authorGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:27:36 +0000
committerGitLab Bot <gitlab-bot@gitlab.com>2022-06-01 07:27:36 +0000
commitde222caa576cab3d0894c65531f5822f205877d5 (patch)
treee66805f398cfb22196e0181bef90066a0fe1b674 /app
parent8a186dedfc1da12270ea77f2673b59fa08f770c1 (diff)
Add latest changes from gitlab-org/security/gitlab@15-0-stable-ee
Diffstat (limited to 'app')
-rw-r--r--app/policies/ci/build_policy.rb2
-rw-r--r--app/policies/project_policy.rb4
-rw-r--r--app/services/members/import_project_team_service.rb2
3 files changed, 6 insertions, 2 deletions
diff --git a/app/policies/ci/build_policy.rb b/app/policies/ci/build_policy.rb
index 6162a31c118..f377ff85b5e 100644
--- a/app/policies/ci/build_policy.rb
+++ b/app/policies/ci/build_policy.rb
@@ -84,7 +84,7 @@ module Ci
enable :update_commit_status
end
- rule { can?(:update_build) & terminal }.enable :create_build_terminal
+ rule { can?(:update_build) & terminal & owner_of_job }.enable :create_build_terminal
rule { can?(:update_build) }.enable :play_job
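Review bot: The `create_build_terminal` rule now also requires `owner_of_job`, but nothing next to it says why `can?(:update_build) & terminal` is no longer enough, and the condition itself is defined outside this hunk. A one-line comment above the rule would keep a later refactor from dropping the term, for example `# Presumably a terminal attaches to the running job's environment, so only the user the job belongs to may open one.` The neighbouring `play_job` rule still depends on `update_build` alone; if that difference is intended, the same comment is the place to say so. A policy spec for a user who holds `update_build` but does not own the job would pin the new behaviour.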
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb
index 60519dc346b..7c439fe8b29 100644
--- a/app/policies/project_policy.rb
+++ b/app/policies/project_policy.rb
@@ -748,6 +748,10 @@ class ProjectPolicy < BasePolicy
prevent :register_project_runners
end
+ rule { can?(:admin_project_member) }.policy do
+ enable :import_project_members_from_another_project
+ end
+
private
def user_is_user?
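Review bot: `import_project_members_from_another_project` is enabled whenever `can?(:admin_project_member)` holds, so within this file the two abilities go to the same users and the new one restricts nothing by itself. The split only helps if some other rule prevents the new ability, and no such `prevent` is visible in this diff, which is limited to `app`. A comment on the rule should name where that restriction lives, for example `# Separate ability so the import can be prevented independently of :admin_project_member; see <policy that prevents it>.` The enclosing `ProjectPolicy` class starts and ends outside the hunk.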
diff --git a/app/services/members/import_project_team_service.rb b/app/services/members/import_project_team_service.rb
index 5f4d5414cfa..6efd65e2575 100644
--- a/app/services/members/import_project_team_service.rb
+++ b/app/services/members/import_project_team_service.rb
@@ -29,7 +29,7 @@ module Members
def import_project_team
return false unless target_project.present? && source_project.present? && current_user.present?
return false unless can?(current_user, :read_project_member, source_project)
- return false unless can?(current_user, :admin_project_member, target_project)
+ return false unless can?(current_user, :import_project_members_from_another_project, target_project)
target_project.team.import(source_project, current_user)
end
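Review bot: Once the three guards pass, `target_project.team.import(source_project, current_user)` runs with no visible bound on the access levels that are copied, and swapping the ability name in the last guard does not change that. `import` is defined outside this hunk, so it may already cap imported members at `current_user`'s own level on `target_project`; that should be confirmed and recorded above the call, for example `# team.import is expected to cap imported access levels at current_user's level on target_project.` All three guards also return a bare `false`, so a caller cannot tell a denied permission from a missing project.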