Diffstat (limited to 'app/policies/project_policy.rb')
-rw-r--r-- | app/policies/project_policy.rb | 35 |
1 files changed, 17 insertions, 18 deletions
diff --git a/app/policies/project_policy.rb b/app/policies/project_policy.rb index 8df4fc5e88c..f87c72007ec 100644 --- a/app/policies/project_policy.rb +++ b/app/policies/project_policy.rb @@ -147,6 +147,10 @@ class ProjectPolicy < BasePolicy @user && @user.confirmed? end + condition(:build_service_proxy_enabled) do + ::Feature.enabled?(:build_service_proxy, @subject) + end + features = %w[ merge_requests issues @@ -278,7 +282,6 @@ class ProjectPolicy < BasePolicy rule { can?(:metrics_dashboard) }.policy do enable :read_prometheus - enable :read_environment enable :read_deployment end @@ -429,27 +432,11 @@ class ProjectPolicy < BasePolicy rule { builds_disabled | repository_disabled }.policy do prevent(*create_read_update_admin_destroy(:build)) prevent(*create_read_update_admin_destroy(:pipeline_schedule)) + prevent(*create_read_update_admin_destroy(:environment)) prevent(*create_read_update_admin_destroy(:cluster)) prevent(*create_read_update_admin_destroy(:deployment)) end - # Enabling `read_environment` specifically for the condition of `metrics_dashboard_allowed` is - # necessary due to the route for metrics dashboard requiring an environment id. - # This will be addressed in https://gitlab.com/gitlab-org/gitlab/-/issues/213833 when - # environments and metrics are decoupled and these rules will be removed. - - rule { (builds_disabled | repository_disabled) & ~metrics_dashboard_allowed}.policy do - prevent(*create_read_update_admin_destroy(:environment)) - end - - rule { (builds_disabled | repository_disabled) & metrics_dashboard_allowed}.policy do - prevent :create_environment - prevent :update_environment - prevent :admin_environment - prevent :destroy_environment - enable :read_environment - end - # There's two separate cases when builds_disabled is true: # 1. When internal CI is disabled - builds_disabled && internal_builds_disabled # - We do not prevent the user from accessing Pipelines to allow them to access external CI 
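Review bot: In the `builds_disabled | repository_disabled` rule (hunk at -429), the added `prevent(*create_read_update_admin_destroy(:environment))` now denies every environment ability with no exception, and the comment explaining why `read_environment` was kept for `metrics_dashboard_allowed` is deleted without a replacement. The removed text says the metrics dashboard route requires an environment id, and nothing visible here shows that dependency is gone, so users allowed to see the dashboard on a project with builds or the repository disabled will presumably be denied if it still exists. Failing closed is the safer direction, but I would leave a short comment such as `# Environments are denied whenever builds or the repository are disabled, including for metrics dashboard users` and confirm that a policy spec covers that combination.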
@@ -577,6 +564,18 @@ class ProjectPolicy < BasePolicy enable :read_project end + rule { can?(:create_pipeline) & can?(:maintainer_access) }.enable :create_web_ide_terminal + + rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled + + rule { can?(:download_code) }.policy do + enable :read_repository_graphs + end + + rule { can?(:read_build) & can?(:read_pipeline) }.policy do + enable :read_build_report_results + end + private def team_member? |
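Review bot: The rule `rule { build_service_proxy_enabled }.enable :build_service_proxy_enabled` grants an ability from the feature flag alone, with no user or access-level condition, so once the flag is on for the project it is enabled for every caller, presumably including anonymous ones. Any caller that checks only this ability would be authorising on a flag rather than on access. I would add a comment above it, `# Feature-flag gate only: not an access check; callers must also verify an access ability`, or fold the access condition into the rule if the proxy always needs one. The enclosing class body starts and ends outside this hunk, so how the ability is consumed is not visible here.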