Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index f9ec026a6d2..231843c5f23 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -46,6 +46,10 @@ class GroupPolicy < BasePolicy group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? } end + condition(:dependency_proxy_available) do + @subject.dependency_proxy_feature_available? + end + desc "Deploy token with read_package_registry scope" condition(:read_package_registry_deploy_token) do @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry @@ -59,6 +63,9 @@ class GroupPolicy < BasePolicy with_scope :subject condition(:resource_access_token_available) { resource_access_token_available? } + with_scope :subject + condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? } + rule { design_management_enabled }.policy do enable :read_design_activity end @@ -94,6 +101,7 @@ class GroupPolicy < BasePolicy enable :read_label enable :read_board enable :read_group_member + enable :read_custom_emoji end rule { ~can?(:read_group) }.policy do @@ -107,6 +115,7 @@ class GroupPolicy < BasePolicy enable :create_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation + enable :create_custom_emoji end rule { reporter }.policy do 
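Review bot: The new `dependency_proxy_available` condition in the first hunk reads only `@subject` but is declared without `with_scope :subject`, unlike the `has_project_with_service_desk_enabled` condition added in the second hunk. Scoping it to the subject lets DeclarativePolicy cache the result per group instead of per user and group pair, so I would put `with_scope :subject` on the line above it. It also has no `desc`, although the neighbouring deploy-token condition has one; since this condition gates both `:read_dependency_proxy` and `:admin_dependency_proxy`, a line such as `desc "Dependency proxy feature is available for the group"` would make the policy easier to audit.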
@@ -187,13 +196,24 @@ class GroupPolicy < BasePolicy rule { write_package_registry_deploy_token }.policy do enable :create_package + enable :read_package enable :read_group end + rule { can?(:read_group) & dependency_proxy_available } + .enable :read_dependency_proxy + + rule { developer & dependency_proxy_available } + .enable :admin_dependency_proxy + rule { resource_access_token_available & can?(:admin_group) }.policy do enable :admin_resource_access_tokens end + rule { support_bot & has_project_with_service_desk_enabled }.policy do + enable :read_label + end + def access_level return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? |
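Review bot: `:read_dependency_proxy` is keyed on `can?(:read_group)`, which reaches further than group members: in this same hunk the `write_package_registry_deploy_token` rule enables `:read_group`, so a deploy token scoped to the package registry also receives dependency-proxy read access. If `:read_group` is also granted to unauthenticated visitors of public groups (not visible in this hunk), they would receive it as well. If that breadth is intended, state it above the rule, e.g. `# any principal that can read the group, including package-registry deploy tokens, may read the dependency proxy`; otherwise key the rule on a membership condition, as the `developer` rule for `:admin_dependency_proxy` does. The added `enable :read_package` also widens what a write-scoped token can do, so a policy spec asserting the exact ability set for that token type would pin both changes.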