1 files changed, 49 insertions, 3 deletions

diff --git a/app/policies/ci/runner_policy.rb b/app/policies/ci/runner_policy.rb
index 8a99f4d1a3e..a52dac446ea 100644
--- a/app/policies/ci/runner_policy.rb
+++ b/app/policies/ci/runner_policy.rb
@@ -9,19 +9,65 @@ module Ci
       @user.owns_runner?(@subject)
     end
 
-    condition(:belongs_to_multiple_projects) do
+    with_options scope: :subject, score: 0
+    condition(:is_instance_runner) do
+      @subject.instance_type?
+    end
+
+    with_options scope: :subject, score: 0
+    condition(:is_group_runner) do
+      @subject.group_type?
+    end
+
+    with_options scope: :user, score: 5
+    condition(:any_developer_groups_inheriting_shared_runners) do
+      @user.developer_groups.with_shared_runners_enabled.any?
+    end
+
+    with_options scope: :user, score: 5
+    condition(:any_developer_projects_inheriting_shared_runners) do
+      @user.authorized_projects(Gitlab::Access::DEVELOPER).with_shared_runners_enabled.any?
+    end
+
+    with_options score: 10
+    condition(:any_associated_projects_in_group_runner_inheriting_group_runners) do
+      # Check if any projects where user is a developer are inheriting group runners
+      @subject.groups&.any? do |group|
+        group.all_projects
+             .with_group_runners_enabled
+             .visible_to_user_and_access_level(@user, Gitlab::Access::DEVELOPER)
+             .exists?
+      end
+    end
+
+    condition(:belongs_to_multiple_projects, scope: :subject) do
       @subject.belongs_to_more_than_one_project?
     end
 
     rule { anonymous }.prevent_all
 
-    rule { admin }.policy do
+    rule { admin | owned_runner }.policy do
       enable :read_builds
     end
 
     rule { admin | owned_runner }.policy do
-      enable :assign_runner
       enable :read_runner
+    end
+
+    rule { is_instance_runner & any_developer_groups_inheriting_shared_runners }.policy do
+      enable :read_runner
+    end
+
+    rule { is_instance_runner & any_developer_projects_inheriting_shared_runners }.policy do
+      enable :read_runner
+    end
+
+    rule { is_group_runner & any_associated_projects_in_group_runner_inheriting_group_runners }.policy do
+      enable :read_runner
+    end
+
+    rule { admin | owned_runner }.policy do
+      enable :assign_runner
       enable :update_runner
       enable :delete_runner
     end