54172f8 100644
--- a/app/policies/merge_request_policy.rb
+++ b/app/policies/merge_request_policy.rb
@@ -9,7 +9,10 @@ class MergeRequestPolicy < IssuablePolicy
   # Although :read_merge_request is computed in the policy context,
   # it would not be safe to prevent :create_note there, since
   # note permissions are shared, and this would apply too broadly.
-  rule { ~can?(:read_merge_request) }.prevent :create_note
+  rule { ~can?(:read_merge_request) }.policy do
+    prevent :create_note
+    prevent :accept_merge_request
+  end
 
   rule { can?(:update_merge_request) }.policy do
     enable :approve_merge_request
@@ -18,6 +21,12 @@ class MergeRequestPolicy < IssuablePolicy
   rule { ~anonymous & can?(:read_merge_request) }.policy do
     enable :create_todo
   end
+
+  condition(:can_merge) { @subject.can_be_merged_by?(@user) }
+
+  rule { can_merge }.policy do
+    enable :accept_merge_request
+  end
 end
 
 MergeRequestPolicy.prepend_if_ee('EE::MergeRequestPolicy')
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 2bf6b6c3161..38f0f165376 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -57,6 +57,10 @@ class NotePolicy < BasePolicy
     enable :resolve_note
   end
 
+  rule { can_read_confidential }.policy do
+    enable :mark_note_as_confidential
+  end
+
   rule { confidential & ~can_read_confidential }.policy do
     prevent :read_note
     prevent :admin_note
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index aaf985d6c63..de80f2f72b8 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -156,6 +156,7 @@ class ProjectPolicy < BasePolicy
     metrics_dashboard
     analytics
     operations
+    security_and_compliance
   ]
 
   features.each do |f|
@@ -203,8 +204,8 @@ class ProjectPolicy < BasePolicy
   rule { can?(:guest_access) }.policy do
     enable :read_project
     enable :create_merge_request_in
-    enable :read_board
-    enable :read_list
+    enable :read_issue_board
+    enable :read_issue_board_list
     enable :read_wiki
     enable :read_issue
     enable :read_label
@@ -230,7 +231,7 @@ class ProjectPolicy < BasePolicy
   rule { guest & can?(:read_container_image) }.enable :build_read_container_image
 
   rule { can?(:reporter_access) }.policy do
-    enable :admin_board
+    enable :admin_issue_board
     enable :download_code
     enable :read_statistics
     enable :download_wiki_code
@@ -239,7 +240,7 @@ class ProjectPolicy < BasePolicy
     enable :reopen_issue
     enable :admin_issue
     enable :admin_label
-    enable :admin_list
+    enable :admin_issue_board_list
     enable :admin_issue_link
     enable :read_commit_status
     enable :read_build
@@ -318,7 +319,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:developer_access) }.policy do
     enable :create_package
-    enable :admin_board
+    enable :admin_issue_board
     enable :admin_merge_request
     enable :admin_milestone
     enable :update_merge_request
@@ -368,7 +369,7 @@ class ProjectPolicy < BasePolicy
 
   rule { can?(:maintainer_access) }.policy do
     enable :destroy_package
-    enable :admin_board
+    enable :admin_issue_board
     enable :push_to_delete_protected_branch
     enable :update_snippet
     enable :admin_snippet
@@ -428,8 +429,8 @@ class ProjectPolicy < BasePolicy
 
   rule { issues_disabled }.policy do
     prevent(*create_read_update_admin_destroy(:issue))
-    prevent(*create_read_update_admin_destroy(:board))
-    prevent(*create_read_update_admin_destroy(:list))
+    prevent(*create_read_update_admin_destroy(:issue_board))
+    prevent(*create_read_update_admin_destroy(:issue_board_list))
   end
 
   rule { merge_requests_disabled | repository_disabled }.policy do
@@ -506,8 +507,8 @@ class ProjectPolicy < BasePolicy
   rule { can?(:public_access) }.policy do
     enable :read_package
     enable :read_project
-    enable :read_board
-    enable :read_list
+    enable :read_issue_board
+    enable :read_issue_board_list
     enable :read_wiki
     enable :read_label
     enable :read_milestone
@@ -640,6 +641,10 @@ class ProjectPolicy < BasePolicy
     enable :set_pipeline_variables
   end
 
+  rule { ~security_and_compliance_disabled & can?(:developer_access) }.policy do
+    enable :access_security_and_compliance
+  end
+
   private
 
   def user_is_user?