diff options
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 37 |
1 files changed, 36 insertions, 1 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index c98e82efef7..f9ec026a6d2 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -46,6 +46,19 @@ class GroupPolicy < BasePolicy group_projects_for(user: @user, group: @subject, only_owned: false).any? { |p| p.design_management_enabled? } end + desc "Deploy token with read_package_registry scope" + condition(:read_package_registry_deploy_token) do + @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.read_package_registry + end + + desc "Deploy token with write_package_registry scope" + condition(:write_package_registry_deploy_token) do + @user.is_a?(DeployToken) && @user.groups.include?(@subject) && @user.write_package_registry + end + + with_scope :subject + condition(:resource_access_token_available) { resource_access_token_available? } + rule { design_management_enabled }.policy do enable :read_design_activity end @@ -91,7 +104,6 @@ class GroupPolicy < BasePolicy rule { developer }.policy do enable :admin_milestone - enable :read_package enable :create_metrics_dashboard_annotation enable :delete_metrics_dashboard_annotation enable :update_metrics_dashboard_annotation @@ -105,6 +117,7 @@ class GroupPolicy < BasePolicy enable :admin_issue enable :read_metrics_dashboard_annotation enable :read_prometheus + enable :read_package end rule { maintainer }.policy do @@ -167,6 +180,20 @@ class GroupPolicy < BasePolicy rule { maintainer & can?(:create_projects) }.enable :transfer_projects + rule { read_package_registry_deploy_token }.policy do + enable :read_package + enable :read_group + end + + rule { write_package_registry_deploy_token }.policy do + enable :create_package + enable :read_group + end + + rule { resource_access_token_available & can?(:admin_group) }.policy do + enable :admin_resource_access_tokens + end + def access_level return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? @@ -183,6 +210,14 @@ class GroupPolicy < BasePolicy def user_is_user? user.is_a?(User) end + + def group + @subject + end + + def resource_access_token_available? + true + end end GroupPolicy.prepend_if_ee('EE::GroupPolicy') |