diff options
Diffstat (limited to 'app/policies/group_policy.rb')
-rw-r--r-- | app/policies/group_policy.rb | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/app/policies/group_policy.rb b/app/policies/group_policy.rb index b2325b7acac..6cc65248914 100644 --- a/app/policies/group_policy.rb +++ b/app/policies/group_policy.rb @@ -76,6 +76,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:resource_access_token_feature_available) { resource_access_token_feature_available? } condition(:resource_access_token_creation_allowed) { resource_access_token_creation_allowed? } + condition(:resource_access_token_create_feature_available) { resource_access_token_create_feature_available? } with_scope :subject condition(:has_project_with_service_desk_enabled) { @subject.has_project_with_service_desk_enabled? } @@ -83,6 +84,10 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy with_scope :subject condition(:crm_enabled, score: 0, scope: :subject) { @subject.crm_enabled? } + condition(:create_runner_workflow_enabled) do + Feature.enabled?(:create_runner_workflow) + end + condition(:group_runner_registration_allowed, scope: :subject) do Gitlab::CurrentSettings.valid_runner_registrars.include?('group') && @subject.runner_registration_enabled? end @@ -199,6 +204,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_group_runners enable :admin_group_runners enable :register_group_runners + enable :create_group_runners enable :set_note_created_at enable :set_emails_disabled @@ -277,8 +283,8 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :destroy_resource_access_tokens end - rule { can?(:admin_group) & resource_access_token_creation_allowed }.policy do - enable :admin_setting_to_allow_project_access_token_creation + rule { can?(:admin_group) & resource_access_token_create_feature_available }.policy do + enable :admin_setting_to_allow_resource_access_token_creation end rule { resource_access_token_creation_allowed & can?(:read_resource_access_tokens) }.policy do @@ -307,6 +313,7 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy rule { ~admin & ~group_runner_registration_allowed }.policy do prevent :register_group_runners + prevent :create_group_runners end rule { migration_bot }.policy do @@ -318,6 +325,13 @@ class GroupPolicy < Namespaces::GroupProjectNamespaceSharedPolicy enable :read_observability end + rule { ~create_runner_workflow_enabled }.policy do + prevent :create_group_runners + end + + # Should be matched with ProjectPolicy#read_internal_note + rule { admin | reporter }.enable :read_internal_note + def access_level(for_any_session: false) return GroupMember::NO_ACCESS if @user.nil? return GroupMember::NO_ACCESS unless user_is_user? |