Add latest changes from gitlab-org/gitlab@master

9 files changed, 22 insertions, 16 deletions

diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 2b2ac262848..914120684d3 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -447,7 +447,8 @@ module ApplicationSettingsHelper
       :pipeline_limit_per_project_user_sha,
       :invitation_flow_enforcement,
       :can_create_group,
-      :bulk_import_enabled
+      :bulk_import_enabled,
+      :allow_runner_registration_token
     ].tap do |settings|
       next if Gitlab.com?
 
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 3fb1f58f3e0..fb62271e19b 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -694,6 +694,10 @@ class ApplicationSetting < ApplicationRecord
             allow_nil: false,
             inclusion: { in: [true, false], message: N_('must be a boolean value') }
 
+  validates :allow_runner_registration_token,
+            allow_nil: false,
+            inclusion: { in: [true, false], message: N_('must be a boolean value') }
+
   before_validation :ensure_uuid!
   before_validation :coerce_repository_storages_weighted, if: :repository_storages_weighted_changed?
   before_validation :normalize_default_branch_name
diff --git a/app/models/application_setting_implementation.rb b/app/models/application_setting_implementation.rb
index 229c4e68d79..ab035bfab0b 100644
--- a/app/models/application_setting_implementation.rb
+++ b/app/models/application_setting_implementation.rb
@@ -245,7 +245,8 @@ module ApplicationSettingImplementation
         users_get_by_id_limit: 300,
         users_get_by_id_limit_allowlist: [],
         can_create_group: true,
-        bulk_import_enabled: false
+        bulk_import_enabled: false,
+        allow_runner_registration_token: true
       }
     end
 
diff --git a/app/policies/issuable_policy.rb b/app/policies/issuable_policy.rb
index aa07bb7dc5f..fae66498038 100644
--- a/app/policies/issuable_policy.rb
+++ b/app/policies/issuable_policy.rb
@@ -55,7 +55,7 @@ class IssuablePolicy < BasePolicy
     enable :read_issuable_participables
   end
 
-  # This rule replicates permissions in NotePolicy#can_read_confidential
+  # This rule replicates permissions in NotePolicy#can_read_internal_note
   rule { can?(:reporter_access) | admin }.policy do
     enable :read_internal_note
   end
diff --git a/app/policies/issue_policy.rb b/app/policies/issue_policy.rb
index 2bc535adf41..12d83735d22 100644
--- a/app/policies/issue_policy.rb
+++ b/app/policies/issue_policy.rb
@@ -83,7 +83,7 @@ class IssuePolicy < IssuablePolicy
   end
 
   rule { can?(:reporter_access) }.policy do
-    enable :mark_note_as_confidential
+    enable :mark_note_as_internal
   end
 end
 
diff --git a/app/policies/note_policy.rb b/app/policies/note_policy.rb
index 67b57595beb..2118088604b 100644
--- a/app/policies/note_policy.rb
+++ b/app/policies/note_policy.rb
@@ -18,11 +18,11 @@ class NotePolicy < BasePolicy
 
   condition(:is_visible) { @subject.system_note_visible_for?(@user) }
 
-  condition(:confidential, scope: :subject) { @subject.confidential? }
+  condition(:internal, scope: :subject) { @subject.confidential? }
 
   # Should be matched with IssuablePolicy#read_internal_note
   # and EpicPolicy#read_internal_note
-  condition(:can_read_confidential) do
+  condition(:can_read_internal_note) do
     access_level >= Gitlab::Access::REPORTER || admin?
   end
 
@@ -59,11 +59,11 @@ class NotePolicy < BasePolicy
     enable :resolve_note
   end
 
-  rule { can_read_confidential }.policy do
-    enable :mark_note_as_confidential
+  rule { can_read_internal_note }.policy do
+    enable :mark_note_as_internal
   end
 
-  rule { confidential & ~can_read_confidential }.policy do
+  rule { internal & ~can_read_internal_note }.policy do
     prevent :read_note
     prevent :admin_note
     prevent :resolve_note
diff --git a/app/policies/todo_policy.rb b/app/policies/todo_policy.rb
index d63eb9407f8..3b4be29664f 100644
--- a/app/policies/todo_policy.rb
+++ b/app/policies/todo_policy.rb
@@ -11,18 +11,18 @@ class TodoPolicy < BasePolicy
     @user && @subject.target&.readable_by?(@user)
   end
 
-  desc "Todo has confidential note"
-  condition(:has_confidential_note, scope: :subject) { @subject&.note&.confidential? }
+  desc "Todo has internal note"
+  condition(:has_internal_note, scope: :subject) { @subject&.note&.confidential? }
 
-  desc "User can read the todo's confidential note"
-  condition(:can_read_todo_confidential_note) do
+  desc "User can read the todo's internal note"
+  condition(:can_read_todo_internal_note) do
     @user && @user.can?(:read_internal_note, @subject.target)
   end
 
   rule { own_todo & can_read_target }.enable :read_todo
   rule { can?(:read_todo) }.enable :update_todo
 
-  rule { has_confidential_note & ~can_read_todo_confidential_note }.policy do
+  rule { has_internal_note & ~can_read_todo_internal_note }.policy do
     prevent :read_todo
     prevent :update_todo
   end
diff --git a/app/serializers/issue_entity.rb b/app/serializers/issue_entity.rb
index 397f333008c..a38f345f617 100644
--- a/app/serializers/issue_entity.rb
+++ b/app/serializers/issue_entity.rb
@@ -48,7 +48,7 @@ class IssueEntity < IssuableEntity
     end
 
     expose :can_create_confidential_note do |issue|
-      can?(request.current_user, :mark_note_as_confidential, issue)
+      can?(request.current_user, :mark_note_as_internal, issue)
     end
 
     expose :can_update do |issue|
diff --git a/app/services/notes/build_service.rb b/app/services/notes/build_service.rb
index cc5c81cf280..e6766273441 100644
--- a/app/services/notes/build_service.rb
+++ b/app/services/notes/build_service.rb
@@ -35,7 +35,7 @@ module Notes
       note.author = current_user
 
       parent_confidential = discussion&.confidential?
-      can_set_confidential = can?(current_user, :mark_note_as_confidential, note)
+      can_set_confidential = can?(current_user, :mark_note_as_internal, note)
 
       return discussion_not_found if parent_confidential && !can_set_confidential